Troubleshooting containerized scans

Troubleshooting scans in AppScan 360° looks a little different than in AppScan on Cloud. Follow guidance here to troubleshoot scanning issues in AppScan 360°.

Troubleshooting containerized scans is performed first by the user, then, if a resolution is not reached, escalated to an administrator. The general path for troubleshooting is as follows:
  1. User reviews error messages.
  2. User reviews common error cases.
  3. If the issue persists, user downloads scan logs and escalates to an administrator.
  4. Administrator investigates user supplied information.
  5. If the issue persists, administrator escalates to HCL support.

User: Review error messages

Go to the scan page for the failed scan. Either:
  • Select Applications > (application) > View all scans > (scan name), or,
  • Select Scans > (scan name)
Review error messages displayed on the scan page. Common error cases are discussed below.

User: Review common error cases

The most common errors are:

Open source

Error: Scan failed. Your subscription does not allow for Open Source scans. Please contact your sales representative for information regarding activating “Open Source” scanning. If you need further assistance, please reach out to our Technical Support team

You tried to scan open source files. AppScan 360° does not support open source scanning.

If you uploaded a ZIP file for scanning, review the contents of the ZIP file.

  • If the ZIP contains only open source files, upload a ZIP containing non-open source files and try the scan again.
  • If the ZIP file contains an appscan-config.xml configuration file, review properties listed in the file. AppScan 360° does not support the openSourceOnly property. If openSourceOnly="true" is listed, remove this property and try the scan again.
    Note: Review supported properties for appscan-config.xml here.
If you uploaded an IRX:
  1. Rerun appscan prepare, confirming the target files are not open source files and the openSourceOnly parameter is not used.
    Note: Review supported parameters for appscan prepare here.
  2. If the issue persists, download scan logs and escalate to an administrator.

No IPVA/Corrupted IRX

Error: We are unable to complete the scan successfully. The scan failed since the IRX was not created properly. It could possibly be due to an incorrect configuration or missing dependencies. If you need additional assistance, please reach out to our Technical Support team.

Something went wrong during the IRX generation step of the scan.

If you uploaded an IRX:

  • If you have access to the location from which appscan prepare was run, check for errors in the logs.zip file created during that process.
  • Look in the SAClientUtil/logs/client.log file for errors.
  • For deeper IRX investigation, escalate to an administrator.

If you uploaded a ZIP, download scan log and escalate to an administrator.

Unknown error

Error. An unknown error occurred.

There are a few possibilities. Download the scan log and escalate to a scan administrator for further investigation.

User: Download scan log and escalate to an administrator

To download the scan log:
  1. On the scan page (Applications > Application > View all scans > (scan name) or Scans > (scan name)), copy the Execution ID listed under Scan details.
  2. On the upper right of the scan page, select Manage scan > Download log.

    AppScan 360° downloads a ZIP file to your local system. Note the location of the download.

  3. Extract the contents of the ZIP file.
  4. Open the service.log file.

    From this file you should be able to determine the step during which the error was thrown.

    For example:
    Request received to perform scan for execution-id 4277b41a-18ad-44ad-81c9-9542e7af83d7.
    Initiated fetch scan data request with scan-id e7330058-c743-41af-8914-95eb30554d78.
    Downloaded scan data successfully.
    Request received to perform scan.
    Initiated prepare request with scan-id e7330058-c743-41af-8914-95eb30554d78.
    Received prepare (PERFORM_PREPARE) request with scan-id e7330058-c743-41af-8914-95eb30554d78 by preparer-6d7c4c9c58-c4kgq.
    Execution completed with exit code -1.
    Request received to publish status to server for scan-id e7330058-c743-41af-8914-95eb30554d78. (Failed: Execution completed with exit code -1.)

    In this example, the error was thrown during the PERFORM_PREPARE step. Since the failure occurred during the prepare step, investigate the preparer pod.

To escalate the issue to the scan administrator for further troubleshooting, gather the following information, some of which is available in the service.log file:
  • Execution ID

    In the above service.log example, execution-id 4277b41a-18ad-44ad-81c9-9542e7af83d7.

  • Scan ID

    In the above service.log example, scan-id e7330058-c743-41af-8914-95eb30554d78.

  • Preparer pod ID, if applicable

    In the above service.log example, preparer-6d7c4c9c58-c4kgq.

  • Analyzer pod ID, if applicable
  • Any error reported on the scan page in AppScan 360° or in service.log.
  • The log ZIP file.
  • Details about the application/project being scanned.

Scan administrator: Investigate user-supplied information

Access scan logs

To access scan logs:

  1. Open your Swagger page.
  2. In the top right select Scan Service > Scan Management Service.
  3. Click Authorize.
  4. Enter the AppScan Central Platform secret you passed in during deployment (--auth-token flag) and click Authorize.
  5. Click Try it out
  6. Paste the scan ID into the text box and click Execute.

    If you do not know the Scan ID, it can be found in the service.log downloaded from the scan page.

  7. In Response body, click the Download logs link.

    This downloads a ZIP file containing multiple log files onto your local machine. Note the location of the downloaded file.

  8. Extract and investigate the following logs for errors:
    • prepare.log
    • StaticAnalyzer-Errors.log
    • SASTAgent.log
  9. Resolve any errors, and try the scan again.

Investigate an IRX with a no IPVA/corrupted IRX error

  1. Open your Swagger page.
  2. In the top right select Scan Service > Scan Management Service.
  3. Click Authorize.
  4. Enter the AppScan Central Platform secret you passed in during deployment (--auth-token flag) and click Authorize.
  5. Scroll down to Download an IRX file and click Try it out.
  6. Enter the scan ID and click Execute.

    This downloads the IRX file onto your local machine. Note the location of the downloaded file.

  7. Using 7-ZIP or a similar tool, right click the IRX file and click Open archive.

  8. Double-click internal.scan to open it.

  9. Check the .log file in the root as well as the logs in the logs folder for any errors.
  10. Resolve any errors, and try the scan again.

Investigating an IRX with an open source error

Note: AppScan 360° does not support open source scanning.
If the scan failed with the error Your subscription does not allow for Open Source scans. and you uploaded an IRX for scanning, check for errors in the IRX file:
  1. Open your Swagger page.
  2. In the top right select Scan Service > Scan Management Service.
  3. Click Authorize.
  4. Enter the AppScan Central Platform secret you passed in during deployment (--auth-token flag) and click Authorize.
  5. Scroll down to Download an IRX file and click Try it out.
  6. Enter the scan ID and click Execute.

    This downloads the IRX file onto your local machine. Note the location of the downloaded file.

  7. Using 7-ZIP or a similar tool, right click the IRX file and click Open archive.

  8. Open the scan.manifest file for examination.
    If Total Languages Found = 1 and the only entry in the Language section is Open Source, then the IRX file was generated for open source scanning only, or you pointed to a location containing only open source files:
    • Confirm that the target location contains non-open source files.

      AppScan 360° does not support open source scanning.

    • Confirm that you are not using an unsupported property or parameter in the appscan prepare command or in the appscan-config.xml file. If openSourceOnly="true" is listed, remove this property.

      AppScan 360° does not support the openSourceOnly property in either appscan prepare or appscan-config.xml.

  9. Try the scan again.

Accessing pod logs for a scan

If you need more detailed logs than the Swagger download can provide, you can get logs from the pods themselves.
  1. In your Kubernetes IDE, download the logs for the pod you are investigating.
  2. In this file, search for the scan ID string.
    The Prepare or Analysis stage will look like this in the log:
    Payload(id= e7330058-c743-41af-8914-95eb30554d78, type=PERFORM_PREPARE,
    Payload(id= e7330058-c743-41af-8914-95eb30554d78, type=PERFORM_ANALYSIS,
    The prepare and analysis commands run after these lines. This is where you should see errors. If there’s no clear indication of what went wrong in this log, connect to the pod and investigate further.
  3. Connect to the pod and execute the following command:
    >: cd ~/data/scans/<scan_id>/logs
  4. Look for errors:
    1. For prepare errors, look in the prepare.log and the SAClientUtil/logs/client.log.

      SAClientUtil/logs/client.log can be found in ~/SAClientUtil.

    2. For analysis errors, look in the StaticAnalyzer-Errors.log and the SASTAgent.log.
Note: If the pod is terminated, you can access the pod log using these commands from an active pod:
>: cd logs/<pod_type>/
>: cat <pod_id>.log

Investigating other error cases

Open Source File Types

Problems found during validation. 
The prepare operation found only open source files types. To run opensource only, use the -oso flag. To run security and opensource, include additional supported file types.

You tried to run an open source-only scan, or tried to run a third-party scan, but the scan needs additional configuration.

AppScan 360° does not support open source-only scans.

Verify scan configuration:
  • Confirm that you are not using an unsupported parameter in the appscan prepare command. If openSourceOnly="true" or -oso is listed, remove this parameter.

    AppScan 360° does not support the openSourceOnly or -oso parameter in appscan prepare.

  • If you uploaded an IRX and intended to run a scan on a location with only third-party libraries, enable third-party scanning. Either:
    1. Add the third-party flag to appscan prepare to pick up third-party libraries and try the scan again.

      The command should look like: appscan prepare -tp.

    2. Add thirdParty="true" to appscan-config.xml and try the scan again.

      An example can be found at Configuring IRX file generation with the CLI

  • If you uploaded a ZIP and intended to run a scan on a location with only third-party libraries, enable third-party scanning:
    • If you want to scan third-party code, add thirdParty="true" to appscan-config.xml and try the scan again.

No Known File Types

No known scan file types were found during discovery. 
Please specify a location that contains .class, .jar, .war, .ear, .dll, .exe, PHP, Ruby, NPM packages, or JavaScript files.

You tried to scan a location that does not contain any scannable files.

Verify that the files in the target location are valid files types. Check the list of supported file types at Static analysis language support.

If you used appscan-config.xml, check that the target path is a valid location.

No Scannable Files

Problems found during validation. 
No scannable files found. If you are trying to scan third party code, generate the IRX file using the --thirdParty option. If you are trying to scan for open source, generate the IRX using the -oso option. For a list of supported file types, refer to https://help.hcl-software.com/appscan/ASoC/src_language_support.html#src_language_support__table_ylp_rn5_jw.
  • If you intended to run a scan on a location with only third-party libraries, you must enable third-party scanning. Either:
    1. Add the third-party flag to appscan prepare to pick up third-party libraries and try the scan again.

      The command should look like appscan prepare -tp.

    2. Add thirdParty="true" to appscan-config.xml and try the scan again.

      An example can be found at Configuring IRX file generation with the CLI

  • If you intended to run a data flow analysis scan, confirm that the target scan location contains the correct compiled file types for Java, .NET, or C/C++, and try the scan again.

  • If you intended to run a source code-only scan, confirm the target location contains correct source code file types, and try the scan again.
  • If you did not intend to run a source-code only scan, remove the –sco flag from the appscan prepare command, or from appscan-config.xml, and try the scan again.

Scan administrator: Working with HCL support

If, after applying the troubleshooting guidance presented here, you’re still unsure of what caused the scan failure, contact HCL Customer Support for additional assistance. Be ready to provide support with the following information:
  • Execution ID
  • Scan ID
  • Preparer pod ID, if applicable
  • Analyzer pod ID, if applicable
  • Any error reported on the scan page in AppScan 360° or in service.log.
  • The log ZIP file.
  • Details about the application/project being scanned.
  • Details about steps taken to troubleshoot and/or resolve the issue.
Note: Backup any important information and scan details off the pod to a secure location. Data on the pod is cleaned up by default after 10 days.