
protecodeExecuteScan error json: cannot unmarshal string into Go struct field Vuln.results.components.vulns.vuln.cvss of type float64 #4165

Closed
radianer opened this issue Dec 19, 2022 · 11 comments · Fixed by #4167

Comments

@radianer (Contributor)

Since this weekend we have been getting these errors in our pipelines in the protecodeExecuteScan step:

fatal error: errorDetails{"category":"undefined","correlationId":"<url>","error":"json: cannot unmarshal string into Go struct field Vuln.results.components.vulns.vuln.cvss of type float64","library":"SAP/jenkins-library","message":"Error during unqote response:
{\"results\":{\"id\":1516315,\"status\":\"R\",\"sha1sum\":\"<sha>\",\"product_id\":1516316,\"name\":\"<package>\",\"custom_data\":{},\"app_type\":\"Container\",\"group_id\":1133,\"user\":\"<user>\",\"data_retention_protection\":false,\"notify\":true,\"last_updated\":\"2022-12-19T06:51:52.540023\",\"binary_bytes\":197980160,\"created\":\"2022-12-19T06:50:44.652156\",\"scanned_bytes\":173430342,
\"components\":[{\"lib\":\"acl\",\"objects\":[\"libacl.so.1.1.2253\"],\"version\":\"2.2.52-4.3.1\",\"distro_version\":\"2.2.52-4.3.1\",\"cpe\":[\"cpe:/a:acl:acl:2.2.52-4.3.1\",\"cpe:/a:acl_project:acl:2.2.52-4.3.1\"],
\"vulns\":[{\"vuln\":{\"cve\":\"CVE-2009-4411\",\"summary\":\"The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when running in recursive (-R) mode, follow symbolic links even when the --physical (aka -P) or -L option is specified, which might allow local users to modify the ACL for arbitrary files or directories via a symlink attack.\",\"cvss\":\"3.7\",\"published\":\"2009-12-24T16:30:00\",\"modified\":\"2017-08-17T01:31:00\",\"cwe\":\"CWE- ....

I think something has changed in the parsing, or the JSON field "cvss":"3.7" is now a string and no longer a float.

@ThommySte

Any updates regarding this issue? It has broken all of our pipelines since the Protecode update. We have to ship a new release soon.

@RalfHammer commented Dec 19, 2022

Our delivery is also blocked by this issue.
Any update on this? Do you want to rollback your changes?

@i540608 commented Dec 19, 2022

cc @OliverNocon @CCFenner @UmidjonUrunov Hello, colleagues! Do you have time to check the issue? It seems the new Protecode API has breaking changes.

@ffeldmann (Member)

Tried to add a PR fixing the issue. Does anyone have a sample file (with the new changes) for me to replace https://github.com/SAP/jenkins-library/blob/master/pkg/protecode/testdata/protecode_result_violations.json ?
@i540608 @RalfHammer

@i540608 commented Dec 19, 2022

@ffeldmann I only have results from a successful pipeline. You could clone the file and add a new item where cvss is a string; this would allow checking whether your changes work for the new API that returns a string and also for the old API that returns a float.
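The parsing failure in the original report and the suggestion above (test against a fixture that carries cvss both as a float and as a string) come down to one Go detail: a struct field typed float64 rejects a JSON string, so the decoder must accept both encodings. The following is an added example, not code from SAP/jenkins-library or from PR #4167: a hypothetical Score type with a custom UnmarshalJSON, a cut-down Vuln/Result shape that mirrors only the field names visible in the error message, and a constructed sample document that mixes both encodings (the second CVE identifier in it is a placeholder, not a real CVE).

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Score accepts the CVSS value either as a JSON number (old Protecode API)
// or as a JSON string such as "3.7" (new API). Hypothetical type for this
// example; it is not the struct used in SAP/jenkins-library.
type Score float64

// UnmarshalJSON receives the raw JSON value of the field, quotes included
// when it is a string, so both forms can be normalised to a float64.
func (s *Score) UnmarshalJSON(b []byte) error {
	raw := strings.TrimSpace(string(b))
	if raw == "null" {
		*s = 0
		return nil
	}
	if strings.HasPrefix(raw, `"`) {
		var str string
		if err := json.Unmarshal(b, &str); err != nil {
			return err
		}
		raw = strings.TrimSpace(str)
		if raw == "" { // tolerate "cvss":"" as "no score"
			*s = 0
			return nil
		}
	}
	f, err := strconv.ParseFloat(raw, 64)
	if err != nil {
		// Fail loudly on garbage such as "high": silently scoring it 0
		// would hide a finding from the policy check.
		return fmt.Errorf("cvss: cannot parse %q as a number: %w", raw, err)
	}
	*s = Score(f)
	return nil
}

// Vuln and Result reproduce only the path named in the error
// (results.components[].vulns[].vuln.cvss); all other fields are omitted.
type Vuln struct {
	CVE  string `json:"cve"`
	Cvss Score  `json:"cvss"`
}

type Result struct {
	Components []struct {
		Lib   string `json:"lib"`
		Vulns []struct {
			Vuln Vuln `json:"vuln"`
		} `json:"vulns"`
	} `json:"components"`
}

// ParseResult decodes a Protecode-style result document and returns the
// CVSS score per CVE identifier.
func ParseResult(doc []byte) (map[string]float64, error) {
	var wrapper struct {
		Results Result `json:"results"`
	}
	if err := json.Unmarshal(doc, &wrapper); err != nil {
		return nil, err
	}
	out := map[string]float64{}
	for _, c := range wrapper.Results.Components {
		for _, v := range c.Vulns {
			out[v.Vuln.CVE] = float64(v.Vuln.Cvss)
		}
	}
	return out, nil
}

// Constructed sample (not real scanner output): one component whose vulns
// mix the new string encoding and the old numeric encoding. The second
// entry's identifier is a placeholder, not a real CVE.
const sample = `{"results":{"components":[{"lib":"acl","vulns":[
  {"vuln":{"cve":"CVE-2009-4411","cvss":"3.7"}},
  {"vuln":{"cve":"PLACEHOLDER-NUMERIC","cvss":7.5}}
]}]}}`

func main() {
	scores, err := ParseResult([]byte(sample))
	if err != nil {
		panic(err)
	}
	fmt.Println(scores)
}
```

Dropping the old float64 field for a plain string would make the scanner output parse again, but every downstream comparison against a CVSS threshold would then need its own conversion; keeping a numeric type with a tolerant decoder localises the API change to one method and still rejects values that are not numbers at all.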

@ffeldmann (Member)

@i540608 can you run the custom piper binary with your pipeline to see if it works as expected? I honestly would not like to upload an internal security finding file to GitHub...

@matthias-goetzenberger

What prevents you from merging #4167 ? We are still blocked...

@ffeldmann (Member) commented Dec 19, 2022

@matthias-goetzenberger I am waiting for the confirmation from the OS office that their checks work with the changes... Then we can merge. Any minute :)

PS: I am doing this voluntarily, not as part of Piper, nor Protecode... Just contributing and helping to improve developers' lives with sustainability at the core :)

@jhoenger

@ffeldmann thank you for the swift support! Will you or someone in your team follow up on this issue? I would assume that the next time Protecode introduces breaking changes to their API contract we want to notice before they go live and break your automation. Maybe they have a test system for integration tests or can provide such a system in the future.

(you can reach out to the protecode team via SNOW:
https://itsm.services.sap/sp?id=sc_cat_item&sys_id=703f22d51b3b441020c8fddacd4bcbe2&priority=2&service_offering=0d5f43371b487410341e11739b4bcbc2&public=Yes)

@ffeldmann (Member)

Hi @jhoenger, honestly I do not know. I'm neither part of Piper nor Protecode. Totally different team. Please reach out to @UmidjonUrunov.

@drbugfinder-work (Member)

I'd suggest discussing this internally and not posting internal links here.
