Veracode pre scan fails on corrupt spring boot executable version > 2.5.9 #31673
Comments
This advice is concerning. Spring Boot 2.5.x reached the end of its OSS support period on 19 May 2022.
Perhaps they're referring to this change
Once added, Spring Boot never removes the script. If something else is removing it, it will have to update the entry offsets to account for the change.
This isn't a known issue. If you would like us to investigate further, please provide a complete yet minimal sample that reproduces the problem.
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.
Veracode fails to pre scan spring boot version > 2.5.9 executables - in our case, spring boot version is 2.6.4.
Veracode fails pre scan and module(s) cannot be selected.
These error messages are displayed on the Veracode Select Modules screen:
Corrupt Header - 1 File
Support Issue: Fatal - 1 File
Support Issue (fatal): .jar may have been corrupted by buggy version of spring boot (2.6.x). Please use version 2.5.9 (or earlier) or provide us with a non-executable jar/war (see the official Spring documentation).
We consulted with Veracode on July 6; they indicated this is a spring boot issue and suggested we open an issue here. Veracode has had a significant number of support calls in the past month or so regarding this issue. It is a known, common issue with Veracode customers.
Veracode states a script is added in the exec, and when the script gets removed, the length of the artifact is not properly adjusted (the executable byte length). It effectively makes the artifact corrupt for Veracode scanning.
Is this a known spring boot issue? If so, when will it be fixed?
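A way to check an artifact for the condition discussed in this thread before uploading it to a scanner, as an added example that is not Spring Boot's or Veracode's code. It assumes, as the maintainer's comment implies, that the ZIP offsets in an executable jar include the length of the prepended script; `check_offsets`, `rebase` and the sample bytes are constructed for illustration.

```python
import io, struct, zipfile
EOCD, CEN, LOC = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"

def _directory(data):
    """Return (EOCD position, real directory start, recorded directory offset)."""
    end = data.rfind(EOCD)
    if end < 0:
        raise ValueError("no end-of-central-directory record")
    cd_size, cd_off = struct.unpack_from("<II", data, end + 12)
    return end, end - cd_size, cd_off

def _entries(data, start, end):
    """Yield (header position, recorded local-header offset) per directory entry."""
    p = start
    while p < end and data[p:p + 4] == CEN:
        n, m, k = struct.unpack_from("<HHH", data, p + 28)  # name/extra/comment lengths
        yield p, struct.unpack_from("<I", data, p + 42)[0]
        p += 46 + n + m + k

def check_offsets(data):
    """Return (status, prefix_len) for a jar that may carry a prepended script."""
    end, start, cd_off = _directory(data)
    shift = start - cd_off                 # real directory position minus recorded one
    if shift < 0:
        return "inconsistent", 0           # offsets point past the bytes present
    locs = [loc + shift for _, loc in _entries(data, start, end)]
    if not locs or any(data[o:o + 4] != LOC for o in locs):
        return "inconsistent", 0
    return ("ok" if shift == 0 else "unadjusted-prefix"), min(locs)

def rebase(data, delta):
    """Add delta to every recorded offset, as a tool changing the prefix must."""
    buf = bytearray(data)
    end, start, cd_off = _directory(data)
    struct.pack_into("<I", buf, end + 16, cd_off + delta)
    for p, loc in _entries(data, start, end):
        struct.pack_into("<I", buf, p + 42, loc + delta)
    return bytes(buf)

# Constructed sample data: a two-entry archive and a stand-in launch script.
_out = io.BytesIO()
with zipfile.ZipFile(_out, "w") as z:
    z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    z.writestr("BOOT-INF/classes/app.txt", "constructed sample")
PLAIN = _out.getvalue()
SCRIPT = b"#!/bin/bash\n# constructed stand-in for a launch script\nexit 0\n"
EXECUTABLE = SCRIPT + rebase(PLAIN, len(SCRIPT))  # offsets include the script
STRIPPED = EXECUTABLE[len(SCRIPT):]               # script cut off, offsets untouched
```

`check_offsets(STRIPPED)` reports `inconsistent`, and `rebase(STRIPPED, -len(SCRIPT))` restores the original archive bytes.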