Intermittent 'Error installing Debricked CLI'

[HarrisonFBG]

Current Behavior

Since the update to v1.31 our we have been getting the following error and workflow failure.
This issue seems to happen at random since it occurs in different repos and sometimes only 1/3 jobs in a workflow will fail but rerunning the workflow will usually be successful.

RUN PACKAGE: /runner/_work/_temp/fortify/tools/sc-client/24.2.0/bin/scancentral package -o package.zip -bt mvn -bf pom.xml -oss -o package.zip
  launcher.log will be stored in "/home/runner/.fortify/scancentral-24.2.0/log" directory.
  scancentral.log will be stored in "/home/runner/.fortify/scancentral-24.2.0/log" directory.
  No installed Debricked CLI was found.
  Error installing Debricked CLI.
  Error retrieving latest Debricked CLI version from GitHub.
  Shutting down with errors. Please see log for details.
Summary:
  PACKAGE: ERROR
Failing commands:
  PACKAGE: /runner/_work/_temp/fortify/tools/sc-client/24.2.0/bin/scancentral package -o package.zip -bt mvn -bf pom.xml -oss -o package.zip

This issue did not occur in prior versions of the action or in workflows that specify an older sc-client with the definition below

  uses: fortify/github-action/setup@v1
    with:
      sc-client: 23.1.0

Expected Behavior

Debricked CLI is successfully installed and the workflow proceeds with all of the subsequent steps to build/package
A successful run has the following

RUN PACKAGE: /runner/_work/_temp/fortify/tools/sc-client/24.2.0/bin/scancentral package -o package.zip -bt mvn -bf pom.xml -oss -o package.zip
  launcher.log will be stored in "/home/runner/.fortify/scancentral-24.2.0/log" directory.
  scancentral.log will be stored in "/home/runner/.fortify/scancentral-24.2.0/log" directory.
  No installed Debricked CLI was found.
  A new Debricked CLI version is available: 2.1.4.
  Cleanup the existing Debricked CLI installation.
  Installing Debricked CLI...
  Debricked CLI is installed at /runner/_work/_temp/fortify/tools/sc-client/24.2.0/Core/lib/debricked

Steps To Reproduce

In any repo run the following workflow step

- name: Run FoD SAST Scan
      # https://github.com/fortify/github-action?tab=readme-ov-file#fortify-github-action-fod-sast-scan
      uses: fortify/github-action/fod-sast-scan@v1
      env:
        FOD_URL: "https://ams.fortify.com"
        FOD_TENANT: "TENANT"
        FOD_RELEASE: ${{ steps.get-release-id.outputs.releaseId }}
        PACKAGE_EXTRA_OPTS: '-bt mvn -bf pom.xml -oss -o package.zip'
        FOD_SAST_SCAN_EXTRA_OPTS: '--notes="Triggered by GitHub Actions (actions/runs/${{ github.run_id }})"'

Environment

Github action runner: v2.319.1
Java: Java_Corretto_jdk/17.0.12-7.1/x64
fortify/github-action: v1.3.1
sc-client: 24.2.0

Anything else?

No response

[HarrisonFBG]

Did some more testing and it seems to be an issue with the latest scancentral version installing its own debricked copy. Even when running locally scancentral showed the same error.

Fortify_ScanCentral_Client_Latest_x64/bin/scancentral package -oss -o package.zip 
launcher.log will be stored in "/Users/username/.fortify/scancentral-24.2.0/log" directory.
scancentral.log will be stored in "/Users/username/.fortify/scancentral-24.2.0/log" directory.
No installed Debricked CLI was found.
A new Debricked CLI version is available: 2.1.4.
Error installing Debricked CLI.

Fixed it by adding the following steps to the github workflow before the fortify/github-action/fod-sast-scan step to avoid a race condition on the debricked installation

    - name: Setup Fortify Tools
      uses: fortify/github-action/setup@v1
      with:
        debricked-cli: latest
        sc-client: 24.2

    - name: Copy Debricked for ScanCentral 24.2
      shell: bash
      run: |
        cp -R "${{ env.DEBRICKED_CLI_BIN_DIR }}" "${{ env.SC_CLIENT_INSTALL_DIR }}/Core/lib/debricked"

[rsenden]

Hi, thanks for reporting this. I forwarded this issue to the product manager responsible for ScanCentral Client; he thinks this might be due to ScanCentral Client running into GitHub rate limits while checking for/downloading the latest Debricked CLI. He'll look into improving this in a next version of ScanCentral Client.

The fortify/github-action/setup action uses a slightly different approach for locating and downloading the latest Debricked CLI, and likely benefits from higher rate limits by automatically (implicitly) using authenticated GitHub API requests based on the GITHUB_TOKEN that's automatically provided by GitHub on every workflow run. I'll see whether I can incorporate your work-around in our Fortify GitHub Action.