ScanDAST 24.2 - API Call Error

Hi all,

We installed ScanDAST 24.2 and performed a scan successfully using the SSC Web GUI.

We then tried to make some calls to the DAST API, but we get the following errors:

• From the Swagger UI (X.X.X.X:8081/.../index.html):

Error: response status is 401

Response headers
content-length: 0
date: Wed,26 Jun 2024 07:22:08 GMT
server: Kestrel

• From fcli (fcli ssc app list):
Request: GET X.X.X.X/.../projects:
Response: 401
Response Body:
{"message":"Authentication failed.","responseCode":401,"errorCode":-10301}
at kong.unirest.CompoundInterceptor.lambda$onResponse$1(
at java.base/java.util.ArrayList.forEach(
at kong.unirest.CompoundInterceptor.onResponse(
at kong.unirest.apache.ApacheClient.request(
at kong.unirest.Client.request(
at kong.unirest.BaseRequest.request(
at kong.unirest.BaseRequest.asObject(
at com.fortify.cli.common.output.writer.output.standard.StandardOutputWriter.writeRecords(
at com.fortify.cli.common.output.writer.output.standard.StandardOutputWriter.write(
at com.fortify.cli.common.output.cli.mixin.AbstractOutputHelperMixin.write(
at picocli.CommandLine.executeUserObject(
at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(
at picocli.CommandLine$RunLast.handle(
at picocli.CommandLine$RunLast.handle(
at picocli.CommandLine$AbstractParseResultHandler.execute(
at picocli.CommandLine$RunLast.execute(
at picocli.CommandLine.execute(

• Container logs don't show any errors.

• The curl call taken from the Swagger UI

curl -X 'GET' \
'X.X.X.X:8081/.../applications' \
-H 'accept: text/plain' \
-H 'Authorization: TOKEN-VALUE'

gives the following:

* Trying X.X.X.X:8081...
* Connected to X.X.X.X (X.X.X.X) port 8081
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 / secp384r1 / rsaEncryption
* ALPN: server accepted h2
* Server certificate:
* subject: REDACTED
* start date: Jun 14 10:12:28 2024 GMT
* expire date: Jun 14 10:12:28 2026 GMT
* issuer: REDACTED
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for X.X.X.X:8081/.../applications
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: X.X.X.X:8081]
* [HTTP/2] [1] [:path: /api/v2/applications]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: text/plain]
* [HTTP/2] [1] [authorization: TOKEN-VALUE]
> GET /api/v2/applications HTTP/2
> Host: X.X.X.X:8081
> User-Agent: curl/8.7.1
> accept: text/plain
> Authorization: TOKEN-VALUE
* Request completely sent off
< HTTP/2 401
< date: Wed, 26 Jun 2024 08:25:44 GMT
< server: Kestrel
< content-length: 0
* Connection #0 to host X.X.X.X left intact

• SSC logs show that the URLs called are:

- /ssc/api/v1/projects?fields=id,name,-_href&limit=-1
- /ssc/api/v1/projectVersions?fields=id,name,active,project&limit=1000&includeInactive=true

If we log in to the SSC Web GUI and paste the above URLs into the browser's address bar, we get the following successful outcome:

- /ssc/api/v1/projects?fields=id,name,-_href&limit=-1 ==>> works fine and returns the following, with the expected data:

{"data":[{"id":1,"name":"Expected Application Name"}],"count":1,"responseCode":200,"links":{"last":{"href":""first":{"href":"https://X.X.X.X/ssc/api/v1/projects?fields=id,name,-_href&limit=-1&start=0"}}}">X.X.X.X/.../projects

- /ssc/api/v1/projectVersions?fields=id,name,active,project&limit=1000&includeInactive=true ==>> returns the following:

{"data":[{"id":10000,"project":{"id":1,"name":"Expected Application Name","description":null,"creationDate":"2024-06-24T13:47:27.134+00:00","createdBy":"sicappadmin","issueTemplateId":"Prioritized-HighRisk-Project-Template"},"name":"1.0","active":true,"_href":"https://X.X.X.X/ssc/api/v1/projectVersions/10000"}],"count":1,"responseCode":200,"links":{"last":{"href":""first":{"href":"https://X.X.X.X/ssc/api/v1/projectVersions?fields=id,name,active,project&limit=1000&includeInactive=true&start=0"}}}">X.X.X.X/.../projectVersions

So I guess that when the DAST API calls the SSC API there's some problem I can't spot.
We're using a CIToken-type token of a user with the Administrator role.

Any thoughts on this, or on how to debug it in a better way?

Thank you very much for your time.
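As an added diagnostic aid (this is not code from the post, from fcli, or from the Fortify/OpenText products), here is a small Python parser for `curl -v` transcripts like the one above. It pulls out the request line and headers, the response status and headers, and the TLS verification notes, then flags the things worth checking when a server answers a bare 401 with an empty body: whether an Authorization header was sent at all, whether it carries a recognised scheme in front of the token, whether the server returned a WWW-Authenticate challenge, and whether the client trusted the server's certificate chain. The sample transcript is constructed to match the shape of the one in the post (address and token are placeholders), and the set of accepted Authorization schemes is an assumption to be checked against the product documentation for the API being called.

```python
"""Parse `curl -v` output and flag the usual causes of a bare 401.

Added example, not from the forum post or from the Fortify products.
"""
import re

# Constructed sample in the shape of the poster's curl -v output (placeholders).
SAMPLE_CURL_VERBOSE = """\
* Connected to 192.0.2.10 (192.0.2.10) port 8081
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET /api/v2/applications HTTP/2
> Host: 192.0.2.10:8081
> User-Agent: curl/8.7.1
> accept: text/plain
> Authorization: TOKEN-VALUE
* Request completely sent off
< HTTP/2 401
< date: Wed, 26 Jun 2024 08:25:44 GMT
< server: Kestrel
< content-length: 0
* Connection #0 to host 192.0.2.10 left intact
"""

# Assumption: schemes the API may accept; verify against the API's own documentation.
KNOWN_SCHEMES = {"bearer", "basic", "fortifytoken"}


def parse_curl_verbose(text):
    """Split a curl -v transcript into request, response and TLS notes."""
    req = {"method": None, "path": None, "headers": {}}
    resp = {"status": None, "headers": {}}
    tls_notes = []
    for line in text.splitlines():
        if line.startswith("> "):                      # outgoing request line / header
            body = line[2:]
            m = re.match(r"([A-Z]+) (\S+) HTTP/", body)
            if m:
                req["method"], req["path"] = m.group(1), m.group(2)
            elif ":" in body:
                k, v = body.split(":", 1)
                req["headers"][k.strip().lower()] = v.strip()
        elif line.startswith("< "):                    # incoming status line / header
            body = line[2:]
            m = re.match(r"HTTP/[\d.]+ (\d{3})", body)
            if m:
                resp["status"] = int(m.group(1))
            elif ":" in body:
                k, v = body.split(":", 1)
                resp["headers"][k.strip().lower()] = v.strip()
        elif line.startswith("* SSL certificate verify result:"):
            tls_notes.append(line[2:])
    return {"request": req, "response": resp, "tls_notes": tls_notes}


def diagnose(parsed):
    """Return a list of findings explaining what a 401 in this transcript suggests."""
    findings = []
    auth = parsed["request"]["headers"].get("authorization")
    status = parsed["response"]["status"]
    if auth is None:
        findings.append("no Authorization header was sent")
    else:
        # A credential is normally "<scheme> <value>"; a bare value has no scheme.
        scheme = auth.split(" ", 1)[0].lower() if " " in auth else None
        if scheme is None:
            findings.append("Authorization header carries a bare value with no scheme "
                            "(expected e.g. 'FortifyToken <token>' or 'Bearer <token>')")
        elif scheme not in KNOWN_SCHEMES:
            findings.append(f"Authorization scheme '{scheme}' is not one the API is expected to accept")
    if status == 401 and "www-authenticate" not in parsed["response"]["headers"]:
        findings.append("401 without WWW-Authenticate: the server rejected the credential outright "
                        "rather than asking for a different scheme")
    for note in parsed["tls_notes"]:
        if "unable to get local issuer certificate" in note and "continuing anyway" in note:
            findings.append("TLS chain not trusted by the client; curl continued anyway, "
                            "so this did not cause the 401 but should be fixed")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_curl_verbose(SAMPLE_CURL_VERBOSE)):
        print("-", finding)
```

Feed it the real transcript (with the token still redacted) and compare the findings with the Swagger UI's "Authorize" dialog: if the header the UI builds contains a scheme prefix but the one in the transcript does not, that difference is the first thing to correct before looking at the DAST-to-SSC hop.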