Azure pipeline & java problem

Hello

Is anyone experied message
"java.lang.UnsupportedClassVersionError: com/fortify/scancentral/launcher/Launcher has been compiled by a more recent version of the Java Runtime (class file version 61.0), this version of the Java Runtime only recognizes class file versions up to 55.0"

2024-07-06T10:08:11.1927451Z ##[section]Starting: FortifyScanCentralSAST
2024-07-06T10:08:11.1934920Z ==============================================================================
2024-07-06T10:08:11.1935049Z Task         : Fortify ScanCentral SAST Assessment
2024-07-06T10:08:11.1935131Z Description  : Installs ScanCentral client and performs a static analysis using ScanCentral
2024-07-06T10:08:11.1935247Z Version      : 7.3.3
2024-07-06T10:08:11.1935305Z Author       : Micro Focus
2024-07-06T10:08:11.1935370Z Help         : 
2024-07-06T10:08:11.1935429Z ==============================================================================
2024-07-06T10:08:11.5890962Z ScanCentral Controller URL: https://{sast_controller}/scancentral-ctrl
2024-07-06T10:08:15.2639860Z Caching tool: scancentral 24.2.0 x64
2024-07-06T10:08:15.3172128Z Prepending PATH environment variable with directory: /opt/hostedtoolcache/scancentral/24.2.0/x64/bin
2024-07-06T10:08:15.3188086Z Working Directory: /home/vsts/work/1/s
2024-07-06T10:08:15.3273376Z [command]/opt/hostedtoolcache/scancentral/24.2.0/x64/bin/scancentral -url https://{sast_controller}/scancentral-ctrl start --upload-to-ssc --ssc-upload-token *** --application self-service-api --application-version RC --build-tool none
2024-07-06T10:08:17.3394247Z Error: LinkageError occurred while loading main class com.fortify.scancentral.launcher.Launcher
2024-07-06T10:08:17.3395285Z   java.lang.UnsupportedClassVersionError: com/fortify/scancentral/launcher/Launcher has been compiled by a more recent version of the Java Runtime (class file version 61.0), this version of the Java Runtime only recognizes class file versions up to 55.0
2024-07-06T10:08:17.3497506Z ##[error]The process '/opt/hostedtoolcache/scancentral/24.2.0/x64/bin/scancentral' failed with exit code 1
2024-07-06T10:08:17.3547776Z ##[section]Finishing: FortifyScanCentralSAST

... on Azure pipeline after upgrade Fortify SAST enviroment form 23.2 to 24.2?

here are pipepline config:

# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml
 
variables:
- group: fortify
 
trigger:
- features/48236
 
pool:
  vmImage: ubuntu-latest
 
steps:
- task: JavaToolInstaller@0
  inputs:
    versionSpec: '17'
    jdkArchitectureOption: 'x64'
    jdkSourceOption: 'PreInstalled'
- task: FortifyScanCentralSAST@7
  inputs:
    scanCentralCtrlUrl: 'https://{sast_controller}/scancentral-ctrl'
    scanCentralClientToken: '$(ScanCentral.ClientToken)'
    sscCiToken: '$(ScanCentral.SscCiToken)'
    uploadToSSC: true
    applicationName: 'self-service-api'
    applicationVersion: 'RC'
    buildTool: 'none'
YAML schema reference
Azure Pipelines YAML schema reference

I configured OpenJDK-17 (RedHat 17.0.11+9-LTS) on SSC and ScanCentral Controller. 

SSC 24.2.0.0186
ScanCentral controller 24.2.0.0050
workers: 24.2.0.0150

Thank You in advance

-- 
Pawel


edit:

It looks like azure uses jre11 or earlier, but I'm not sure how to force using jre-17? 
Localy SSC, controller and two workers works fine with no errors.  

  • 0

    The pipeline error message looks the same  despite using different versions of JRE:  

    #1
    without JavaToolInstaller@0
     
    /usr/lib/jvm/temurin-11-jdk-amd64
     
    Error: LinkageError occurred while loading main class com.fortify.scancentral.launcher.Launcher
    	java.lang.UnsupportedClassVersionError: com/fortify/scancentral/launcher/Launcher has been compiled by a more recent version of the Java Runtime (class file version 61.0), this version of the Java Runtime only recognizes class file versions up to 55.0
    ##[error]The process '/opt/hostedtoolcache/scancentral/24.2.0/x64/bin/scancentral' failed with exit code 1
     
     
    #2
    with JavaToolInstaller@0 SET to 17
    BEFORE /usr/lib/jvm/temurin-11-jdk-amd64
    AFTER /usr/lib/jvm/temurin-17-jdk-amd64
     
    Error: LinkageError occurred while loading main class com.fortify.scancentral.launcher.Launcher
    	java.lang.UnsupportedClassVersionError: com/fortify/scancentral/launcher/Launcher has been compiled by a more recent version of the Java Runtime (class file version 61.0), this version of the Java Runtime only recognizes class file versions up to 55.0
    ##[error]The process '/opt/hostedtoolcache/scancentral/24.2.0/x64/bin/scancentral' failed with exit code 1
     
     
    #3
    with JavaToolInstaller@0 SET to 8
    BEFORE /usr/lib/jvm/temurin-11-jdk-amd64
    AFTER /usr/lib/jvm/temurin-8-jdk-amd64
     
    Error: LinkageError occurred while loading main class com.fortify.scancentral.launcher.Launcher
    	java.lang.UnsupportedClassVersionError: com/fortify/scancentral/launcher/Launcher has been compiled by a more recent version of the Java Runtime (class file version 61.0), this version of the Java Runtime only recognizes class file versions up to 55.0
    ##[error]The process '/opt/hostedtoolcache/scancentral/24.2.0/x64/bin/scancentral' failed with exit code 1

    Does this mean that the controller serves a client with version jre11 built-in, or does the controller itself have this version entered in the configuration?

    The same error occurs for Azure pipeline VM image in macOS, Ubuntu and Win versions.

  • Verified Answer

    +1 in reply to 

    Ok, I found it with Hubert's help. 

    OpenText/MicroFocus doesn't tested SAST on Azure DevOps. The problem is in client package 24.2.0.0050 ({SASTcontroller}\Tomcat10\client\scancentral.zip). CommandLine and Bash scripts fails to check Java versions.

    To resolve the problem you must force set JAVA_HOME to JAVA_HOME_17_X64 variable in both scripts in scancentral.zip package on ScanCentrall Controller (CMD and Bash) 



    Fortify_ScanCentral_Client_24.2.0.0051_x64.zip\bin\scancentral.bat

    @echo off
    
    rem *******************************************************************************************************************
    rem Copyright 2008 - 2024 Open Text.
    rem
    rem The only warranties for products and services of Open Text and its affiliates and licensors ("Open Text") are as
    rem may be set forth in the express warranty statements accompanying such products and services. Nothing herein should
    rem be construed as constituting an additional warranty. Open Text shall not be liable for technical or editorial
    rem errors or omissions contained herein. The information contained herein is subject to change without notice.
    rem
    rem Except as specifically indicated otherwise, this document contains confidential information and a valid license
    rem is required for possession, use or copying. If this work is provided to the U.S. Government, consistent with FAR
    rem 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for
    rem Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
    rem *******************************************************************************************************************
    
    setlocal
    
    set FORTIFY_HOME=%~dp0..
    
    :CheckJavaAtFortifyHome
    set JAVA_CMD=%FORTIFY_HOME%\jre\bin\java.exe
    if not exist "%JAVA_CMD%" (
        goto CheckJavaAtCentralJavaHome
    ) else (
        goto Run
    )
    
    :CheckJavaAtCentralJavaHome
    if ""=="%SCANCENTRAL_JAVA_HOME%" (
        goto CheckJava17AtAzureHostedAgent
    )
    set JAVA_CMD=%SCANCENTRAL_JAVA_HOME%\bin\java.exe
    if not exist "%JAVA_CMD%" (
        goto ErrorMessage
    ) else (
        goto Run
    )
    
    :CheckJava17AtAzureHostedAgent
    if ""=="%JAVA_HOME_17_X64%" (
        goto CheckJava21AtAzureHostedAgent
    )
    set JAVA_CMD=%JAVA_HOME_17_X64%\bin\java.exe
    if not exist "%JAVA_CMD%" (
        goto CheckJava21AtAzureHostedAgent
    ) else (
        goto Run
    )
    
    :CheckJava21AtAzureHostedAgent
    if ""=="%JAVA_HOME_21_X64%" (
        goto CheckJavaAtJavaHome
    )
    set JAVA_CMD=%JAVA_HOME_21_X64%\bin\java.exe
    if not exist "%JAVA_CMD%" (
        goto CheckJavaAtJavaHome
    ) else (
        goto Run
    )
    
    :CheckJavaAtJavaHome
    if ""=="%JAVA_HOME%" (
        set JAVA_CMD=java.exe
        goto Run
    )
    set JAVA_CMD=%JAVA_HOME%\bin\java.exe
    if not exist "%JAVA_CMD%" (
        goto ErrorMessage
    ) else (
        goto Run
    )
    
    :ErrorMessage
    echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
    echo ERROR: SCANCENTRAL_JAVA_HOME is not set.
    echo If your project requires Java 8:
    echo   1. Set the JAVA_HOME variable in your environment to match the
    echo      location of your Java 8.
    echo   2. Set the SCANCENTRAL_JAVA_HOME variable in your environment to match the
    echo      location of your Java 17 or higher.
    echo If you scan non Java project or your project requires Java 17 or higher:
    echo      Set the JAVA_HOME or SCANCENTRAL_JAVA_HOME variable in your environment
    echo      to match the location of your Java 17 or higher.
    exit /b 1
    
    :Run
    set ARGS=
    
    :CollectArgsLoop
    set ARGS=%ARGS% %1
    shift
    if not "%~1"=="" goto CollectArgsLoop
    
    if not "%CLOUDSCAN_LOG%"=="" (
        echo CLOUDSCAN_LOG variable is no longer supported. Use SCANCENTRAL_LOG variable instead.
    )
    
    :RunClient
    "%JAVA_CMD%" -Dscancentral.installRoot="%FORTIFY_HOME%" -Dlog4j.dir="%SCANCENTRAL_LOG%" -jar "%FORTIFY_HOME%\Core\lib\scancentral-launcher-24.2.0.0050.jar" %ARGS%
    
    :End

    Fortify_ScanCentral_Client_24.2.0.0051_x64.zip\bin\scancentral

    #!/bin/bash
    
    # *******************************************************************************************************************
    # Copyright 2008 - 2024 Open Text.
    #
    # The only warranties for products and services of Open Text and its affiliates and licensors ("Open Text") are as
    # may be set forth in the express warranty statements accompanying such products and services. Nothing herein should
    # be construed as constituting an additional warranty. Open Text shall not be liable for technical or editorial
    # errors or omissions contained herein. The information contained herein is subject to change without notice.
    #
    # Except as specifically indicated otherwise, this document contains confidential information and a valid license
    # is required for possession, use or copying. If this work is provided to the U.S. Government, consistent with FAR
    # 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for
    # Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
    # *******************************************************************************************************************
    
    #
    #The base directory path
    #
    PRG="$0"
    while [ -h "$PRG" ] ; do
      ls=`ls -ld "$PRG"`
      link=`expr "$ls" : '.*-> \(.*\)$'`
      if expr "$link" : '.*/.*' > /dev/null; then
        PRG="$link"
      else
        PRG=`dirname "$PRG"`/"$link"
      fi
    done
    BASE_DIR=`dirname "$PRG"`
    FORTIFY_HOME="${BASE_DIR}/.."
    
    showErrorMessage() {
      echo "  ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
      ERROR: SCANCENTRAL_JAVA_HOME is not set.
      If your project requires Java 8:
        1. Set the JAVA_HOME variable in your environment to match the
           location of your Java 8.
        2. Set the SCANCENTRAL_JAVA_HOME variable in your environment to match the
           location of your Java 17 or higher.
      If you scan non Java project or your project requires Java 17 or higher:
           Set the JAVA_HOME or SCANCENTRAL_JAVA_HOME variable in your environment
           to match the location of your Java 17 or higher."
      exit 1
    }
    
    checkJavaAtJavaHome() {
      if [ -n "$JAVA_HOME" ] ; then
        JAVA_CMD="${JAVA_HOME}/bin/java"
        if [ ! -x "$JAVA_CMD" ] ; then
          showErrorMessage
        fi
      else
        JAVA_CMD="java"
      fi
    }
    
    checkJava21AtAzureHostedAgent() {
      if [ -n "$JAVA_HOME_21_X64" ] ; then
        JAVA_CMD="$JAVA_HOME_21_X64/bin/java"
        if [ ! -x "$JAVA_CMD" ] ; then
          checkJavaAtJavaHome
        fi
      else
        checkJavaAtJavaHome
      fi
    }
    
    checkJava17AtAzureHostedAgent() {
      if [ -n "$JAVA_HOME_17_X64" ] ; then
        JAVA_CMD="${JAVA_HOME_17_X64}/bin/java"
        if [ ! -x "$JAVA_CMD" ] ; then
          checkJava21AtAzureHostedAgent
          true
        fi
      else
        checkJava21AtAzureHostedAgent
      fi
    }
    
    checkJavaAtCentralJavaHome() {
      if [ -n "$SCANCENTRAL_JAVA_HOME" ] ; then
        JAVA_CMD="$SCANCENTRAL_JAVA_HOME/bin/java"
        if [ ! -x "$JAVA_CMD" ] ; then
          showErrorMessage
        fi
      else
        checkJava17AtAzureHostedAgent
      fi
    }
    
    setUpJava() {
      JAVA_CMD="${FORTIFY_HOME}/jre/bin/java"
      if [ ! -x "$JAVA_CMD" ] ; then
        checkJavaAtCentralJavaHome
      fi
    }
    
    setUpJava
    
    if [ -n "$CLOUDSCAN_LOG" ]; then
      echo "\$CLOUDSCAN_LOG variable is no longer supported. Use \$SCANCENTRAL_LOG variable instead."
    fi
    
    $JAVA_CMD -Dscancentral.installRoot="${FORTIFY_HOME}" -Dlog4j.dir="${SCANCENTRAL_LOG}" -jar "${FORTIFY_HOME}/Core/lib/scancentral-launcher-24.2.0.0050.jar" "$@"

  • 0 in reply to 

    I have this same Issue but in Fortify On Demand integrated with Azure Devops. 

    Anyone coul resolve this? I don know how to force JAVA_HOME to JAVA_HOME_17_X64 on Scancentral client on Azure Devops. 

    Thank you all in advance. 

    CyberSecurity Practitioner and Cloud Enthusiast

  • 0 in reply to 

    Hello

    Please place some configs, screens, logs to describe your problem.

    best regards 

    -- 
    Pawel 

  • 0 in reply to 

    I has an support case answere with resolution below but it doesn't works for me:


    There is also an official way to select which java will be used 
    to run ScanCentral without modification of the exec files. It is 
    possible to set environment variable SCANCENTRAL_JAVA_HOME 
    
    In case of microsoft hosted azure agent it might be like
    
    set SCANCENTRAL_JAVA_HOME=%JAVA_HOME_17_X64%

  • 0 in reply to 

    I have this logs from the error that may be help. Were you say i have to set "SCANCENTRAL_JAVA_HOME=%JAVA_HOME_17_X64%".

    2024-11-12T14:47:53.6506408Z Retrieving saved scan settings :false
    2024-11-12T14:47:53.6507284Z Working Directory: /home/vsts/work/_tasks/FortifyOnDemandStatic_cbe8d5fd-a02d-4157-8bfa-21f98fcaa217/9.4.0
    2024-11-12T14:47:54.6202238Z outputfilepath : /home/vsts/work/1/a\source.zip
    2024-11-12T14:47:54.6212791Z [command]/opt/hostedtoolcache/scancentral/24.2.0/x64/bin/scancentral -debug package --build-tool mvn --output /home/vsts/work/1/a\source.zip
    2024-11-12T14:47:54.9380689Z Error: LinkageError occurred while loading main class com.fortify.scancentral.launcher.Launcher
    2024-11-12T14:47:54.9382011Z 	java.lang.UnsupportedClassVersionError: com/fortify/scancentral/launcher/Launcher has been compiled by a more recent version of the Java Runtime (class file version 61.0), this version of the Java Runtime only recognizes class file versions up to 55.0
    2024-11-12T14:47:54.9497704Z ##[error]Error: The process '/opt/hostedtoolcache/scancentral/24.2.0/x64/bin/scancentral' failed with exit code 1
    2024-11-12T14:47:54.9583380Z ##[section]Finishing: FortifyOnDemandStatic

    CyberSecurity Practitioner and Cloud Enthusiast

  • 0 in reply to 

    I had this problem on my SAST On-Premise environment. I haven't tested this issue myself, but from what I've heard from the client, he added a task JavaToolInstaller in ADO PipeLine before FortifyScanCentralSAST@7 task.
    However, the client needed to update the client package as I described in this discussion.
    Here is task example: 

    ...
    
    steps:
    - task: JavaToolInstaller@0
      inputs:
        versionSpec: '17'
        jdkArchitectureOption: 'x64'
        jdkSourceOption: 'PreInstalled'
    - task: FortifyScanCentralSAST@7
    ...

     
    If all attempts fail you can also open support ticket.

    best regards

    -- 

    Pawel

  • 0 in reply to 

    Thank you very much, Pawel. I am returning to you with an update.

    CyberSecurity Practitioner and Cloud Enthusiast

  • 0 in reply to 

    Hello, after several attempts I cannot get the fortify process to run correctly, having the same error mentioned.

    Thank you very much anyway.

    CyberSecurity Practitioner and Cloud Enthusiast