2.5.x ssc session login bug #584

Closed
coenfre opened this issue Aug 30, 2024 · 4 comments
Labels
bug Something isn't working effort:low Easy to implement/fix prio:high High priority; important new feature or bug fix

Comments


coenfre commented Aug 30, 2024

Current Behavior

When executing the following session login command on fcli-linux 2.4.0 and 2.5.0/2.5.2, I get different results:

`fcli ssc session login -t $PASSWORD --url $URL bug`

2.4.0: login successful
2.5.x:

com.fortify.cli.common.rest.unirest.UnexpectedHttpResponseException: 
Request: POST https://intragate.ec.europa.eu/ssc/api/v1/userSession/tokenData: 
Response: 401 
Response Body:
SSCTokenGetOrCreateResponse(data=null)
	at com.fortify.cli.common.rest.unirest.config.UnirestUnexpectedHttpResponseConfigurer$UnexpectedHttpResponseInterceptor.onResponse(UnirestUnexpectedHttpResponseConfigurer.java:36)
	at kong.unirest.CompoundInterceptor.lambda$onResponse$1(CompoundInterceptor.java:48)
	at java.base@21.0.2/java.util.ArrayList.forEach(ArrayList.java:1596)
	at kong.unirest.CompoundInterceptor.onResponse(CompoundInterceptor.java:48)
	at kong.unirest.apache.ApacheClient.request(ApacheClient.java:134)
	at kong.unirest.Client.request(Client.java:57)
	at kong.unirest.BaseRequest.request(BaseRequest.java:365)
	at kong.unirest.BaseRequest.asObject(BaseRequest.java:266)
	at com.fortify.cli.ssc.access_control.helper.SSCTokenHelper.getTokenData(SSCTokenHelper.java:172)
	at com.fortify.cli.ssc.access_control.helper.SSCTokenHelper.getTokenData(SSCTokenHelper.java:100)
	at com.fortify.cli.ssc._common.session.helper.SSCSessionDescriptor.getToken(SSCSessionDescriptor.java:87)
	at com.fortify.cli.ssc._common.session.helper.SSCSessionDescriptor.getOrGenerateToken(SSCSessionDescriptor.java:82)
	at com.fortify.cli.ssc._common.session.helper.SSCSessionDescriptor.<init>(SSCSessionDescriptor.java:43)
	at com.fortify.cli.ssc._common.session.cli.cmd.SSCSessionLoginCommand.login(SSCSessionLoginCommand.java:42)
	at com.fortify.cli.ssc._common.session.cli.cmd.SSCSessionLoginCommand.login(SSCSessionLoginCommand.java:27)
	at com.fortify.cli.common.session.cli.cmd.AbstractSessionLoginCommand.getJsonNode(AbstractSessionLoginCommand.java:35)
	at com.fortify.cli.common.output.cli.cmd.AbstractOutputCommand.call(AbstractOutputCommand.java:33)
	at com.fortify.cli.common.output.cli.cmd.AbstractOutputCommand.call(AbstractOutputCommand.java:22)
	at picocli.CommandLine.executeUserObject(CommandLine.java:2118)
	at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2538)
	at picocli.CommandLine$RunLast.handle(CommandLine.java:2530)
	at picocli.CommandLine$RunLast.handle(CommandLine.java:2492)
	at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2350)
	at picocli.CommandLine$RunLast.execute(CommandLine.java:2494)
	at picocli.CommandLine.execute(CommandLine.java:2247)
	at com.fortify.cli.app.runner.DefaultFortifyCLIRunner.run(DefaultFortifyCLIRunner.java:49)
	at com.fortify.cli.app.FortifyCLI.execute(FortifyCLI.java:38)
	at com.fortify.cli.app.FortifyCLI.main(FortifyCLI.java:32)
	at java.base@21.0.2/java.lang.invoke.LambdaForm$DMH/sa346b79c.invokeStaticInit(LambdaForm$DMH)

OS is Ubuntu Linux 20.04 and alpine:latest
Using a valid (works with 2.4.0), base64 encoded token CIToken
Fortify SSC server is version 23.2.1

Expected Behavior

I could not find any breaking changes on ssc session login, so I would expect the syntax to keep working.

Steps To Reproduce

On an Ubuntu Linux 22.04 or alpine:latest with Fortify SSC 23.2.1:

export PASSWORD=<valid CIToken>
export URL=<SSC url>
curl -L https://github.com/fortify/fcli/releases/download/v2.4.0/fcli-linux.tgz | tar xzf -
./fcli ssc session login -t $PASSWORD --url $URL bug
curl -L https://github.com/fortify/fcli/releases/download/v2.5.0/fcli-linux.tgz | tar xzf -
./fcli ssc session login -t $PASSWORD --url $URL bug

Environment

OS: Ubuntu 20.04 & alpine:latest
SSC: 23.2.1
fcli: 2.5.x

Anything else?

No response

@coenfre coenfre added the bug Something isn't working label Aug 30, 2024
@rsenden rsenden added prio:high High priority; important new feature or bug fix effort:? labels Aug 30, 2024
Contributor

rsenden commented Aug 30, 2024

Thanks for reporting this! Not sure what the `bug` suffix in your sample session login commands is meant for; this is not an accepted CLI argument in either fcli 2.4.x or 2.5.x. Anyway, I can reproduce your issue with `./fcli ssc session login -t $PASSWORD --url $URL` and SSC 23.2.0. This might be an unintended bug introduced by some of the session management changes in fcli 2.5.0; I'll try to investigate and provide a bug fix next week.

Author

coenfre commented Aug 30, 2024

Thank you, Ruud! I have no idea how that "bug" snuck in there, it should not be there.
Have a nice weekend. :-)

Contributor

rsenden commented Aug 30, 2024

For improved user experience on SSC 24.2, we're calling an endpoint that didn't exist in earlier SSC versions. We're ignoring any 404 responses to cater for older SSC versions but apparently also need to catch 401 responses. Not sure why this didn't show up during testing.

rsenden added a commit that referenced this issue Aug 30, 2024
fix: Fix error on `fcli ssc session login` command on older SSC versions (fixes #584)
@rsenden rsenden added effort:low Easy to implement/fix and removed effort:? labels Aug 30, 2024
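
The compatibility handling described in the comment above, sketched as an added example (not fcli's code and not written by anyone in this thread): an optional call that tolerates 404 and 401 but still fails on any other error. The stub server, the class and method names, and the use of the `tokenData` path from the stack trace as the optional endpoint are assumptions.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

public class OptionalEndpointProbe {
    // "Optional endpoint not usable on this SSC version": 404 was already ignored, 401 was added.
    static final Set<Integer> TOLERATED = Set.of(401, 404);

    /** Optional call: body on 200, empty on a tolerated status, exception otherwise. */
    static Optional<String> probe(HttpClient client, URI uri) throws Exception {
        HttpRequest req = HttpRequest.newBuilder(uri)
                .POST(HttpRequest.BodyPublishers.noBody()).build();
        HttpResponse<String> rsp = client.send(req, HttpResponse.BodyHandlers.ofString());
        if (rsp.statusCode() == 200) return Optional.of(rsp.body());
        if (TOLERATED.contains(rsp.statusCode())) return Optional.empty();
        throw new IllegalStateException("HTTP " + rsp.statusCode() + " from " + uri.getPath());
    }

    public static void main(String[] args) throws Exception {
        // Constructed stubs (assumption): one fixed status per simulated server behaviour.
        Map<String, Integer> stubs = Map.of("/new", 200, "/old404", 404, "/old401", 401, "/broken", 500);
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        stubs.forEach((prefix, status) ->
            server.createContext(prefix + "/api/v1/userSession/tokenData", ex -> {
                byte[] body = "{\"data\":null}".getBytes();
                ex.sendResponseHeaders(status, body.length);
                ex.getResponseBody().write(body);
                ex.close();
            }));
        server.start();
        HttpClient client = HttpClient.newHttpClient();
        String base = "http://127.0.0.1:" + server.getAddress().getPort();
        for (String prefix : new String[] {"/new", "/old404", "/old401", "/broken"}) {
            URI uri = URI.create(base + prefix + "/api/v1/userSession/tokenData");
            try {
                System.out.println(prefix + " -> " + probe(client, uri).map(b -> "token data").orElse("skipped"));
            } catch (IllegalStateException e) {
                System.out.println(prefix + " -> login fails: " + e.getMessage());
            }
        }
        server.stop(0);
    }
}
```

Run it with `java OptionalEndpointProbe.java`. Because a 401 on the optional call is swallowed, an invalid token is not detected at that point, so the first mandatory authenticated request has to keep treating 401 as fatal.
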
Contributor

rsenden commented Aug 30, 2024

New fcli release 2.5.3 is ready now; can you please confirm whether this fixes the issue for you?
