10raw

Reputation: 574

Not enough memory to complete analysis

I am facing a very unusual error related to Fortify scan. It started yesterday evening and I have been struggling very hard to resolve it, since it has been impacting the work of the whole team. I am getting the following error message in the Jenkins console.

I tried to troubleshoot by bumping the memory and Java heap size with the following argument in the Jenkins pipeline code, but that did not help either: fortifyMemory: '-Xmx6G -Xms2400M -Xss48M'.

I tried to exclude more files using sourceExclusions: 'src/main/resources/**/*.*', but that did not work either.

I found online that using parallel processing and changing the Java version type to 64-bit (-64) might solve the problem, but I was not able to configure it properly in my Jenkins pipeline since there was not much information available.

Please let me know if someone knows how to pass these two flags in my pipeline code below or if there is another solution for this.

stage('Fortify Scan') {
    agent {
        label 'docker-fortify-slave'
    }
    steps {
        unstash 'build'
        fortifyscanjava([
            useExternalDependencyDirectory: false,
            buildVersion: "${TAG_VAL}",
            fortifyCredentialsId: "fortify-credentials",
            fortifyJavaVersion: '1.8',
            sourceDirectory: "${env.WORKSPACE}/dist",
            sourceExclusions: '',
            criticalThreshold: 0,
            fortifyMemory: '-Xmx32G -Xms4800M -Xss196M',
            highThreshold: 0,
            mediumThreshold: 1000,
            lowThreshold: 1000,
            fortifyVersion: '17.20',
            failBuildAfterThresholdPassed: true,
            archiveReports: true,
            uploadScan: false,
            sourceAnalyzerArgs: '',
            onlyNewIssues: true,
            outputFormatHtml: true,
            additionalIssueFilters: 'analysis:!Not an Issue'
        ])
    }
}

Upvotes: 3

Views: 3224

Answers (3)

Tom

Reputation: 312

A System.OutOfMemoryException error may occur during Fortify scanning.

For .NET files we solved the issue by patching the file dotnet-translator.exe, which is used in the Fortify scan phase, using a small tool called 4gb_patch.exe. The tool patches x86 executables to allow them to have 4 GB of virtual memory on x64 platforms (instead of 2 GB). You can download the tool from https://ntcore.com/?page_id=371.

The dotnet-translator.exe file may be found at this location: C:\Program Files\HPE_Security\Fortify_SCA_and_Apps_xx.xx\Core\private-bin\sca\dotnet-translator.exe

Of course you need to replace xx.xx with your Fortify SCA version. ;)

Upvotes: 0

Raphael Hagi

Reputation: 88

Maybe in your scenario it is better to use CloudScan.

https://www.microfocus.com/documentation/fortify-software-security-center/1820/CloudScan_Guide_18.20.pdf

"The translation phase, which is less processor- and time-intensive, is completed on the build machine. After translation is completed, CloudScan generates a package, which it then moves to a distributed cloud of machines (sensors) for scanning. In addition to freeing up build machines, this process makes it easy to add more resources to the cloud and grow the system as needed, without having to interrupt your build process. And, Fortify Software Security Center can direct CloudScan to output FPR files directly to the server."

Upvotes: 0

wtfacoconut

Reputation: 356

Fortify SCA hogs a lot of memory for scanning medium to large sized applications.

Around line 13 in your example, remove "fortifyMemory: '-Xmx1G -Xms600M -Xss24M -mt',".

Around line 17, if possible, increase your memory up to "-Xmx16G" (or whatever is possible). Basically, keep throwing more memory at the problem till that "Not enough memory" warning/error from Fortify goes away.

Also...

Explanation of what might be going on

Fortify SCA's '-mt' option means that you want to enable parallel analysis mode, which is intended to speed up the scanning of your source code by creating multiple slave processes to assist with the scanning. With '-mt', Fortify will automatically create 1 slave process for each CPU core on your host, and because of your '-Xmx1GB', Fortify will allocate 1GB of memory for each process. So the error that you are seeing might be because one or more slaves are running out of memory.

Conclusion

For this initial scan, don't use parallel analysis mode. That's why we are removing line 13 in your example. Also, you have the duplicate memory configuration settings again on line 17. After you can successfully produce a scan, then try to dial back the amount of memory and then try playing with parallel analysis mode. When using parallel analysis mode, a formula for figuring out how much memory to allocate using '-Xmx' might be: ( - 2GB) / <# of cpu cores>

Upvotes: 2
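As an added example (not code from the question or any of the answers), a small POSIX shell check that a Jenkins agent could run in an sh step before the Fortify stage: it parses the fortifyMemory string, multiplies -Xmx by the core count when -mt is present (the per-worker heap behaviour explained above), compares the result with host RAM, and applies the (RAM - 2GB) / cores rule from the answer. The function names and the sample RAM/core figures are my own assumptions.

```shell
# Convert a JVM size such as 6G, 2400M or 48M to megabytes.
# K/M/G suffixes are accepted case-insensitively; a bare number is bytes.
jvm_size_mb() {
    num=$(printf '%s' "$1" | sed 's/[^0-9]//g')
    unit=$(printf '%s' "$1" | sed 's/[0-9]//g' | tr 'a-z' 'A-Z')
    case "$unit" in
        G)  echo $((num * 1024)) ;;
        M)  echo "$num" ;;
        K)  echo $((num / 1024)) ;;
        "") echo $((num / 1048576)) ;;
        *)  echo "unknown size unit in '$1'" >&2; return 1 ;;
    esac
}

# Total heap Fortify SCA may commit for a sourceanalyzer memory string.
# Without -mt this is just -Xmx; with -mt each worker (one per core) gets its own -Xmx heap.
fortify_heap_demand_mb() {
    args=$1; cores=$2
    xmx=""; workers=1
    for tok in $args; do
        case "$tok" in
            -Xmx*) xmx=$(jvm_size_mb "${tok#-Xmx}") || return 1 ;;
            -mt)   workers=$cores ;;
        esac
    done
    [ -n "$xmx" ] || { echo "no -Xmx in '$args'" >&2; return 1; }
    echo $((xmx * workers))
}

# Returns 0 when the heap demand fits in host RAM (MB), 1 when it would exhaust it.
# Usage: fortify_memory_fits "<memory args>" <host_ram_mb> <cores>
fortify_memory_fits() {
    demand=$(fortify_heap_demand_mb "$1" "$3") || return 1
    [ "$demand" -le "$2" ]
}

# Per-worker -Xmx (MB) for parallel mode, following the answer's rule: (host RAM - 2GB) / cores.
suggest_mt_xmx_mb() {
    host_mb=$1; cores=$2
    echo $(( (host_mb - 2048) / cores ))
}

# Constructed sample: the questioner's string on a hypothetical 16 GB, 8-core agent.
if ! fortify_memory_fits '-Xmx6G -Xms2400M -Xss48M -mt' 16384 8; then
    echo "-mt would need 8 x 6G heaps; use at most -Xmx$(suggest_mt_xmx_mb 16384 8)M per worker"
fi
```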
