
Stream out of synk #623

Open
LordBongio opened this issue Oct 18, 2024 · 10 comments
Labels
bug Something isn't working

Comments

@LordBongio

Current Behavior

When trying to upload a CycloneDX file to the tenant, sometimes it "bugs out" and gives the error "stream out of synk".

[screenshot: job log of run-fortify-sast-sca-on-merge-job (#685192) showing the failing upload step]

Expected Behavior

No response

Steps To Reproduce

No response

Environment

No response

Anything else?

No response

LordBongio added the "bug" (Something isn't working) label on Oct 18, 2024
@LordBongio
Author

There is no real reason. 90% of the time it works and sometimes it doesn't. The pipeline command is always the same.

@MikeTheSnowman
Collaborator

Hey @LordBongio. Sorry if this is a silly recommendation, but how do you feel about updating your script to simply retry uploading if your first attempt at uploading fails? Or better yet, set up your code with a retry limit.

Unfortunately, we have our hands tied with other important tasks and are not able to investigate the underlying reason as to why the upload fails.

I do have one question for you though. Is there any special reason as to why you're referencing your release using the release id? If you know the name of the application and the name of the release, you can simply do something like `--release "<AppName>:<ReleaseName>"`. Would it be correct to assume that this is already contained in `$FORTIFY_RELEASE`?

@LordBongio
Author

Hi,
Yes, we tried several times relaunching the failed step and it doesn't work.
I honestly don't remember why we are using the release id instead of the other convention, but that same release id is later on used by SAST and SCA and it works, so it is not the issue.
We will wait to find out why.
Thanks

@rsenden
Contributor

rsenden commented Oct 23, 2024

Hi @LordBongio, we've seen similar issues with OSS imports before. As a temporary work-around, can you please try uploading the file in one chunk, i.e., by setting the `--chunk-size` option to a value that's larger than the file that you're trying to import? I'm not sure whether there's any maximum chunk size, so this may not work if the file is too large. I'll raise this issue with the FoD product manager; you can also consider opening an FoD support case, as this seems to be an issue on the FoD side.

@LordBongio
Author

Hi, I see no `--chunk-size` option in `fod oss import`.

@rsenden
Contributor

rsenden commented Oct 24, 2024

Hi @LordBongio, which fcli version are you using? I think the `--chunk-size` option was added in fcli 2.5.0; the latest version at the moment is 2.7.1.

@LordBongio
Author

> Hi @LordBongio, which fcli version are you using? I think the `--chunk-size` option was added in fcli 2.5.0; the latest version at the moment is 2.7.1.

I'm now using the new version with the chunk file and it seems to work.
The only problem is that a lot of times I see that it accepts the import with status "IMPORT REQUESTED" but I never see the actual results in the platform; it gets uploaded into oblivion.
Have you ever had this issue?

@rsenden
Contributor

rsenden commented Oct 24, 2024

Hi @LordBongio, I haven't seen this issue before. It may be worth waiting for the FoD 24.4 release to see whether this issue is still present; if so, please consider opening an FoD support ticket stating that SBOMs uploaded through the `/api/v3/releases/{id}/open-source-scans/import-cyclonedx-sbom` endpoint often are not shown in the FoD UI despite this endpoint returning a successful response. In the meantime, I'll again raise this issue with the FoD team to see whether they can provide any further input on these issues.

@rsenden
Contributor

rsenden commented Oct 24, 2024

Hi @LordBongio, just a quick side note: your first screenshot above shows a relatively complex command to set an `FOD_RELEASE` variable by piping the output of the `fcli fod rel get` command to grep, cut & tr. Looks like you're trying to retrieve the release id here, which could likely be simplified with a command like `fcli fod rel get ${FORTIFY_RELEASE} -o expr={releaseId}`

@kadraman
Collaborator

This is repeatable. If the SBOM is larger than the default chunk size (1048576 bytes) it fails. This is why I added `--chunk-size` as a workaround: you can try setting this to the size of the file while this is fixed. This should have been fixed in 24.4 but doesn't appear to have been.
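Pulling the thread's advice together (MikeTheSnowman's bounded retry, rsenden's single-chunk work-around and `-o expr={releaseId}` lookup, kadraman's 1048576-byte default), here is an added pipeline helper script. It is not part of fcli or of the reporter's pipeline. It assumes fcli 2.5.0 or later on PATH, that `FORTIFY_RELEASE` holds either `<AppName>:<ReleaseName>` or a numeric release id, and that the subcommand is spelled `fcli fod oss-scan import` with `--release`, `--file` and `--chunk-size` options (check `--help` on your version; the subcommand name is an assumption here). The chunk size is derived from the file's actual byte count so the upload goes in one chunk whenever the SBOM exceeds the default.

```shell
#!/usr/bin/env bash
# Added example for this issue; not fcli project code and not the reporter's pipeline.
# Assumptions: fcli >= 2.5.0 on PATH, FORTIFY_RELEASE set, SBOM_FILE is a CycloneDX file,
# and the "fcli fod oss-scan import" subcommand/option names (verify with --help).

FOD_DEFAULT_CHUNK_SIZE=1048576   # default chunk size, as stated in the thread

# Size of a file in bytes (wc -c works on GNU and BSD userlands alike).
file_size_bytes() {
  wc -c < "$1" | tr -d ' '
}

# Chunk size that uploads the whole file in a single chunk: the file size, but
# never below the FoD default so small files keep the normal behaviour.
single_chunk_size() {
  size=$(file_size_bytes "$1")
  if [ "$size" -gt "$FOD_DEFAULT_CHUNK_SIZE" ]; then
    echo "$size"
  else
    echo "$FOD_DEFAULT_CHUNK_SIZE"
  fi
}

# Run a command up to $1 times with $2 seconds between attempts. Returns the
# exit status of the last attempt, so the job still fails when every try fails.
retry() {
  max_attempts=$1
  delay=$2
  shift 2
  attempt=1
  while :; do
    "$@" && return 0
    rc=$?
    echo "attempt $attempt/$max_attempts failed (exit $rc)" >&2
    if [ "$attempt" -ge "$max_attempts" ]; then
      return "$rc"
    fi
    attempt=$((attempt + 1))
    sleep "$delay"
  done
}

# Print the import command one word per line, so it can be inspected (or
# checked in a test) without fcli being installed.
import_cmd() {
  chunk=$(single_chunk_size "$2")
  printf '%s\n' fcli fod oss-scan import \
    --release "$1" --file "$2" --chunk-size "$chunk"
}

# Optional: resolve "<AppName>:<ReleaseName>" to its numeric id the way
# rsenden suggested, instead of grep/cut/tr over table output.
resolve_release_id() {
  fcli fod rel get "$1" -o 'expr={releaseId}'
}

# Pipeline entry point: one-chunk upload with a bounded number of retries.
upload_sbom() {
  chunk=$(single_chunk_size "$2")
  retry 3 10 fcli fod oss-scan import \
    --release "$1" --file "$2" --chunk-size "$chunk"
}

# Only run when invoked with explicit arguments: ./upload_sbom.sh "<release>" sbom.json
if [ "$#" -eq 2 ]; then
  upload_sbom "$1" "$2"
fi
```

Note that a successful exit here only means the API accepted the import request (the "IMPORT REQUESTED" status discussed above); whether the results appear in the FoD UI is a separate, server-side question that this script cannot observe.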
