I am getting this error message while running REST API Scans on WebInspect tool: "Please verify a connection, we cannot capture any sessions". Any solution?
There could be several reasons for this error. Two of the most common would be our inability to parse the API definition file or access issues connecting to the site. The access issue could either be authentication or network related.
My recommendation would be opening a ticket with Fortify support (https://www.microfocus.com/en-us/support/contact-support) as there are some follow-up questions:
What API type are you scanning?
Is this a Postman based scan? If so, can it be run my Newman?
How is the scan configured?
Do you have any problems executing WiSwag from cli?
What are you seeing in the scan logs?
Related
In the Google Cloud console: MySQL-> myInstance-> Connectivity-> Authorized networks
I need to add an IP for my PC. SAVE gives me a message:
Operation failed: Invalid request: disk size can only be set for Second Generation instances..
How can I avoid this error? I didn't change the disk dimension.
I need to do the data export necessary to upgrade MySQL.
I'm 99% sure it's not the version of MySQL that's the issue, it's the version of Cloud SQL instance. See here: https://cloud.google.com/sql/docs/mysql/deprecation-notice for more information about the deprecation of first generation instances. It's still "supported" (ish) until March 2020, but more and more of these kinds of problems are likely to crop up.
As previous folks in the comments said, you should be able to create a ticket to help with the authorized issue to get you past that, but it's just going to be a bandaid. Miguel is right, you will need to transition to a second generation Cloud SQL instance.
Edit: For completeness, Here's the link on how to upgrade your instance that Miguel posted:
https://cloud.google.com/sql/docs/mysql/upgrade-2nd-gen
The first generation is closed and "Connections" cannot be configured. The MySQL generation upgrade has solved the problem.
During querying on Exact Online, I sometimes get an intermittent error in the Invantive Query Tool:
Not authorized to access Exact Online.
Please check that you have access to the administration and have licensed a module for the data object 'Settings'.
For some errors, we automatically retry the operation, for instance when the OAuth token expires.
At this moment we can not reliably detect this error since the text varies per language and has no message code. However, when you try a few more times without changing anything, the access on the Exact Online XML topic 'Settings' proceeds successfully. Retrying without carefully knowing what is wrong is not a reliable approach since an update can be applied then multiple times.
How do I reliably detect this type of error so I can appropriate automatic corrective measures?
Goal: Export all SonarQube issues for a project to JSON/CSV.
Approach 1: Mine the sonar mysql database
Approach 2: Use the SonarQube WS API
First I was motivated to go for approach-1, but having discussion with the SonarQube core developer community I got the impression not to touch the database at any situation.
Thus I proceed with approach-2 and developed scripts to get issues. However, later I found that through WS-API, I can get upto 10000 issues which does not meet my goal.
Now I am convinced that the approach-1 i.e., mining the database is best for me. When looking at the "issues" table in sonar db, I have the following question.
Question. What is the format/encoding of the "location" field and how can I decode it from python/java?
Extracting data from database is not recommended at all. Schema and content frequently changes. Each upgrade may break your SQL request. Moreover it contains binary data (issue location) which can't be parsed as-is.
The only way to get data is through web services. If api/issues/search faces a limitation that you consider as critical, then you should explain your functional need to the SonarQube google group.
I'm thinking about some optimal methods for gracefully handling errors on a website. I'm thinking that two modes will dictate how errors are handled:
Development Mode
Shows all notices, warning, and fatal errors on the view they are generated from
Errors are displayed in raw format
Production Mode
Hide all notices and warnings, no matter what
Redirect fatal errors to a page (something like the fail whale)
Tell the user that the error has been logged
Store information about the error in the database or some other type of log (developer's choice)
E-mail the error to an array of e-mail addresses (developer's choice)
What are your thoughts on this approach? Can you think of a better way to handle errors?
Production mode - instead of emailing developers and storing the error to databases yourself. Integrate with defect/bug tracking system like Bugzilla, let it handle all the emailing, assignments, etc... No need to reinvent the wheel. Integration is simple, just use Bugzilla web services.
For production I highly recommend using a error logging service like Sentry or Rollbar. They have free plans that should cover most of personal or small business websites.
Why use these services? They offer a simple script or one line of code you add to your website or app and the service will handle error logging, storage and notifications. For example, if a users uses a broken function, the logging service will record the error, send it to their servers, analyze it, store it and send you a notification like PROJECT1 - TypeError: document.getElementsByClassName.ToString is not a function to you.
Also, they provide their implementations for several languages so you could log your PHP backend and your JS frontend at the same time.
Using a specialized service will save you a lot of time. No need to write your own API, storage for errors and configure some push or notification service. I use Sentry for several months now and I'm very happy with it. It's basically a "setup once and forget"-thing.
Hi I have a question regarding security, and web services.
I need a web service to provide an interface for the underlying mySQL database. I am trying to get a Blackberry Application to store data on the web servers mySQL database through a web service.
My question is, how can I ensure that the bb-application is the only thing that is using the web service? The web service will essential insert data into a table. I want to ensure that only the bb-application is allowed to use this service and not someone who figures out the service and starts spamming my table.
Any pointers, best practices or links are greatly appreciated.
Also what sort of web service is best in this scenario?
Take a look at basic authentication over SSL. Configuring the application to include the username/password in the header should be fairly straightforward and the SSL connection will ensure they're not being transmitted in cleartext.
Use net.rim.device.api.crypto.HMAC to implement HMAC authentication and validation. Establishing end to end SSL connections on a Blackberry can be problematic and dependent on wireless provider support unless your users are activated on a corporate BES (which I srongly recommend as part of the solution if you want robust security).
I am going to assume that the BlackBerry application is made by yourself as well. How you can then do this is by creating a sequence or hash that only your application can create, that the web service can verify. For instance, in the beginning of the process, or better, for each step the web service sends down a key sequence, which maps to an internal dictionary within your application on the method to make the unique hash.
The flow would then be as follows:
Perform data task in BB application
Ready to transmit data to web service
Create unique hash from data + your own information from the mapped dictionary
Transmit the data with the key
Web Service verifies the key. If validation fails, it discards the data completely, if succeeds, it will then do what it needs to do.
Continue.
HTH
Disclaimer: Assuming this is an open ended WS.
Also see my answer here.
I would go with a REST web service over HTTPS it would take your problems away. I dunno anything about blackberry apps so I can't give u any pointers on how to use HTTPS in that platform.
If you are creating a SOAP web service then you want to read about ws-security.
Others have indicated using SSL to secure the site. However, that is only one part of the puzzle. Kyle was close with the second, but didn't quite cut it.
The answer is that every single transaction which is posted to your web service must contain some type of authorization key. That key can be pre-shared and baked into the application OR it can be acquired through some other means and set up as part of the application install / configuration process.
Nearly all companies which provide web services online following this method. The idea is that regardless of the underlying protocol (ssl for example) you have to validate that the request is indeed coming from an authorized device / program. Some vendors have the users create a unique key for each user, some for each device, and others just 1 key for the entire organization. Regardless of how deep you take it there is in fact a key.
The key usually isn't that large. It might be anywhere from 15 to 40 alphanumeric characters.