Health check 'Security Vulnerabilities' fails with severity 'undefined': 'The health check was unable to complete within the timeout of 30000ms.'
プラットフォームについて: Server および Data Center のみ。この記事は、Server および Data Center プラットフォームのアトラシアン製品にのみ適用されます。
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Fisheye および Crucible は除く
要約
Security Vulnerabilities fails with the following error: “The health check was unable to complete within the timeout of 30000ms”
環境
- Atlassian Troubleshooting and Support Tools 1.34.0 or later versions
- フォワード プロキシ
- ファイアウォール制限
診断
The following errors can be seen in the logs:
WARN [PluginSchedulerTask-com.atlassian.troubleshooting.healthcheck.scheduler.HealthCheckSchedulerImpl:job] [SupportHealthCheckProcess] Health check 'Security Vulnerabilities' failed with severity 'undefined': 'The health check was unable to complete within the timeout of 30000ms.'
WARN [PluginSchedulerTask-com.atlassian.troubleshooting.healthcheck.scheduler.HealthCheckSchedulerImpl:job] [SupportHealthCheckProcess] Health check 'Security Vulnerabilities' failed with severity 'undefined': 'The health check was unable to complete within the timeout of 30000ms.'
WARN [PluginSchedulerTask-com.atlassian.troubleshooting.healthcheck.scheduler.HealthCheckSchedulerImpl:job] [SupportHealthCheckProcess] Health check 'Security Vulnerabilities' failed with severity 'undefined': 'The health check was unable to complete within the timeout of 30000ms.'
WARN [HealthCheck:thread-2] [SupportHealthCheckProcess] Health check 'Security Vulnerabilities' failed with severity 'undefined': 'The health check was unable to complete within the timeout of 30000ms.'
WARN [http-nio-127.0.0.1-8085-exec-10 url: /rest/troubleshooting/1.0/check/process/7fbf417a-9eea-4a8d-8701-4810f7e4f7a0/results; user: admin] [SupportHealthCheckProcess] Health check 'Security Vulnerabilities' failed with severity 'undefined': 'The health check was unable to complete within the timeout of 30000ms.'
WARN [support-zip] [SupportHealthCheckProcess] Health check 'Security Vulnerabilities' failed with severity 'undefined': 'The health check was unable to complete within the timeout of 30000ms.'
WARN [PluginSchedulerTask-com.atlassian.troubleshooting.healthcheck.scheduler.HealthCheckSchedulerImpl:job] [SupportHealthCheckProcess] Health check 'Security Vulnerabilities' failed with severity 'undefined': 'The health check was unable to complete within the timeout of 30000ms.'
WARN [PluginSchedulerTask-com.atlassian.troubleshooting.healthcheck.scheduler.HealthCheckSchedulerImpl:job] [SupportHealthCheckProcess] Health check 'Security Vulnerabilities' failed with severity 'undefined': 'The health check was unable to complete within the timeout of 30000ms.'
WARN [PluginSchedulerTask-com.atlassian.troubleshooting.healthcheck.scheduler.HealthCheckSchedulerImpl:job] [SupportHealthCheckProcess] Health check 'Security Vulnerabilities' failed with severity 'undefined': 'The health check was unable to complete within the timeout of 30000ms.'
WARN [PluginSchedulerTask-com.atlassian.troubleshooting.healthcheck.scheduler.HealthCheckSchedulerImpl:job] [SupportHealthCheckProcess] Health check 'Security Vulnerabilities' failed with severity 'undefined': 'The health check was unable to complete within the timeout of 30000ms.'Further troubleshooting
アプリケーション サーバーから次の curl コマンドを実行します。
curl --trace dump https://atst-data.atl-paas.net/healthcheck/cve/bamboo.jsoncurl -v --trace-time https://atst-data.atl-paas.net/healthcheck/cve/bamboo.json
Please share the result with Atlassian Support to double-check that the Security Vulnerabilities are correct, along with the time response from the trace below:
原因
This is caused due to the security vulnerability health check being introduced in the recent Atlassian Troubleshooting and Support Tools version since 1.34.0 and onward versions.
To make it work, your application needs to be able to access the following URL:
Since the https://atst-data.atl-paas.net is hosted by Cloudfront, the IP range list and Amazon web services and CloudFront need to be set in the proxy/firewall.
Usually, adding the *.atl-paas.net wildcard address to the Outgoing proxies whitelist would be enough, but if there is no proxy between Bamboo and the internet, the IP ACLs will need to be added manually on the Firewall or enable DNS-based ACLs if the firewall supports it.
ソリューション
- 接続が確立されない場合 (ファイアウォールやプロキシ サーバー設定で制限されている場合など)、バージョン データ、セキュリティ脆弱性、またはドキュメントの更新情報をツールで取得できません。
- We recommend reviewing the forward proxy and/or firewall restrictions to allow access to *.atl-paas.net.
- A feature has been added under recent ATST version 1.36.1, where if it cannot allow access to *.atl-paas.net due to security policies, then the admin does have an option to disable this check. In case you disable this health check, then as expected Bamboo will not be able to report security vulnerabilities as a part of system health checks.
回避策
- Create a local mirror of
https://atst-data.atl-paas.net/healthcheck/cve/<product>.jsonon the company's premises, where<product>=bamboo. - On the local mirror, host the
<product>.jsonfile in the <URL>/healthcheck/cvelocation Add the following entry to the Bamboo properties file
-Datst.data.url=https://cve.mydomain.net- Bamboo will then follow https://cve.mydomain.net/healthcheck/cve/bamboo.json instead of reaching out to the Internet. This allows more control over the results and avoids messing with Firewall rules.