Summary Concurrent License Server Error EXITING DUE TO SIGNAL 32 Exit reason 9: Another server was running This error is known to occur if another license server or vendor daemon is running. Symptoms EXITING DUE TO SIGNAL 32 Exit reason 9: Another server was running Cause This error is known to occur if another license server or vendor daemon is running. Resolution Using Task Manager, stop any running process for lmadmin, lmgrd and mvsn Restart the license server ... View more

Summary Best Practices to Avoid Windows Setup Launcher Executable Issues for InstallShield. Synopsis Several issues can, under very specific conditions, cause Windows to load a different library or launch a different executable than was intended by the author of a setup launcher executable. Referencing a library by less than its full path. Example: requesting to load the library, schannel.dll instead of, C:\Windows\System32\schannel.dll This can cause a DLL Preloading issue. If there is a library with the name earlier in the search path than the intended library, the unintended library will be loaded. Referencing an executable by less than its full path. Example: requesting to launch the executable, wmplayer.exe instead of, ?C:\Program Files\Windows Media Player\wmplayer.exe? This can cause a Binary Planting issue. If there is an executable with the name wmplayer.exe earlier in the search path than the intended executable, the unintended executable will be launched. Referencing an executable by its full path, but not quoting that full path when it contains space characters. Example: requesting to launch the executable, C:\Program Files\Windows Media Player\wmplayer.exe instead of, ?C:\Program Files\Windows Media Player\wmplayer.exe? This can cause an Unquoted Path issue. If there is an executable with one of the following names (in quotes), that unintended executable will be launched instead of the intended executable. The other parts of the path will be mistaken as parameters: ?C:\Program.exe? Files\Windows Media Player\wmplayer.exe ?C:\Program Files\Windows.exe? Media Player\wmplayer.exe ?C:\Program Files\Windows Media.exe? Player\wmplayer.exe This is usually called an Unquoted Service Path issue because even though a programmer can forget to put quotes around the path when launching any executable in any context, this happens most often when a setup author configures a service to be started by Windows and forgets to quote the service?s path. Naming an executable setup.exe Discussion For a computer to be affected by these issues, an unauthorized person must (a) be able to place a library or executable on the computer, (b) choose the correct name of the library or executable, and (c) in some cases precisely time the placement. If the unauthorized person?s access allows them to launch an executable with the privileges necessary for that executable to have its intended effect, they would simply launch that executable directly instead of using these methods to launch their library or executable indirectly. InstallShield Hotfix IOJ-1745445 This issue has been published as CVE-2016-2542. Setup authors can avoid the DLL Preloading issue by (a) not creating setup launcher executables, or (b) by creating setup launcher executables built with InstallShield Hotfix IOJ-1745445 and not using the name setup.exe for those executables. Setup launcher executables built using this hotfix call new Windows APIs which restrict the search path used to find libraries, even dependent libraries. Setup authors can avoid the Binary Planting issue (a) by not creating setup launcher executables, or (b) by referencing the full path of each executable launched by a setup launcher executable. Setup authors can avoid the Unquoted Service Path issue by quoting the full path of each executable which is registered as a service by a setup launcher executable. Custom actions implemented as an executable run as their own process, so they cannot inherit the benefit of InstallShield Hotfix IOJ-1745445 calling the new Windows APIs. Those custom action executables need to follow the Windows best practice recommendations discussed on the web pages reference below. NOTE 1: On February, 17, 2017, the Hotfixes for InstallShield 2013 SP1, InstallShield 2014 SP1, and InstallShield 2015 SP1 were updated to resolve an issue which could cause a crash on particular machines, tracked as Issue #IOJ-1771076 and Issue #IOJ-1777822. NOTE 2: On February, 23, 2018, the Hotfixes for InstallShield 2015 SP2 and InstallShield 2016 SP2 were updated to resolve an issue which caused an improper load of ntmarta.dll to occur if it is located in the same folder as a InstallScript single .exe installer, causing a Unicode crash during setup initialization on specific Windows 7 machines, tracked as Issue #IOJ-1829226. InstallShield 2016 SP2 Hotfix IOJ-1829226 may be downloaded here. InstallShield 2015 SP2 Hotfix IOJ-1829226 may be downloaded here. InstallShield 2014 SP1 Hotfix IOJ-1745445 may be downloaded here. InstallShield 2013 SP1 Hotfix IOJ-1745445 may be downloaded here. InstallShield 2012 Spring SP1 Hotfix IOJ-1745445 may be downloaded here. In order to determine if the InstallShield Hotfix has been installed, verify the version of the following files: InstallShield 2012 Spring SP1: The following files will be updated to version 19.0.0.200, except for SuiteAppxHelper.exe which will be updated to version 20.0.0.530: <ISInstallLocation>\Redist\0409\i386 dotnetfx.exe <ISInstallLocation>\Redist\Compressed Files\Language Independent\Intel 32 IISRT.dll SQLRT.dll <ISInstallLocation>\Redist\Language Independent\i386 ISChain.exe isexternalui.dll ISRT.dll ISSetup.dll setup.exe Setup_UI.dll setupPreReq.exe SetupSuite.exe SuiteAppxHelper.exe <ISInstallLocation>\Redist\Language Independent\x64 SetupSuite64.exe <ISInstallLocation>\Redist\Language Independent\i386\ISP ISSetup.dll setup.exe InstallShield 2013 SP1, InstallShield 2014 SP1, and InstallShield 2015 SP1: The following files will be updated to the version in the table below: InstallShield 2013 SP1 20.0.0.531 InstallShield 2014 SP1 21.0.0.351 InstallShield 2015 SP1 22.0.0.365 <ISInstallLocation>\Redist\0409\i386 dotnetfx.exe <ISInstallLocation>\Redist\Compressed Files\Language Independent\Intel 32 IISRT.dll SQLRT.dll <ISInstallLocation>\Redist\Language Independent\i386 ISChain.exe isexternalui.dll ISRT.dll ISSetup.dll setup.exe Setup_UI.dll setupPreReq.exe SetupSuite.exe SuiteAppxHelper.exe <ISInstallLocation>\Redist\Language Independent\x64 ISChain.exe SetupSuite64.exe <ISInstallLocation>\Redist\Language Independent\i386\ISP ISSetup.dll setup.exe InstallShield 2016 Spring SP2: The following files will be updated to version 23.0.0.517 <ISInstallLocation>\Redist\Language Independent\i386 Setup.exe SetupPreReq.exe SetupSuite.exe Additional Information DLL Preloading from Microsoft DLL Preloading from Secunia Research Binary Planting Unquoted Service Path ... View more

Summary This articles provides a resolution for the warning: Establishing SSL connection without server's identity verification is not recommended. Symptoms WARN: Establishing SSL connection without server's identity verification is not recommended Cause MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requires SSL connections to be established by default if the option is not explicitly set. Resolution ?For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false or set useSSL=true and provide truststore for server certificate verification. To resolve this warning, follow these instructions: Modify the following core database configuration file: $palamida/config/core/core.db.properties Edit the db.url= line to append "&useSSL=false" as shown below without any spaces. db.url=jdbc:mysql://localhost:3306/palamida_6_10?autoReconnect=true&useSSL=false Restart the server and error should go away. If the installation of the database server is over SSL, then this setting needs to be changed to true. ... View more

Summary This article lists the required, default, and other ports used by FlexNet Code Insight. Question Which ports are used by FlexNet Code Insight? Answer Required Application Ports for Palamida 6.6.2 and prior Port From To Description 1099 Detector, Core Scanner Scanner RMI registry 2099 Detector, Scanner Core Core RMI registry 4099 Detector, Core Scanner Scanner RMI service 5099 Detector, Scanner Core Core RMI service 8005 localhost Core, Scanner Tomcat connector 8009 localhost Core, Scanner Tomcat shutdown command 8888 Browser Core, Scanner Tomcat webapp 61616 Detector Scanner ActiveMQ JMS Server Required Application Ports for Palamida 6.8.0 and later Port From To Description 8005 localhost Core, Scanner Tomcat connector 8009 localhost Core, Scanner Tomcat shutdown command 8888 Browser, Core, Scanner Core, Scanner Tomcat webapp Default Database Ports One of the following (default) ports is required for database access: Port From To Description 1521 Core, Scanner DB server Default Oracle DB port 3306 Core, Scanner DB server Default MySQL DB port 1433 Core, Scanner DB server Default MSSQL DB port Other Ports Other ports may be required by your configuration: Port From To Description 22 Core Palamida update server Automatic electronic updates 25 Core Mail server SMTP (unauthenticated) 389 Core LDAP server LDAP 443 Core or Client Amazon Servers Analyzer, Dual-Pane Source Matches 465 Core Mail server SMTP (authenticated) 3268 Core LDAP server AD global catalog Additional Information Note: Port 8888 referenced here is the Palamida default non-SSL-enabled port, and is configurable. The default SSL-enabled port is 8443, and is also configurable. For brevity, this "main" port is referenced as 8888 throughout this document. ... View more

Summary This article provides instructions for enabling SSL. Synopsis This article provides instructions for... Generating a key and keystore with the keytool command Configuring FlexNet Code Insight to use SSL with the keystore Purchasing a certificate from a Certificate Authority Using a self-signed certificate Discussion Generate a key and keystore with the keytool command Generate a new keystore with a private key. The keystore and key passwords must be the same. cd <palamida>/tomcat keytool -genkey -alias palamida -keyalg RSA -keystore palamida.jks -keysize 2048 After entering the password, you need to have the value of the hostname for the value of first and last name: What is your first and last name? Unknown: <fully-qualified-network-accessible-hostname-of-core-server> eg. palamidacore.corp.com Be sure to make a backup of the keystore. cp -i palamida.jks palamida.jks.originalKey Configure Palamida to use SSL with the keystore Copy the example SSL Tomcat configuration to tomcat/conf cp -i conf/server.xml conf/server.xml.backup cp https/server.xml conf/server.xml Edit conf/server.xml with the keystore settings: keystoreFile="palamida.jks" keyAlias="palamida" keypass="<your keystore/key password>" NOTE: If using Palamida 6.6.x, use keystorePass instead of keypass. Also, see this article to avoid Diffie-Hellman errors. keystorePass="<your keystore/key password>" Edit bin/catalina.sh to turn on SSL in the Palamida application in the $JAVA_OPTS: -Dpalamida.ssl=true Edit $palamida/config/core/core.properties to use https URLs. If this is the core server: core.server.url = https://palamidacore.corp.com:8888/palamida/ If this is a scan server: scan.server.<ALIAS>.web = https://palamidascan.corp.com:8888/palamidaScanEngine To purchase a certificate from a Certificate Authority NOTE: Before you import your purchased certificate into the keystore, you may need to import the certificate vendor's chain of trust. Consult your vendor's instructions (for example, Entrust certificates). Generate a signing request from the keystore that you created above. keytool -certreq -file palamida.csr -alias palamida -keystore palamida.jks Send the palamida.csr file to your certificate authority. Place the certificate file returned by the authority palamida.crt in $palamida/tomcat and import it into the keystore. keytool -import -file palamida.crt -trustcacerts -alias palamida -keystore palamida.jks To use a self-signed certificate NOTE: This applies only if you did not purchase a certificate as above. Export the public certificate from the keystore that you created above: keytool -export -file palamida.crt -alias palamida -keystore palamida.jks Alternatively, users can use openssl to obtain the certificate if the server is running. For example: openssl s_client -connect palamida.corp.com:8888 -showcerts < /dev/null > palamida.crt Send the palamida.crt file to all users who will access the system. They will need to import that certificate in order to access Palamida. Import the certificate to the browser or system key database to avoid browser warning. For Windows users: Open your web browser's advanced security settings and import the certificate into the browser's keystore as a trusted certificate. For Mac users: (a). Open Applications > Utilties > Keychain Access and import the palamida.crt file into the login certificate keychain: (b). When prompted, click Always Trust. (c). Open the imported certificate and specify Always Trust for SSL: For client machines that will access the Detector application, they must import the certificate to the cacerts file in their Java JRE installation. For Windows users: (a). Locate the JRE installation, for example C:\Program Files\Java\jre7 and place the palamida.crt file in the lib\security sub-directory. (b). Run cmd as Administrator and import the certificate: cd "C:\Program Files\Java\jre7" cd lib\security copy cacerts cacerts.original ..\..\bin\keytool -import -file palamida.crt -keystore cacerts -storepass changeit Type yes when prompted to trust the certificate. For Mac/Linux users: (a). Locate the JRE installation, for example /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home and place the palamida.crt file in the lib/security sub-directory. (b). Open a terminal and import the certificate: cd "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home" cd lib/security sudo cp -i cacerts cacerts.original sudo ../../bin/keytool -import -file palamida.crt -keystore cacerts -storepass changeit Type yes when prompted to trust the certificate. For users of Palamida 6.8 and later: It is also necessary to import the certificate to the cacerts file in the Java JDK installation on the Core and Scan servers (in standalone installations, of course, there will be only one JDK). This can be done with the following commands: cd $JAVA_HOME/jre/lib/security sudo cp -i cacerts.original sudo ../../bin/keytool -import -alias palamida -file palamida.crt -keystore cacerts -storepass changeit Additional Information see $palamida/tomcat/https/readme.txt in the application folder. see the Apache Tomcat documentation for generating a Java keystore. you can set a JRE runtime parameter on client machines to use a specific cacerts file: -Djavax.net.ssl.trustStore=/path/to/cacerts to debug certification path issues you can set the runtime paratmers: -Djava.security.debug=certpath -Djavax.net.debug=trustmanager ... View more

Summary The Palamida Compliance Library provides information about the binary content of files, which is used during scanning for Exact Matches and Source Code Fingerprinting. These instructions are for upgrading the Compliance Library only. Synopsis The FlexNet Code Insight Compliance Library provides information about the binary content of files, which is used during scanning for Exact Matches and Source Code Fingerprinting. For more information see What is the difference between the Compliance Library and the Electronic Update? Discussion Copy the contents of the drive to the scan server. If you are running separate core and scan servers, the CL does not need to be copied to the core server. If you are running multiple scan servers, repeat these steps for each scan server. For example: cd /mount/CL_230_RC1_EXT mkdir -p /opt/palamida/CL cp -rv PDL/CL/2.30 /opt/palamida/CL Verify the integrity of the local copy of the signatures. On Linux run the Validate CL Signatures Script script, for example: bash tools/validateSigMD5s.sh /opt/palamida/CL/2.30 You should see the message: INFO: The signature is intact On Windows Use the file included on the CL drive named CL2.xx_RC1.md5. You can use this third-party tool (http://code.kliu.org/hashcheck/) and double-click on the .md5 file, which will launch a verification window like so: All the MD5s should match. Update the config/scanEngine/scan.properties file on the scan server to point to the new location: Note: On Windows systems, use / for paths, or escape the backslashes \\ # Palamida Data Library Location signaturesDirPath = /opt/palamida/CL/2.30 Restart Tomcat on the scan server: cd $PALAMIDA_HOME/tomcat/bin ./shutdown.sh Ensure the Tomcat Java process is stopped before starting: ./startup.sh && tail -f ../logs/catalina.out Check for any errors in the logs before continuing. Log into the WebUI and go to Help > About to verify the CL version. Additional Information To install the Compliance Library on FlexNet Code Insight 2017 R1 and above: 1. Connect your drive to a location that is accessible to your FlexNet Code Insight installation. 2. Log in to the FlexNet Code Insight UI 3. Navigate to 'Administration => Scan Server' 4. If a scan server has alread been configured, select it from the dropdown menu and click 'Edit'. Otherwise click 'New' 5. This will display the Scan Server Properties panel as shown below: 6. Configure the scan server as desired 7. For the 'CL Path' entry, enter the network accessible location of the drive including all sub-directories until the directory containing the 'bdb' and 'updates' directories is selected - For CL 2.40 this path would be <Drive Letter>/CL/2.40/ 8. With the scan server configured click 'Save' Your new Compliance Library drive will now be set up for use while scanning on the appropriate scan server. ... View more

Summary The entirety of FlexNet Code Insight?s LDAP configuration is done through the $palamida/config/core/core.ldap.properties file. The article discusses some of the primary properties in this file. The 'Additional Information' section of this article describes how to configure LDAP on FlexNet Code Insight 2018 R1 and above. Question How do I configure LDAP in FlexNet Code Insight? Answer The entirety of Palamida?s LDAP configuration is done through the $palamida/config/core/core.ldap.properties file. The file is self-documenting with comments explaining each property. Below are the main properties which need to be set: ldap.enabled This property enables LDAP-based authentication to the Palamida application. ldap.user.sync.enabled This property enables syncing of Palamida users from the LDAP server (i.e., pulling in users from LDAP into the Palamida application). ldap.url The hostname of the LDAP server, followed by a port number (389 for LDAP, 636 for LDAPS). Example: ldap://myadserver.corp.com:389 ldap.username ldap.password These need to be set to the appropriate credentials to log in and query the LDAP server. ldap.base ldap.searchbase This is somewhat of a tricky combination that seems to depend on the organization?s LDAP tree set-up. The important thing to remember is to NOT append ldap.base to ldap.searchbase. Basically, ldap.base is the base node of all the necessary information to be searched in your LDAP server, while the ldap.searchBase is the base node for the users specifically. Palamida ships the example file with ?ldap.base = dc=adtest,dc=palamida,dc=com? and ?ldap.searchBase = CN=Users?. Based on the properties we ship our file with, our LDAP tree thus looks like this: Make sure that the attributes of your ldap.base node do not also appear in the attributes of your ldap.searchBase node, because the LDAP connector will try to append ldap.base to ldap.searchBase automatically, so that although ?ldap.searchBase = CN=Users? appears in the properties file, Palamida understands the full attributes of the ldap.searchBase node are actually combined with ldap.base as ?CN=Users,DC=adtest,DC=palamida,DC=com? ldap.searchFilter This is where the query/search filter go. Your organization should have this prepared, so if you don?t have it, contact your LDAP administrator. Otherwise, you'll need to create an appropriate one using an LDAP client. It is helpful to have a tool to query your LDAP server to test search filters and connection settings without Palamida, such as JXplorer (http://jxplorer.org/). There are other clients available as well, both graphical and command-line. ldap.jobFrequency This property is used to set the LDAP import frequency/timing. The default value in the properties file is: ldap.jobFrequency=0 0 6 * * ? This means that every morning at 6 AM the system syncs up with the LDAP server. Another LDAP frequency example syntax is as follows: ldap.jobFrequency=0 0/1 * * * ? This means that Palamida syncs once a minute with the LDAP server. Refer to this site for further information about the Quartz/cron expression format. Additional Information To enable LDAP on FlexNet Code Insight 2018 R1 or above: - Open the FlexNet Code Insight UI and navigate to 'Administration => LDAP' - Use the 'Enable LDAP' buttons to enable the configuration settings for LDAP. This is similar to the ldap.enabled option for the 6.X products as shown above. - For the LDAP URL add the hostname of the LDAP server, followed by a port number (389 for LDAP, 636 for LDAPS). Example: ldap://myadserver.corp.com:389 - Determine whether anonymous authentication is enabled on your LDAP server and set the 'Authentication Type' radio buttons to match - If necessary add the LDAP username and password for the LDAP server - As with the instructions for 6.X above, the LDAP Base, LDAP Search Base and LDAP Serach Query fields will vary based on your LDAP tree. Please ensure that these details are correct before attempting to sync users from your LDAP server. Please contact our Technical Support team if you require assistance with this step - If your LDAP server is configured to use paging, set the LDAP Page Size settings appropriately. Otherwise set the 'Use Paging' option buttons to 'No' - The LDAP User Sync Frequency allows you to automate the user sync on an 'Hourly', 'Daily' or 'Weekly' schedule as required - The LDAP User Property Mappings section allows users to define which elements should be matched in order for a user to be imported. An example of a completed LDAP properties page is as follows: ... View more

Summary This article discusses how to resolve the exception: Connection Refused. Symptoms Upon trying to launch FlexNet Code Insight Detector, you receive the following exception in the Java console: Resolution Set -Djava.rmi.server.hostname in JAVA_OPTS in catalina.sh/catalina.bat. Ensure client machine can ping the server by the hostname in core.properties and scanEngine.properties. Make sure ports are open with telnet or nc on 1099, 2099, 4099, 5099, 61616. Drop firewall on current machine. Try "direct connection" in the java control panel settings: ... View more

Summary These Groovy scripts export and import group definitions and associated file information (e.g, tags applied to files), along with all attendant custom data. Synopsis These FlexNet Code Insight Groovy scripts export and import group definitions and associated file information (e.g, tags applied to files), along with all attendant custom data. NOTE: There have been changes to the URL syntax of the core server for Palamida versions later than 6.6.x.. In these versions, scriptrunner is run through Palamida's REST interface. In that case scriptRunner and the import/export scripts expect full HTTP URLs with a port and webapp, rather than a simple hostname. For instance, this means that localhost would be specified as http://localhost:8888/palamida/ including the port number and final forward-slash. The syntax for specifying the scan server includes the port number like this: some.server.name:8888 . Discussion Installation ZIP installation If you received a zip file, then unzip it in /scriptrunner directory This should place the files in the locations indicated in the "Manual Installation" section (immediately below) Manual Installation Place the driving scripts (exportWorkspaceData.groovy and importWorkspaceData.groovy) within the scriptRunner/scripts directory These two files will be executed from the ScriptRunner framework These are Groovy scripts (not classes) and cannot function alone; they require the Groovy classes in the groovy_classes directory Place the groovy_classes directory within the scriptRunner/lib directory The files in the groovy_classes directory are Groovy classes (not scripts) which are called from the two driving scripts above These files should never be called directly from ScriptRunner as they cannot function alone Usage Overview These scripts have been designed for two distinct scenarios: In-place backup and restoration of workspace audit information. Migrating workspace audit information from one Palamida instance to another. This includes transitioning to newer versions of the Palamida application Usage with ScriptRunner These scripts will only function properly when executed through the ScriptRunner framework. The flags used with ScriptRunner script itself are not passed through to the import or export scripts. For instance, on a stand-alone environment (both the core server and scan server running on the same machine) with IP address 111.122.133.144, if you invoke ScriptRunner in this manner. scriptRunner.sh -u username_foo -p password_foo -c 111.122.133.144 You must still pass into the export script the server name from which you would like to export a workspace. exportWorkspaceData.groovy -server 111.122.133.144 Otherwise the export script will use its hard-coded server name default value (i.e., localhost). In the above case, the entire command would be: scriptRunner.sh -u username_foo -p password_foo -c 111.122.133.144 exportWorkspaceData.groovy -server 111.122.133.144 Export Script The exportWorkspaceData.groovy script uses the Palamida ScriptRunner framework to export one or more Workspaces from one or more Palamida servers. Export Options For the most current list of these options, refer to the output from the script's -h flag. File and Path Options -output <file> Name of the file to export the workspace(s) to, without extension (Default: workspaceData) If a single workspace is being exported, then the result will be a XML file (with this name) containing that one workspace. If multiple workspaces are being exported, then the result will be a ZIP file (with this name) containing all of the exported workspace XML files, the custom data XML file (if necessary), and a log file indicating the significant events the export. -output_path <directory> Directory into which the export file(s) will be written (Defaults to the directory from which the script is executed) -custom_data_file <file> Exported custom data (if any) will be written to this file (no suffix. Default: customData) Server Options -server <hostnameOrIP> Export from the Palamida Core Server with this name (default: localhost) -scan_server <hostnameOrIP> Export from the Palamida Scan Engine with this name (default: value of -server flag). -server_all <hostnameOrIP> Export all workspaces from the Palamida Scan Engine with this name. This option overrides -scan_server , -team , -project , and -workspace options. -server_all_from_config <hostnameOrIP> Read Palamida Scan Engine machines from config on the indicated server. Export All workspaces from all Palamida Scan Engine machines. This option overrides -server_all , -server , -scan_server , -team , -project , and -workspace options. What to Export -team <teamName> Export all workspaces in all projects belonging to this team. This option overrides -workspace . If -team and -project are used together, this will export all workspaces for that project and should be used when different projects have the same name, but were created by different teams. -project <projectName> Export all workspaces in this project. This option overrides -workspace . If -team and -project are used together, this will export all workspaces for that project and should be used when different projects have the same name, but were created by different teams. This option will also cause the -pa (process active only) flag to be ignored. -workspace <workspaceName> Export only the workspace with this name. This option will cause the -pa (process active only) flag to be ignored. -exclude_file_extensions <extensions> When exporting files, skip all files that have the suffixes listed here. Comma-separated list, no spaces. Boolean Options -pa If present, then process only active ('In Progress') projects -pe If present, then do not process empty groups -pm If present, then export metadata for the groups being exported -ps If present, then do not process system groups -export_all_custom_data If present, export all custom data, not just custom data referenced by exported groups. If this is not set, then only export custom data which is referenced by the workspace(s) being exported. -export_tags If present, also export the tags for the group files in the exported workspace(s) Other Options -retries <number> Number of times to re-try export of a failed workspace (integer). Most often, an export failure is due to the workspace being scanned -wait <seconds> Number of seconds to wait before re-trying export of a failed workspace (integer). Combining Export Flags Option -server_all_from_config will cause the script to ignore the flags: -server_all, -server, -scan_server, -team, -project, and -workspace Option -server_all will cause the script to ignore the flags: -scan_server, -team, -project, and -workspace Option -team will cause the script to ignore the -workspace flag Option -project will cause the script to ignore the -workspace flag Options -team and -project together will export all workspaces for that project and should be used when different projects have the same name, but were created by different teams Options -workspace or -project will cause the -pa (process active only) flag to be ignored If Option -export_all_custom_data is not set, then only export custom data which is referenced by the workspace(s) being exported Export Usage In a stand-alone environment, the core server is the scan server, so there is no need to use the -scan_server flag. In a clustered environment, export can be run from any machine which can execute Palamida's ScriptRunner (Core Server, Scan Server, Detector, Client). Using one or more of the Server Options flags (above) to indicate the server(s) from which workspace(s) should be exported. Workspaces can be designated for export using a variety of flags (e.g., -workspace to export one workspace, -server_all to export all workspaces on that server) however, if the export script does not understand which workspace(s) to export, it will prompt the user to choose one workspace from the indicated scan server. Export Output The export script prints status messages to the screen as is runs, starting with a list of the flags (and their values) it will use for this execution. All output (XML files, ZIP file, log file, etc) will be written to either the location specified by the -output_path flag (if present) or to the directory from which the script was executed (if the -output_path flag was not specified). If one workspace is exported, then the output is: one XML file containing the workspace's information, one log file (export.log), and (if there is custom data for that workspace) one XML file containing that custom data. If multiple workspaces are exported, then the output is one ZIP file containing: one XML file for each exported workspace, one log file (export.log), and (if there is custom data for any exported workspace) one XML file containing all custom data for the exported workspaces. In general, only data not generated by a scan are exported. Since an exported XML file must be imported into a workspace of scanned files, exporting scan-generated information would be redundant. For instance, only files which are in groups are exported to the XML file. The other files are skipped because importing them would not add any information which had not already been acquired from the scan itself. Export Usage Examples As delineated above, the new export script has a bewildering array of options. Some of the more common usages are presented here. Export the Workspace named foo from stand-alone server some_server_name to the file named C:\Users\bert\Desktop\ernie\exportedWorkspace.xml: exportWorkspaceData.groovy -server some_server_name -workspace foo -output exportedWorkspace -output_path C:\Users\bert\Desktop\ernie Export the Workspace named foo from core server some_core_server_name and scan server some_scan_server_name to the file named C:\Users\bert\Desktop\ernie\exportedWorkspace.xml: exportWorkspaceData.groovy -server some_server_name -scan_server some_scan_server_name -workspace foo -output exportedWorkspace -output_path C:\Users\bert\Desktop\ernie Export all workspaces from the scan server some_scan_server_name to a set of XML files which will be compressed into a file named C:\Users\bert\Desktop\ernie\workspaceDataFromLocalhost.zip. Note how the core server, localhost, still has to be defined: exportWorkspaceData.groovy -server localhost -server_all some_scan_server_name -output workspaceDataFromLocalhost -output_path C:\Users\bert\Desktop\ernie Export all of the custom data on the stand-alone server localhost to an XML file named foo.xml, but do not export any workspaces: exportWorkspaceData.groovy -custom_data_file foo -export_all_custom_data Import Script Import can be run from any machine which can execute Palamida's ScriptRunner (Core Server, Scan Server, Detector, Client). Use the --server flag to set the value of the Palamida Core Server. On a clustered environment, also set --scan_server to the Palamida Scan Server containing the workspace you just scanned. Custom data (user-created licenses, components, and/or component versions) can be imported along with a workspace which uses that custom data, or the custom data can be imported by itself. The general steps are: Create a new workspace on the Palamida Core Server onto which you want to perform the import. This will be the 'target workspace' which will accept the audit data. This workspace must have all the files which were present in the exported workspace. In a clustered environment, both the core server and the target scan server must be designated ( --server and --scan_server flags). Execute a Scan of the workspace files. An import only copies over data which is not created by a scan. Open up the XML file containing the workspace data to be imported. If the file paths in the XML file do not matched the file paths in the workspace you just scanned, then the file information from the XML file will not be imported. So, either: Note which values you will need for the --adv_file_comparison and --adv_file_comparison_depth import flags, OR Edit the export XML file to change the file paths to exactly match the file locations in the 'target workspace' Run the import script. See the descriptions of available flags and the examples below, importantly: Required options for importing a workspace: --input (-f) to indicate the XML file which contains the workspace information to be imported -workspace (-w) to import data into the workspace with this name If the XML file containing the workspace information references custom data (i.e., user-created licenses, components, and/or component versions), then also indicate which XML file contains that custom data ( --custom_data_file (-x) flag). Open up Detector for the 'target workspace' and verify that the audit information was imported correctly. Import Options For the most current list of these options, see the output from the script's -h flag. Import Options Which Accept Parameters --input <file> (-f) File containing the workspace(s) to be imported --custom_data_file <file> (-x) Import custom data from this file --server <hostnameOrIP> (-c) Import the workspace onto this core server (default: localhost) --scan_server <hostnameOrIP> (-s) Import the workspace onto this scan server (default: value of -server flag) --workspace <workspaceName> (-w) Import data into the workspace with this name --reformat_xml_file <file> (-z) Reformat this XML file and do nothing else. If this option is set, then that XML file will be reformatted and the script will exit without importing anything. --adv_file_comparison <option> (-a) Whether to match files using only a portion of each file's path (default: never). Accepts the values: never, if_no_absolute_match, always. If this flag is not set, then a file element (from the imported XML file) must match the full file path and name in the workspace. --adv_file_comparison_depth (-d) This option is ignored if option --adv_file_comparison is not set. How much of a file's path/name/MD5 to compare (default: md5_file_name). Accepts the values: Require an MD5 Match: md5_only: To find matches between file elements (from the imported XML file) and files in the workspace, only compare the MD5 hashes. md5_file_name: For each file element and each file in the workspace, compare the MD5 hash and the file's name. md5_file_name_dir_depth_1: Compare the MD5 hash, the file's name, and each file's parent directory. For example: /a/b/c/foo.gif will match /d/e/c/foo.gif, but not /d/e/f/foo.gif (assuming the MD5 hashes also match). md5_file_name_dir_depth_2: Compare the he MD5 hash, the file's name, each file's parent directory, and each file's parent directory's parent directory. md5_file_name_dirdepth#: And so on, to an arbitrary depth. Do not require an MD5 match: no_md5_file_name: For each file element and each file in the workspace, compare only the file's name no_md5_file_name_dirdepth#: Compare the file's name and each file's parent directory to the indicated depth, as shown above --include_tags (-i) Import only these tags. Ignore all other tags. Incompatible with --exclude_tags (-e) * Accepts a comma-delimited list of tags * Converts the % character into a space, allowing for use with tags which have spaces in their names --exclude_tags (-e) Do not import these tags. Import all other tags. Incompatible with --include_tags (-i) Accepts a comma-delimited list of tags Converts the % character into a space, allowing for use with tags which have spaces in their names --path_search_replace_csv (-p) Location of the CSV file with the path fragments to find and replace (see below for additional information) Boolean Options All of these options default to false. Including any of these flags sets that flag to true. --dryrun (-y) If present, simulate an import without actually saving anything. Generates a log file containing what would be the significant events encountered during an actual import. --check_md5_hash (-m) If present, then in addition to checking the full file path, also check each file's MD5 hash. If there is a match, then do not import the file. This option is ignored if advanced file matching (see above flags) is used. --update_existing_group_data (-u) If present, update existing group data with the content from the XML workspace file. --annotate_adv_search_results (-r) If present, create a new metadata tag for each file matched with advanced file matching (see above flags). CSV File The --path_search_replace_csv (-p) flag takes one value: the location of a CSV file which maps the file paths from the workspace XML (indicated by --input (-f) ) to the paths on the scan server (indicated by --scan_server (-s) ) The CSV file has the format: /Path/To/Find/In/XML/File/One,Path/To/Replace/It/With/On/Scan/Server/1 /Path/To/Find/In/XML/File/Two,Path/To/Replace/It/With/On/Scan/Server/2 /Path/To/Find/In/XML/File/Three,Path/To/Replace/It/With/On/Scan/Server/3 Paths will be found and replaced exactly as shown in the CSV file. No regular expressions The "path to be found" will be matched only to the beginning of each path in the XML file being imported Limits the possibility of accidentally changing parts of other paths The portion of a path which matches is the only portion which is replaced Every "path to be found" will be tried on every path in the XML file being imported Matches are attempted in the order listed in the CSV file If a match is found, the matching portion of the path is replaced before the next match is attempted For each path, this allows for repeated changes as the search/replace map is iterated over Paths may contain any combination of forward slashes and/or backslashes Backslashes must be escaped with other backslashes Any path which contains at least one backslash must be wrapped in double-quotes For example, if you export from a Windows machine and import onto a Linux machine, your CSV file might look like this: "C:\\Path\\To\\Find\\In\\XML\\File\\One",Path/To/Replace/It/With/On/Scan/Server/1 "C:\\Path\\To\\Find\\In\\XML\\File\\Two",Path/To/Replace/It/With/On/Scan/Server/2 "C:\\Path\\To\\Find\\In\\XML\\File\\Three",Path/To/Replace/It/With/On/Scan/Server/3 In addition, two operators are available: CONVERT_TO_FORWARD_SLASH and CONVERT_TO_BACKSLASH Place either in the first field of a line. The second value in that line is ignored The conversion is performed on each forward slash or backslash in the entire file path Import Results The import script prints status messages to the screen as is runs, starting with a list of the flags (and their values) it will use for this execution. Log file (import.log) Located in the directory from which the workspace or custom data files were imported Contains: All significant actions taken during the import All issues encountered during the import All files that did not get associated to any group Metadata tags When a problem is encountered during the import of a group, a metadata tag (display name: Import Notes, field name: import-notes) is created for that group detailing the issue. If such a metadata tag already exists for that group, then the new issue is added to the existing tag. If the --annotate_adv_search_results flag has been included on the command line and a file is matched using advanced file matching (see above), then a metadata tag (display name: File Path Matched by Advanced Logic, field name: file-path-matched-by-advanced-logic, tag value: Yes) is created for that file. Import Usage Examples Import the workspace data contained in workspaceData.xml into the workspace foo. This will not overwrite any existing audit group data: importWorkspaceData.groovy --input C:\Users\bert\Desktop\workspaceData.xml --workspace foo Import the workspace data contained in workspaceData.xml into the workspace foo in a clustered environment with core server some_core_server and scan server some_scan_server, where the scan of workspace foo was run on some_scan_server. This will not overwrite any existing audit group data: importWorkspaceData.groovy --server some_core_server --scan_server some_scan_server --input C:\Users\bert\Desktop\workspaceData.xml --workspace foo Import the workspace data contained in workspaceData.xml into the workspace foo and overwrite any existing audit group data with audit group data from that XML file: importWorkspaceData.groovy --input C:\Users\bert\Desktop\workspaceData.xml --workspace foo --update_existing_group_data Import the workspace data contained in workspaceData.xml into the workspace foo along with the custom data from custom.xml. If workspaceData.xml references any custom data from custom.xml, then it is necessary to import custom.xml before (or at the same time) as workspaceData.xml: importWorkspaceData.groovy --custom_data_file C:\Users\bert\Desktop\custom.xml --input C:\Users\bert\Desktop\workspaceData.xml --workspace foo Import only the custom data from file custom.xml: importWorkspaceData.groovy --custom_data_file C:\Users\bert\Desktop\custom.xml Perform a 'dry run' of the import of custom data from the file custom.xml. Since this is a dryrun, the import script will walk through all the import steps, but will not write any data to the database: importWorkspaceData.groovy --custom_data_file C:\Users\bert\Desktop\custom.xml --dryrun Custom Data The term 'custom data' refers to user-created licenses, components, and component versions. When custom data is exported, it is written to a custom data XML file which is separate from an exported workspace XML file. A piece of custom data is exported any time you export a workspace which references that piece of custom data. If multiple workspaces are exported all at once, then only one custom data XML file is generated. This file contains all of the pieces of custom data referenced by all of the exported workspaces. It is possible to export all of the custom data on an entire Core Server using the -export_all_custom_data flag. Custom data can be imported along with a workspace which uses that custom data, or the custom data can be imported by itself. If you attempt to import a workspace into a database which does not already contain custom data utilized by that workspace, then the workspace import will fail. ... View more

Summary The purpose of this article is to enumerate the necessary materials to be sent to Flexera SoftwareSupport if your scan appears to be running for an unusually long period. Question Sometimes, a FlexNet Code Insight scan appears to be running for an unusually long period. A common inquiry during these periods is whether the situation is normal, or if the scan is "hung" and needs to be forcefully restarted. Answer Scan times are affected by several factors like the size and composition of the scanned materials, scan settings, and available system resources. To determine the state of a running scan operation, Palamida Support will generally ask for a snapshot of the system. If your scan appears to be hung or unresponsive, please contact Flexera Software Support. 1) All the logs in compressed/archived format from: $palamida/logs $palamida/tomcat/logs 2) Generate Java thread dumps on the relevant Scan server. About 3 thread dumps, taken a couple of minutes apart each, is ideal. For detailed instructions on how to perform a thread dump, please Generating Thread Dumps for Support. Thread dumps allow Palamida Support to inspect the underlying Java operations and help determine the status of the Scan. 3) Screenshot of the Scheduler page with the Scan server selected in the dropdown menu. To do this, within the Palamida web UI > click on Scheduler on the top panel > select your Scan Server from the dropdown menu > take a screenshot of Task Queue. 4) Screenshot of the Scan settings. To do this, within the Palamida web UI > click on your project > click on the Workspaces tab > click on your Workspace Name > select Workspace Resources from the dropdown menu > click on Edit Workspace Settings > click on Detection tab. It should look like this: 5) scan.properties file from the relevant Palamida Scan server, found at $palamidaScanner/config/scanEngine/scan.properties . 6) Approximate size of the Scan materials. If possible, please follow the instructions for the Palamida Code Metrics Tool to generate detailed code statistics. ... View more

Summary This article provides a resolution for the error: Current user admin doesn't have script admin role, please contact your System Administrator. Symptoms While running a scriptRunner script in FlexNet Code Insight 6.8 or later with a user with script admin role, you receive the following error: Current user admin doesn't have script admin role, please contact your Palamida System Administrator Resolution Try the following steps: 1. Try deleting the $USER/.palamida/config/scriptRunner/scriptRunner.properties file to get rid of cached scriptRunner credentials. NOTE: The location of this file will depend on whether or not you are running scriptRunner from the server or client machines. Then make sure that you are able to open the Groovy console using only the scriptRunner username: ./scriptRunner.sh -u admin And enter the JWT token for admin when prompted. If you can get to the groovy console, you?ve authenticated, and you know scriptRunner itself is not the problem. 2. Ensure that any URLs passed to scriptRunner are formatted correctly. For example: -server flag no longer takes just hostname, but full URL like http://servername:8888/palamida/ Conversely, the -scan_server flag now takes just servername:8888 3. Ensure that the -c flag provides the core server location followed by a "/". For example: http://<CORESERVER_URL>:8888/palamida/ Note that the trailing slash is necessary. 4. Check $palamida/scriptRunner/log/scriptRunner.log for any additional stacktrace/exception. ... View more

Summary This article documents the use of the FlexNet Code Analyzer Add-On. Synopsis Requirements FlexNet Code Insight 6.10+ A palamida.key with Data Services enabled. Install FlexNet Code Insight Analyzer is shipped in FlexNet Code Insight EE/CE version 6.10.3 and later. For a manual install, follow these steps: Download the appropriate distribution zip (standalone, core, or scanner) for the server. Standalone (core + scan) server Core only servers Scan only servers Auto-update package Unzip the appropriate distribution on the FlexNet Code Insight server(s) from the FlexNet Code Insight installation directory. On each scan server, run the installer script: cd $PALAMIDA/scriptRunner/scripts ../bin/scriptRunner.sh [...] configurePalamidaAnalyzer.groovy Discussion Update To update FlexNet Code Insight Analyzer, download the update jar and place it on the core server in the config/core/scripts directory. When the report task runs on the scan server(s) it will automatically download and install the update jar from the core server. The URL for the update jar is: api-dev.palamida-api.com Settings System settings are controlled via a properties file on the core server in config/core/analyzer.properties . Core Settings Analyzer Use Data Services NOTE: This requires a license key with Data Services enabled, and outgoing TCP access on port 443. Whether to use the Palamida Data Services API for additional analysis techniques. Default is true . Analyzer Use RubyGems API NOTE: This requires outgoing TCP access on port 443. Whether to use the RubyGems public API for additional analysis. Project Settings Project settings are controlled via Yes/No Metadata fields. You can create these Metadata fields by running the configurePalamidaAnalyzer.groovy script, as above. The default values are controlled via analyzer.properties . Analyzer Auto Schedule Whether to auto-schedule to the report task for enabled projects. The default is true . To change the default, set autoScheduleTask in analyzer.properties. Analyzer Auto Include Whether to select Include in Third-Party Notices for the groups that Repo Analyzer creates. Groups will only be included if they have license text. The default is true . To change the default, set autoIncludeNotices in analyzer.properties. Analyzer Override MID rules Whether the Analyzer should take files out of MID rule groups with the same component, and delete the groups if they are empty afterwards. The default is false . To change the default, set overrideMidrules in analyzer.properties. Analyzer Resolve Transitive Dependencies Whether to include transitive dependencies. Current this only affects the POM Analysis. The default is true . To change the default, set transitiveDependencies in analyzer.properties. Run To run the Analyzer task on a workspace, select the report from the workspace report menu. The Palamida Analyzer - Quick Assessment produces a report only, and does not make any modifications to groups. A scan is not required. The Palamida Analyzer - Group Builder requires a full scan to be completed, and creates the inventory with the associated files. Current Analyzers Source Package Repositories: CRAN NPM RubyGems Maven Binary Packages: rpm/centos RubyGems jar Source Components: bind busybox bzip2 clamav curl dbus expat ffmpeg giflib glibc jquery-ui jquery libexif libgcc libjpeg libpng libtiff libungif libxml2 linux-kernel openssh openssl qemu samba zlib Additional Information Files are available in Box ... View more

Summary This article provides steps for getting a JWT token to authorize scriptRunner for FlexNet Code Insight 6.8. Question How do I get a JWT token to authorize scriptRunner for FlexNet Code Insight 6.8? Answer Launch the web browser as a user who has Scripting Administrator privileges. After logging into the application, click on My Settings on the top right corner of the screen. Scroll to the bottom where you can add a Token. Proceed to add a token with a name to identify it, the desired expiration date, and copy the token as you will need it to run ScriptRunner. Navigate to the scriptRunner/bin directory to launch scriptRunner. You will need to The -c flag connects the core server, which needs to use the http(s) port used by the application, the same core server url specified in core.properties. Use the -u flag with the authorized user after you have copied the jwt Token from the Web UI. ./scriptRunner.sh -u username_of_scripting_administrator -c http(s)://core.server.url:8888/palamida/ This will prompt you to enter the jwt Token, paste it in for the one time authorization. If the authorization is successful, the groovy commandline console will be launched. Exit the console with the command exit. How to use JWT token while calling REST Apis Here are couple of examples to use JWT token in a java REST client or javascript client. RestClient.java import javax.ws.rs.client.ClientBuilder; import javax.ws.rs.client.Invocation.Builder; public class RestClient { public static void connect() { String jwtToken = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiIsImlhdCI6MTQ1MDM4Nzc5MH0.eIAZFqX9Mm5qlsHTjiztWBgT62RyDWPlBzp0phdgJaY"; String target = "https://dev-linux-1.eng.palamida.com:8888/palamida/api/component/lookup componentNames=zlib&versionNames=1.2.8&forgeIds=175"; Builder builder = ClientBuilder.newClient().target(target).request(); builder.header("JWT_TOKEN", jwtToken); String result = builder.get().readEntity(String.class); System.out.println(result); } } rest-client.js <\!DOCTYPE html> <html> <head> <title>JWT Token Test</title> <script src="https://code.jquery.com/jquery-2.2.0.min.js" ></script> <script src="json-minified.js" ></script> <script> $(document).ready(function() { $("#zlib").click(function() { $.ajax({ dataType: "json", type: "GET", beforeSend : function( xhr ) { xhr.setRequestHeader ("JWT_TOKEN", "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiIsImlhdCI6MTQ1MDM4Nzc5MH0.eIAZFqX9Mm5qlsHTjiztWBgT62RyDWPlBzp0phdgJaY"); }, url: "https://dev-linux-1.eng.palamida.com:8888/palamida/api/component/lookup?componentNames=zlib&versionNames=1.2.8&forgeIds=175", success: function(data) { var obj = JSON.stringify(data); $('.c-data').append(obj); } }) }) }); </script> </head> <body> <input type="button" id="zlib" value="Click to find component zlib data" /> <p class="c-data"></p> </body> </html> ... View more

Summary When running an update you receive an email notification with the following error message: java.lang.OutOfMemoryError: GC overhead limit exceeded... Symptoms When running an update you receive a FlexNet Code Insight email notification with the following error message: Dear Administrator, Palamida Update Service failed with following error. Please contact Palamida Supoort. java.lang.OutOfMemoryError: GC overhead limit exceeded *** PLEASE DO NOT REPLY TO THIS EMAIL *** Cause This typically indicates an insufficient amount of memory allocated to Java. Resolution You can adjust the Java heap size by changing the values for CATALINA_OPTS in $palamida/tomcat/bin/catalina.sh to the specifications below: CATALINA_OPTS="-Xms16384m -Xmx16384m -XX:PermSize=1024m -XX:MaxPermSize=1024m ... View more

Summary Palamida's Source Code Fingerprint matching ordinarily checks file contents for terms that are likely indicators of third-party content. This articles provides steps for creating custom fingerprints. Synopsis FlexNet Code Insight's Source Code Fingerprint matching ordinarily checks file contents for terms that are likely indicators of third-party content. Creating custom fingerprints allows one to generate a list of terms suited to the kinds of components one is interested in identifying. FlexNet Code Insight's standard source code fingerprints will continue to be checked for matches alongside your custom fingerprints. Behavior FlexNet Code Insight centrally manages custom data, such as custom source code fingerprints and digests. This means that custom fingerprints and digests will be picked up by all workspaces. If you need to isolate custom data to a particular workspace, contact Flexera Software Support. Configuration Custom fingerprint generation is controlled by an XML configuration file. The template for this file is located in: scriptRunner/scripts/customFingerprints_template.xml Discussion The basic instructions for generating custom fingerprints are as follows: Go to scriptRunner/scripts directory and make a copy of the customFingerprints_template.xml file. You can either edit this file or make a copy of it. For example purposes, we?ll assume we are editing the customFingerprints_template.xml file in these instructions. Edit customFingerprints_template.xml file located in scriptRunner/scripts directory as follows and save when finished: Set the output directory to point to the corporate workspaces directory: outputDir="Palamida/workspaces/CorporateWS"> Set the product name for which you are generating SCF: <product name="component_foo"> Set the release name for every distinct release for which you are generating SCF: <release name="component_foo_1.0.zip"> <release name="component_foo_1.2.zip"> Provide a directory where the source code for the fingerprints is located. Note: you need to give the path to the directory and not the file path. Custom SCFs will be generated for all the files under this directory. <fileset dir="/Palamida/custom/foo_directory"> Make sure the Palamida Server is running. Invoke scriptRunner to generate your custom fingerprints: cd $PALAMIDA_HOME/scriptRunner/bin ./scriptRunner.sh -n customFingerprints.groovy ?d customFingerprints_template.xml Additional Information The following options can provide you more detailed match information. -d : This option applied to the fingerprint compiler causes a digest record to be created for every file that is processed. If you do not specify the ?-d? option, you will not get digest matches on exact copies of the files processed by the fingerprint compiler. -a : This option generates fingerprints for files within archives. Otherwise, the fingerprint compiler will not go inside archive files. -v : This option gives you more detailed information in the scriptRunner/log/scriptRunner.log ... View more