Empty Risky Service Principals leads to JSON parsing error #1658

Open
schrolla opened this issue Mar 31, 2025 · 1 comment · May be fixed by #1682
schrolla commented Mar 31, 2025

Prerequisites

  • This issue has an informative and human-readable title.

ScubaGear Version

v1.5.0

Operating System

Windows 11

PowerShell Version

5.1

M365 Environment and License(s)

M365 Environment: GCC high
License Types:

🐛 Summary

When running ScubaGear against a particular GCC high tenant environment, I receive the following error.

Fatal Error involving the Report Creation.
Ending ScubaGear execution. Error: Invalid JSON primitive: .

at New-Report, C:\Users\Administrator\Documents\WindowsPowerShell\Modules\ScubaGear\1.5.0\Modules\CreateReport\CreateReport.psm1: line 66
at Invoke-ReportCreation,
C:\Users\Administrator\Documents\WindowsPowerShell\Modules\ScubaGear\1.5.0\Modules\Orchestrator.psm1: line 1277
at Invoke-SCuBA,
C:\Users\Administrator\Documents\WindowsPowerShell\Modules\ScubaGear\1.5.0\Modules\Orchestrator.psm1: line 440
at , C:\Users\Administrator\Documents\gcc1test.ps1: line 6
at , : line 1
At C:\Users\Administrator\Documents\WindowsPowerShell\Modules\ScubaGear\1.5.0\Modules\Orchestrator.psm1:1371 char:13

+         throw $InvokeReportErrorMessage
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OperationStopped: (Fatal Error inv...o file>: line 1:String) [], RuntimeException
    + FullyQualifiedErrorId : Fatal Error involving the Report Creation.
      Ending ScubaGear execution. Error: Invalid JSON primitive: .

    at New-Report, C:\Users\Administrator\Documents\WindowsPowerShell\Modules\ScubaGear\1.5.0\Modules\CreateReport\Cre
    ateReport.psm1: line 66
    at Invoke-ReportCreation, C:\Users\Administrator\Documents\WindowsPowerShell\Modules\ScubaGear\1.5.0\Modu
    les\Orchestrator.psm1: line 1277
    at Invoke-SCuBA, C:\Users\Administrator\Documents\WindowsPowerShell\Modules\ScubaGear\1.5.0\Modules\Orche
    strator.psm1: line 440
    at , C:\Users\Administrator\Documents\gcc1test.ps1: line 6
    at , : line 1

When reviewing the associated ScubaResults JSON file, it appears the risky_third_party_service_principals key has no value, resulting in the parsing error.

Steps to reproduce

  1. Set up a tenant environment where there may be one or more risky apps, but no risky SPs (if possible).
  2. Run ScubaGear in the GCC high environment:
    Invoke-Scuba -ProductNames @("defender", "teams", "exo", "sharepoint", "aad") `
    -M365Environment gcchigh `
    -AppID <REDACTED> `
    -CertificateThumbprint <REDACTED> `
    -Organization <REDACTED> `
    -OutPath <REDACTED> `
    -Quiet
    
  3. Watch for fatal error during CreateReport stage of processing.

Expected behavior

ScubaGear should generate a complete report without errors.

Output from Initialize-SCuBA (optional)

No response

@schrolla schrolla added the bug This issue or pull request addresses broken functionality label Mar 31, 2025
@schrolla
Contributor Author

A very quick look at the code starting in ExportAADProvider.psm1:192 shows where the key value is set. It looks like it only considers when both SP and Apps values are null, and not if one or the other may be null.
Recommend looking at how the conditional handles one or the other being null as a possible code path that isn't covered and might result in null JSON values.
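
Added example (not part of the issue thread and not ScubaGear's code): a constructed reproduction of the failure mode discussed above, where a conditional covers only the both-null case and a single `$null` value is interpolated into a JSON template as an empty string. All function names, the first JSON key, the `[]` fallback and the sample data are assumptions made for illustration.

```powershell
# Added illustration, not ScubaGear code. Function names are hypothetical.
function ConvertTo-JsonOrEmpty {
    # Serialize one collection by itself. Assumption: an empty JSON array is
    # an acceptable stand-in for "nothing found".
    param([object[]]$Items)
    if ($null -eq $Items -or $Items.Count -eq 0) { return '[]' }
    return ConvertTo-Json -InputObject $Items -Depth 3 -Compress
}

function New-RiskyFragment {
    param([object[]]$Apps, [object[]]$SPs, [switch]$Guarded)
    if ($Guarded) {
        # Each value gets its own fallback, so one can be empty without the other
        $AppsJson = ConvertTo-JsonOrEmpty $Apps
        $SPsJson  = ConvertTo-JsonOrEmpty $SPs
    }
    elseif ($null -eq $Apps -and $null -eq $SPs) {
        # Only the both-null case is covered here
        $AppsJson = '[]'; $SPsJson = '[]'
    }
    else {
        # A $null input leaves its variable $null, which interpolates as ''
        $AppsJson = if ($null -ne $Apps) { ConvertTo-Json -InputObject $Apps -Depth 3 -Compress }
        $SPsJson  = if ($null -ne $SPs)  { ConvertTo-Json -InputObject $SPs -Depth 3 -Compress }
    }
    # "apps_key_placeholder" is a hypothetical key; the second key is the one
    # named in the issue.
    return @"
{
  "apps_key_placeholder": $AppsJson,
  "risky_third_party_service_principals": $SPsJson
}
"@
}

# Constructed sample: one risky app, no risky service principals
$Apps = @([pscustomobject]@{ DisplayName = 'Constructed App' })
foreach ($Mode in $false, $true) {
    $Json = New-RiskyFragment -Apps $Apps -SPs $null -Guarded:$Mode
    try {
        $null = $Json | ConvertFrom-Json -ErrorAction Stop
        "Guarded=$Mode : parsed"
    }
    catch {
        "Guarded=$Mode : $($_.Exception.Message)"
    }
}
```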
