Uploaded image for project: 'Infrastructure'
  1. Infrastructure
  2. INFRA-2768

Code scanning for plugins maintained by uhafner

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      Please activate code scanning for plugins maintained by uhafner. If this needs to be done manually, please activate at least:

       

        Attachments

          Activity

          Ascending order - Click to sort in descending order
          Hide
          Permalink
          danielbeck Daniel Beck added a comment -

          Please activate code scanning for plugins maintained by uhafner. If this needs to be done manually, please activate at least:

          Well, I need to build the list but that's all I do manually Would that be it?

          jenkinsci/analysis-config-plugin
jenkinsci/analysis-core-plugin
jenkinsci/analysis-model-api-plugin
jenkinsci/analysis-test-plugin
jenkinsci/autograding-plugin
jenkinsci/bootstrap4-api-plugin
jenkinsci/checks-api-plugin
jenkinsci/checkstyle-plugin
jenkinsci/cobertura-plugin
jenkinsci/code-coverage-api-plugin
jenkinsci/data-tables-api-plugin
jenkinsci/database-h2-plugin
jenkinsci/dry-plugin
jenkinsci/echarts-api-plugin
jenkinsci/findbugs-plugin
jenkinsci/font-awesome-api-plugin
jenkinsci/forensics-api-plugin
jenkinsci/git-forensics-plugin
jenkinsci/github-checks-plugin
jenkinsci/jquery3-api-plugin
jenkinsci/plot-plugin
jenkinsci/plugin-util-api-plugin
jenkinsci/pmd-plugin
jenkinsci/popper-api-plugin
jenkinsci/publish-over-ftp-plugin
jenkinsci/swarm-plugin
jenkinsci/tasks-plugin
jenkinsci/warnings-ng-plugin
jenkinsci/warnings-plugin
          Show
          danielbeck Daniel Beck added a comment - Please activate code scanning for plugins maintained by uhafner. If this needs to be done manually, please activate at least: Well, I need to build the list but that's all I do manually Would that be it? jenkinsci/analysis-config-plugin jenkinsci/analysis-core-plugin jenkinsci/analysis-model-api-plugin jenkinsci/analysis-test-plugin jenkinsci/autograding-plugin jenkinsci/bootstrap4-api-plugin jenkinsci/checks-api-plugin jenkinsci/checkstyle-plugin jenkinsci/cobertura-plugin jenkinsci/code-coverage-api-plugin jenkinsci/data-tables-api-plugin jenkinsci/database-h2-plugin jenkinsci/dry-plugin jenkinsci/echarts-api-plugin jenkinsci/findbugs-plugin jenkinsci/font-awesome-api-plugin jenkinsci/forensics-api-plugin jenkinsci/git-forensics-plugin jenkinsci/github-checks-plugin jenkinsci/jquery3-api-plugin jenkinsci/plot-plugin jenkinsci/plugin-util-api-plugin jenkinsci/pmd-plugin jenkinsci/popper-api-plugin jenkinsci/publish-over-ftp-plugin jenkinsci/swarm-plugin jenkinsci/tasks-plugin jenkinsci/warnings-ng-plugin jenkinsci/warnings-plugin
          Hide
          Permalink
          danielbeck Daniel Beck added a comment -

          Forgot

          jenkinsci/analysis-collector-plugin

          in the above list, but I guess you don't care much about this anymore?

          Show
          danielbeck Daniel Beck added a comment - Forgot jenkinsci/analysis-collector-plugin in the above list, but I guess you don't care much about this anymore?
          Hide
          Permalink
          drulli Ulli Hafner added a comment -

          Yes I do not care about the old plugins anymore...

          Show
          drulli Ulli Hafner added a comment - Yes I do not care about the old plugins anymore...
          Hide
          Permalink
          danielbeck Daniel Beck added a comment -

          Ulli Hafner Could you provide a list (perhaps based on mine in the first comment) of plugins for which I should enable code scanning? Then this is not ambiguous

          Show
          danielbeck Daniel Beck added a comment - Ulli Hafner Could you provide a list (perhaps based on mine in the first comment) of plugins for which I should enable code scanning? Then this is not ambiguous
          Hide
          Permalink
          drulli Ulli Hafner added a comment -

          Yes here we go:

          jenkinsci/analysis-model
jenkinsci/autograding-plugin
jenkinsci/checks-api-plugin
jenkinsci/code-coverage-api-plugin
jenkinsci/data-tables-api-plugin
jenkinsci/echarts-api-plugin
jenkinsci/forensics-api-plugin
jenkinsci/git-forensics-plugin
jenkinsci/github-checks-plugin
jenkinsci/plugin-util-api-plugin
jenkinsci/warnings-ng-plugin
          Show
          drulli Ulli Hafner added a comment - Yes here we go: jenkinsci/analysis-model jenkinsci/autograding-plugin jenkinsci/checks-api-plugin jenkinsci/code-coverage-api-plugin jenkinsci/data-tables-api-plugin jenkinsci/echarts-api-plugin jenkinsci/forensics-api-plugin jenkinsci/git-forensics-plugin jenkinsci/github-checks-plugin jenkinsci/plugin-util-api-plugin jenkinsci/warnings-ng-plugin
          Hide
          Permalink
          danielbeck Daniel Beck added a comment -

          Ulli Hafner

          Thanks!

          jenkinsci/analysis-model

          Please note that these checks are all Jenkins/Stapler specific, so general purpose libraries are unlikely to benefit.

          Show
          danielbeck Daniel Beck added a comment - Ulli Hafner Thanks! jenkinsci/analysis-model Please note that these checks are all Jenkins/Stapler specific, so general purpose libraries are unlikely to benefit.
          Hide
          Permalink
          danielbeck Daniel Beck added a comment -

          Thanks for signing up!

          An initial scan is finished, and I added the repo(s) to the list for future re-scans.

          Unresolved findings are shown with an "unread indicator" on the "Security" tab on each repo.

          I've also done a basic sanity check of some of the findings and filtered out the obvious garbage due to limitations of current queries. This doesn't mean what's left are true positive findings, just that those are not due to really bad queries.

          If you think a finding is a true positive security issue, please file those in the SECURITY tracker so we can review the fix in private and coordinate a release.

          We're using GitHub's CodeQL as the tool for this, but only execute our own, Jenkins-specific queries. For general purpose queries, you can check out the plugin repo(s) on lgtm.com, or add regular CodeQL code scanning to your plugins.

          If you have questions or feedback, please reach out to me directly, or email the Jenkins security team at jenkinsci-cert@googlegroups.com

          Show
          danielbeck Daniel Beck added a comment - Thanks for signing up! An initial scan is finished, and I added the repo(s) to the list for future re-scans. Unresolved findings are shown with an "unread indicator" on the "Security" tab on each repo. I've also done a basic sanity check of some of the findings and filtered out the obvious garbage due to limitations of current queries. This doesn't mean what's left are true positive findings, just that those are not due to really bad queries. If you think a finding is a true positive security issue, please file those in the SECURITY tracker so we can review the fix in private and coordinate a release. We're using GitHub's CodeQL as the tool for this, but only execute our own, Jenkins-specific queries. For general purpose queries, you can check out the plugin repo(s) on lgtm.com, or add regular CodeQL code scanning to your plugins. If you have questions or feedback, please reach out to me directly, or email the Jenkins security team at jenkinsci-cert@googlegroups.com

            People

            Assignee:
            danielbeck Daniel Beck
            Reporter:
            drulli Ulli Hafner
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: