Infrastructure / INFRA-2769

Code scanning for plugins maintained by timja


      Description

      Please activate code scanning for plugins maintained by timja. If this needs to be done manually, please activate at least:

          Activity

          timja Tim Jacomb created issue -
          timja Tim Jacomb made changes -
          Reporter changed from Ulli Hafner [ drulli ] to Tim Jacomb [ timja ]
          timja Tim Jacomb made changes -
          Description changed from:

          Please activate code scanning for plugins maintained by uhafner. If this needs to be done manually, please activate at least:
           * warnings-ng: [https://github.com/jenkinsci/warnings-ng-plugin]
           * forensics-api: [https://github.com/jenkinsci/forensics-api-plugin]
           * git-forensics: [https://github.com/jenkinsci/git-forensics-plugin]
           * analysis-model: [https://github.com/jenkinsci/analysis-model]

          to:

          Please activate code scanning for plugins maintained by timja. If this needs to be done manually, please activate at least:
           * JUnit: [https://github.com/jenkinsci/junit-plugin]
           * Configuration as Code plugin: [https://github.com/jenkinsci/configuration-as-code-plugin]
           * Slack: [https://github.com/jenkinsci/slack-plugin]
           * Azure KeyVault: [https://github.com/jenkinsci/azure-keyvault-plugin]

          danielbeck Daniel Beck made changes -
          Assignee Daniel Beck [ danielbeck ]
          danielbeck Daniel Beck added a comment -

          Easy enough to do all you maintain, which would be:

          jenkinsci/azure-keyvault-plugin
          jenkinsci/checks-api-plugin
          jenkinsci/code-coverage-api-plugin
          jenkinsci/configuration-as-code-plugin
          jenkinsci/dark-theme-plugin
          jenkinsci/database-h2-plugin
          jenkinsci/database-plugin
          jenkinsci/database-postgresql-plugin
          jenkinsci/github-checks-plugin
          jenkinsci/jenkins-infra-test-plugin
          jenkinsci/junit-plugin
          jenkinsci/junit-sql-storage-plugin
          jenkinsci/platformlabeler-plugin
          jenkinsci/slack-plugin
          jenkinsci/snakeyaml-api-plugin
          jenkinsci/theme-manager-plugin 

          Could you confirm that's the list?

          timja Tim Jacomb added a comment -

          Perfect thanks!

          danielbeck Daniel Beck made changes -
          Status changed from Open [ 1 ] to In Progress [ 3 ]
          danielbeck Daniel Beck added a comment -

          Thanks for signing up!

          An initial scan is finished, and I added the repo(s) to the list for future re-scans.

          Unresolved findings are shown with an "unread indicator" on the "Security" tab on each repo.

          I've also done a basic sanity check of the findings and filtered out the obvious garbage due to limitations of current queries. This doesn't mean what's left are true positive findings, just that those are not due to really bad queries.

          If you think a finding is a true positive security issue, please file those in the SECURITY tracker so we can review the fix and coordinate a release.

          We're using GitHub's CodeQL as the tool for this, but only execute our own, Jenkins-specific queries. For general purpose queries, you can check out the plugin repo(s) on lgtm.com, or add regular CodeQL code scanning to your plugins.

          If you have questions or feedback, please reach out to me directly, or email the Jenkins security team at jenkinsci-cert@googlegroups.com

          danielbeck Daniel Beck made changes -
          Resolution set to Fixed [ 1 ]
          Status changed from In Progress [ 3 ] to Resolved [ 5 ]

            People

            Assignee:
            danielbeck Daniel Beck
            Reporter:
            timja Tim Jacomb