INFRA-2770

Enable code scanning for my plugins

        Activity

        jvz Matt Sicker created issue
        danielbeck Daniel Beck made changes: Assignee -> Daniel Beck [ danielbeck ]
        danielbeck Daniel Beck made changes: Status Open [ 1 ] -> In Progress [ 3 ]
        danielbeck Daniel Beck added a comment -

        Thanks for signing up!

        I'm not sure if any of these are worth enabling yet, but I also have access to the following which seem relevant:

        Release permissions only, not just committer access. Sorry.

        Which means the following repos are signed up:

        jenkinsci/sshd-module
        jenkinsci/ssh-credentials-plugin
        jenkinsci/pam-auth-plugin
        jenkinsci/jackson2-api-plugin
        jenkinsci/audit-log-plugin
        jenkinsci/extended-security-settings-plugin

        SSH Credentials and PAM Auth already were, the rest are new.

        An initial scan is finished, and I added the repo(s) to the list for future re-scans.

        Unresolved findings are shown with an "unread indicator" on the "Security" tab on each repo.

        If you think a finding is a true positive security issue, please file those in the SECURITY tracker so we can review the fix and coordinate a release.

        We're using GitHub's CodeQL as the tool for this, but only execute our own, Jenkins-specific queries. For general purpose queries, you can check out the plugin repos on lgtm.com, or add regular CodeQL code scanning to your plugins.

        If you have questions or feedback, as a security team member, please file issues in jenkinsci-cert/codeql.

        danielbeck Daniel Beck made changes: Resolution -> Fixed [ 1 ]; Status In Progress [ 3 ] -> Resolved [ 5 ]
        danielbeck Daniel Beck made changes: Labels -> code-scanning

          People

          Assignee:
          danielbeck Daniel Beck
          Reporter:
          jvz Matt Sicker
          Votes:
          0
          Watchers:
          2