[JENKINS-50982] AppScanStandardBuilder persists PrintStream to the disk (JEP-200)

Type: Bug
Resolution: Unresolved
Priority: Minor
Component/s: ibm-security-appscanstandard-scanner-plugin
Labels:
- JEP-200

Similar Issues:
Powered by SuggestiMate

Show

According to the code inspection, there is a JEP-200 issue in the plugin:

https://github.com/jenkinsci/ibm-security-appscanstandard-scanner-plugin/blob/62c0967a9d2e623d6eb97dd2c2f354f9ff87f5ac/src/main/java/appscanstdrdintegration/appscanstandard/AppScanStandardBuilder.java#L146

This code likely causes a JEP-200 security exception when the object gets persisted to the disk. "java.io.PrintStream" is not whitelisted in Jenkins for a reason, because loggers are not expected reliably after being deserialized from the disk.

Useful links about JEP-200:

Blog post for users: https://jenkins.io/blog/2018/03/15/jep-200-lts/
JEP-200 guidelines for plugin developers: https://jenkins.io/blog/2018/01/13/jep-200/#for-plugin-developers

Oleg Nenashev created issue - 2018-04-24 23:44

Oleg Nenashev made changes - 2018-04-24 23:44

Component/s		New: ibm-security-appscanstandard-scanner-plugin [ 21689 ]
Component/s	Original: ibm-security-appscansource-scanner-plugin [ 21460 ]

Oleg Nenashev made changes - 2018-04-24 23:45

Description

Original: According to the code inspection, there is a JEP-200 issue in the plugin:
* https://github.com/jenkinsci/ibm-security-appscansource-scanner-plugin/blob/3a925c5b9016a6a5db8c5c68d2764805a4603f94/src/main/java/com/aspectsecurity/automationservices/plugins/jenkins/appscansource/AppScanSourceBuilder.java#L55

This code likely causes a JEP-200 security exception when the object gets persisted to the disk. "java.io.PrintStream" is not whitelisted in Jenkins for a reason, because loggers are not expected reliably after being deserialized from the disk.

Useful links about JEP-200:

* Blog post for users: https://jenkins.io/blog/2018/03/15/jep-200-lts/
* JEP-200 guidelines for plugin developers: https://jenkins.io/blog/2018/01/13/jep-200/#for-plugin-developers

New: According to the code inspection, there is a JEP-200 issue in the plugin:
* https://github.com/jenkinsci/ibm-security-appscanstandard-scanner-plugin/blob/62c0967a9d2e623d6eb97dd2c2f354f9ff87f5ac/src/main/java/appscanstdrdintegration/appscanstandard/AppScanStandardBuilder.java#L146

This code likely causes a JEP-200 security exception when the object gets persisted to the disk. "java.io.PrintStream" is not whitelisted in Jenkins for a reason, because loggers are not expected reliably after being deserialized from the disk.

Useful links about JEP-200:

* Blog post for users: https://jenkins.io/blog/2018/03/15/jep-200-lts/
* JEP-200 guidelines for plugin developers: https://jenkins.io/blog/2018/01/13/jep-200/#for-plugin-developers

Oleg Nenashev made changes - 2018-04-24 23:45

Assignee

Original: Kevin Fealey [ kevinfealey ]

New: Tiago Lopes [ tlopespt ]

Tiago Lopes added a comment - 2018-04-26 08:35

I'll have a look into it and deploy an update asap, thanks.

Tiago Lopes added a comment - 2018-04-26 08:35 I'll have a look into it and deploy an update asap, thanks.

Assignee:: Tiago Lopes

Reporter:: Oleg Nenashev

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2018-04-24 23:44

Updated:: 2018-04-26 08:35

Jenkins

Details

Description

Attachments

Activity

Collapse comment: Tiago Lopes added a comment - 2018-04-26 08:35

Expand comment: Tiago Lopes added a comment - 2018-04-26 08:35

People

Dates