Details
-
Type:
Bug
-
Status: Closed (View Workflow)
-
Priority:
Critical
-
Resolution: Fixed
-
Component/s: hp-application-automation-tools-plugin
-
Labels:None
-
Similar Issues:
Description
We are currently evaluating the use of the hp-application-automation-tools-plugin in our setup to better integrate the mf tools with our established CI/CD pipeline. The huge amount of functionality packed into one plugin makes it hared to see the side effects.
After installation of the plugin we observed that internal data about the Jenkins installation and Job names is exposed at the Url: https://<jenkinsRoot>/userContent/nga/logs/ to users with minimum permissions on the Jenkins install. The data includes Jobs that are not related to the mf integration at all.
26/05/2020 15:47:04,102 INFO [EventsServiceWorker-155 ] EventsServiceImpl : [http://foo.example.com:8080?p=1001] sending [sbs-admin/job/sbs-admin-infra-bitbucket/job/sbs-infra/job/sbs-jenkins-git-backup:7781:STARTED, Checkout:7781:STARTED, Checkout:7781:FINISHED, Backup to GIT:7781:STARTED, Backup to GIT:7781:FINISHED, sbs-admin/job/sbs-admin-infra-bitbucket/job/sbs-infra/job/sbs-jenkins-git-backup:7781:FINISHED] event/s ... 26/05/2020 15:48:14,149 INFO [EventsServiceWorker-155 ] EventsServiceImpl : [http://foo.example.com:8080?p=1001] sending [community/job/sbs-fat-spring-pipeline/job/feature%2Fbitbucket-jenkins-plugin-testing:1:STARTED] event/s ... 26/05/2020 15:48:16,206 INFO [EventsServiceWorker-155 ] EventsServiceImpl : [http://foo.example.com:8080?p=1001] sending [checkout:1:STARTED] event/s ... 26/05/2020 15:48:25,271 INFO [EventsServiceWorker-155 ] EventsServiceImpl : [http://foo.example.com:8080?p=1001] sending [checkout:1:FINISHED, build:1:STARTED] event/s ... 26/05/2020 15:49:44,466 INFO [EventsServiceWorker-155 ] EventsServiceImpl : [http://foo.example.com:8080?p=1001] sending [build:1:FINISHED, static analysis:1:STARTED] event/s ... 26/05/2020 15:51:03,569 INFO [itbucket/sbs-infra/sbs-jenkins-git-backup #15509]]] BuildLogHelper : enqueued build 'sbs-admin/job/sbs-admin-bitbucket/job/sbs-infra/job/sbs-jenkins-git-backup #15509' for log submission 26/05/2020 15:51:03,579 WARN [itbucket/sbs-infra/sbs-jenkins-git-backup #15509]]] VulnerabilitiesWorkflowListener : No Security Scan integration configuration was found sbs-admin/sbs-admin-bitbucket/sbs-infra/sbs-jenkins-git-backup #15509 26/05/2020 15:51:03,939 INFO [BuildLogsPushWorker-156 ] LogsServiceImpl : [http://foo.example.com:8080?p=1001] log of 'sbs-admin/job/sbs-admin-bitbucket/job/sbs-infra/job/sbs-jenkins-git-backup #15509', root job : sbs-admin/job/sbs-admin-bitbucket/job/sbs-infra/job/sbs-jenkins-git-backup, no interested workspace is found 26/05/2020 15:51:04,436 INFO [EventsServiceWorker-155 ] EventsServiceImpl : [http://foo.example.com:8080?p=1001] sending [sbs-admin/job/sbs-admin-bitbucket/job/sbs-infra/job/sbs-jenkins-git-backup:15509:STARTED, Checkout:15509:STARTED, Checkout:15509:FINISHED, Backup to GIT:15509:STARTED, Backup to GIT:15509:FINISHED, sbs-admin/job/sbs-admin-bitbucket/job/sbs-infra/job/sbs-jenkins-git-backup:15509:FINISHED] event/s ... 26/05/2020 15:51:50,025 INFO [EventsServiceWorker-155 ] EventsServiceImpl : [http://foo.example.com:8080?p=1001] sending [static analysis:1:FINISHED, create docker image:1:STARTED] event/s ...
This does not feel right at other places this information is well hidden for users without permission. Is this an error in our setup?
Attachments
Activity
Hi Radi,
thanks for looking into this and offering a solution. I'd suggest for plugins to use the logging facility that is already part of Jenkins and not adding a own one. It feels a bit like the plugin is expecting to take over the whole Jenkins instance rather becoming a fair part of it. We follow the approach with one Jenkins master instance to serve all projects - only a fraction of these will be using some of the features of this plugin. So I'm concerned about the implications for other projects.
Kind regards, Andreas.
Andreas Mandel
added a comment - Hi Radi,
thanks for looking into this and offering a solution. I'd suggest for plugins to use the logging facility that is already part of Jenkins and not adding a own one. It feels a bit like the plugin is expecting to take over the whole Jenkins instance rather becoming a fair part of it. We follow the approach with one Jenkins master instance to serve all projects - only a fraction of these will be using some of the features of this plugin. So I'm concerned about the implications for other projects.
Kind regards, Andreas. Hi.
Our jenkins plugin uses Octane CI sdk that is shared between our different CI server plugins (we have additional plugins for Bamboo, TeamCity, GitLab and more) , therefore we use our own logging solution.
We can supply Beta version with the solution I suggested in previous answer.
What are features you are going to use?
Radi
Radi Berkovich
added a comment - - edited Hi.
Our jenkins plugin uses Octane CI sdk that is shared between our different CI server plugins (we have additional plugins for Bamboo, TeamCity, GitLab and more) , therefore we use our own logging solution.
We can supply Beta version with the solution I suggested in previous answer.
What are features you are going to use?
Radi Hi Radi,
as a 1st step we just want to trigger the UFT test execution (on a remote windows agent) with test scripts stored in the scm of the Jenkins project. The trigger is in a library based Jenkinsfile, which works fine for now we just struggle with the side effects of the plugin.
Kind regards, Andreas.
Andreas Mandel
added a comment - Hi Radi,
as a 1st step we just want to trigger the UFT test execution (on a remote windows agent) with test scripts stored in the scm of the Jenkins project. The trigger is in a library based Jenkinsfile, which works fine for now we just struggle with the side effects of the plugin.
Kind regards, Andreas. Do you use Octane?
Radi Berkovich
added a comment - Do you use Octane? Yes, we have this. For now we want to trigger UFT tests, both UI and API tests.
Andreas Mandel
added a comment - Yes, we have this. For now we want to trigger UFT tests, both UI and API tests. Hi, what is your status now?
Version 6.3 is released. Do you use it?
Radi Berkovich
added a comment - Hi, what is your status now?
Version 6.3 is released. Do you use it?
With 6.3 I can confirm that setting -DoctaneAllowedStorage=/export/sbs/jenkins/home/logs/octane as java system property prevents the nga folder being in a exposed area.
Thanks a lot for the fix!
Andreas Mandel
added a comment - With 6.3 I can confirm that setting -DoctaneAllowedStorage=/export/sbs/jenkins/home/logs/octane as java system property prevents the nga folder being in a exposed area.
Thanks a lot for the fix! 
Hi
Your setup is Ok.
The userContent folder is used for saving log files for Octane part of the plugin.
This place really accessible to users with minimum permissions on the Jenkins , but logs contains only job names and no more. The log does not contains sensitive information like secrets,passwords,userNames.
The accessibility of this path is very useful in case when plugin support is required, its very easy to get logs without need of additional permissions to physical machine.
In next version (6.3) of plugin , we can supply possibility to configure “plugin log place” in jenkins.xml by adding -DoctaneAllowedStorage=myNewPlace in <arguments> element
Thanks
Radi