JENKINS-73506: Git Plugin should check TLS used if FIPS mode activated

    • Type: Improvement
    • Resolution: Fixed
    • Priority: Minor
    • Component/s: git-plugin

      Git plugin is not FIPS compliant.

      It allows skipping TLS verify, which should not be allowed in a FIPS 140-2 environment.

      We should implement these checks when running in FIPS mode.


          Olivier Lamy created issue
          Olivier Lamy made changes
          Assignee - Original: Pedro Bueno [ pbuenoyerbes ]; New: Olivier Lamy [ olamy ]
          Olivier Lamy made changes
          Description - Original:
              Kubernetes plugin is not FIPS compliant.
              It allows skipping TLS verify which should not be allowed in a FIPS 140-2 environment.
              Also, server certificate is being encoded without checking it.
              We should implement these checks when running in FIPS mode
          Description - New:
              Git plugin plugin is not FIPS compliant.
              It allows skipping TLS verify which should not be allowed in a FIPS 140-2 environment.
              We should implement these checks when running in FIPS mode
          Olivier Lamy made changes
          Component/s - Original: kubernetes-plugin [ 20639 ]; New: git-plugin [ 15543 ]

          Olivier Lamy added a comment (edited)

          The current code has a `doCheckUrl` method for UserRemoteConfig, but there is no equivalent method for GitSCMSource, while it's the equivalent class for pipeline projects. I would like to have the same FIPS control for both, but I wonder about the rest of the existing control made in UserRemoteConfig$DescriptorImpl#doCheckUrl: should we have exactly the same with a new method GitSCMSource$DescriptorImpl#doCheckRemote? Or do we just limit the change to the FIPS requirement?
          Personally I would like to have the exact same control. But do not take it as a very strong opinion.

          Mark Waite added a comment

          I'd limit the change to the FIPS requirement because I'm not aware of any other location that would call the doCheckUrl method of GitSCMSource.
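
As an added illustration (not the git plugin's own code), a plain-Java version of the FIPS check the thread discusses: a descriptor's doCheck* method would normally return Jenkins FormValidation and read the FIPS flag from core, but here the flag is a parameter and the result is an error string, so the class compiles on its own; the class and method names are made up.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

// Standalone sketch (not the git plugin's code) of the check discussed above:
// the FIPS flag is passed in, and the result is an error string or null when OK.
public final class FipsRemoteCheck {

    // Transports that carry git traffic without TLS protection.
    private static boolean isPlaintextTransport(String scheme) {
        return "http".equals(scheme) || "git".equals(scheme);
    }

    // skipTlsVerify mirrors http.sslVerify=false / GIT_SSL_NO_VERIFY;
    // fipsMode is whatever Jenkins core reports for the controller.
    public static String checkRemote(String remote, boolean skipTlsVerify, boolean fipsMode) {
        if (remote == null || remote.trim().isEmpty()) {
            return "Remote URL is required";
        }
        if (!fipsMode) {
            return null; // behaviour outside FIPS mode is unchanged
        }
        if (skipTlsVerify) {
            return "FIPS mode: skipping TLS certificate verification is not allowed";
        }
        String scheme = schemeOf(remote.trim());
        if (scheme != null && isPlaintextTransport(scheme)) {
            return "FIPS mode: remote must use https://, not " + scheme + "://";
        }
        return null; // https://, ssh://, or scp-like user@host:path
    }

    // Lower-cased URI scheme; null for scp-like "git@host:path" remotes,
    // which java.net.URI rejects because '@' is not legal in a scheme.
    static String schemeOf(String remote) {
        try {
            String s = new URI(remote).getScheme();
            return s == null ? null : s.toLowerCase(Locale.ROOT);
        } catch (URISyntaxException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        System.out.println(checkRemote("https://example.test/repo.git", false, true));
        System.out.println(checkRemote("http://example.test/repo.git", false, true));
        System.out.println(checkRemote("https://example.test/repo.git", true, true));
        System.out.println(checkRemote("git@example.test:repo.git", false, true));
    }
}
```

The same predicate can back both UserRemoteConfig$DescriptorImpl#doCheckUrl and a GitSCMSource check, wrapping a non-null result in FormValidation.error.
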
          Olivier Lamy made changes
          Remote Link - New: This issue links to "PR (Web Link)" [ 29834 ]
          Pedro Bueno made changes
          Status - Original: Open [ 1 ]; New: In Progress [ 3 ]
          Mark Waite made changes
          Resolution - New: Fixed [ 1 ]
          Status - Original: In Progress [ 3 ]; New: Fixed but Unreleased [ 10203 ]
          Mark Waite made changes
          Released As - New: https://github.com/jenkinsci/git-plugin/releases/tag/git-5.3.0
          Status - Original: Fixed but Unreleased [ 10203 ]; New: Resolved [ 5 ]
