Wadeck / sample-repo-plugin

Sample repository of a Jenkins plugin to be tested with CodeQL
MIT License

sdf #5

Open Wadeck opened 1 year ago

Wadeck commented 1 year ago

Repository URL

https://github.com/Wadeck/sample-repo-plugin/

New Repository Name

asdgasdf

jenkins-cert-app commented 1 year ago

Security audit, information and commands

The security team is auditing all the hosting requests, to ensure a better security by default.

This message informs you that a security scan was triggered on your repository. It takes ~10 minutes to complete.

Commands

The bot will parse all comments, and it will check if any line starts with a command.

Security team only:
  • /audit-ok => the audit is complete, the hosting can continue :tada:.
  • /audit-skip => the audit is not necessary, the hosting can continue :tada:.
  • /audit-required => the superficial audit was not sufficient, a deeper look is necessary :mag:.
  • /audit-findings => the audit reveals some issues that require corrections :pencil2:.
Anyone:
  • /request-security-scan => the findings from the security scan were corrected, this command will re-scan your repository :mag:.
  • /audit-review => the findings from the audits were corrected, this command will ping the security team to review the findings :eyes:. It's only applicable when the previous audit required changes.
Only one command can be requested per comment.

(automatically generated message, version: dev)

jenkins-cert-app commented 1 year ago

The CodeQL Scan discovered 10 finding(s) :mag:. For each of them, either apply the recommended correction, suppress the warning or provide a justification.

Once you're done, either re-run the scan with /request-security-scan or request the Security team to review your justifications with /audit-review.

Stapler: Missing POST/RequirePOST annotation

You can find detailed information about this finding here.

  • SampleBuildStep.java#125: `Potential CSRF vulnerability: If DescriptorImpl#doCheckGlobalMessageToDisplay9_onlySupportedInComment connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST`
  • SampleBuildStep.java#109: `Potential CSRF vulnerability: If DescriptorImpl#doCheckGlobalMessageToDisplay7_onlySupportedInComment connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST`
  • SampleBuildStep.java#101: `Potential CSRF vulnerability: If DescriptorImpl#doCheckGlobalMessageToDisplay6_notAfter connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST`
  • SampleBuildStep.java#85: `Potential CSRF vulnerability: If DescriptorImpl#doCheckGlobalMessageToDisplay4_noSuppressions connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST`

Stapler: Missing permission check

You can find detailed information about this finding here.

  • SampleBuildStep.java#125: `Potential missing permission check in DescriptorImpl#doCheckGlobalMessageToDisplay9_onlySupportedInComment`
  • SampleBuildStep.java#109: `Potential missing permission check in DescriptorImpl#doCheckGlobalMessageToDisplay7_onlySupportedInComment`
  • SampleBuildStep.java#85: `Potential missing permission check in DescriptorImpl#doCheckGlobalMessageToDisplay4_noSuppressions`
  • SampleBuildStep.java#78: `Potential missing permission check in DescriptorImpl#doCheckGlobalMessageToDisplay3_notBefore`
  • SampleBuildStep.java#69: `Potential missing permission check in DescriptorImpl#doCheckGlobalMessageToDisplay2_ok`
  • SampleBuildStep.java#61: `Potential missing permission check in DescriptorImpl#doCheckGlobalMessageToDisplay1_notBefore`

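
Both CodeQL findings above (missing `@POST`/`@RequirePOST` and missing permission check) target the same pattern: a Stapler `doCheckXxx` form-validation method that is reachable over GET by any caller. The following is an added example, not code from sample-repo-plugin or from the bot; `ExampleBuildStepDescriptor`, `doCheckMessage` and `validateMessage` are hypothetical names, and the Jenkins/Stapler APIs used (`@POST`, `@AncestorInPath`, `Item.checkPermission`, `Jenkins.get().checkPermission`) are the standard ones a plugin would use to fix these findings.

```java
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

// Hypothetical descriptor (not from sample-repo-plugin) showing a form-validation
// method as CodeQL would flag it, and the same method hardened.
@Extension
public class ExampleBuildStepDescriptor extends BuildStepDescriptor<Builder> {
    // BEFORE: reachable with a plain GET and never authorises the caller, so both
    // queries above ("Missing POST/RequirePOST" and "Missing permission check") fire.
    public FormValidation doCheckMessageUnsafe(@QueryParameter String value) {
        return validateMessage(value);
    }

    // AFTER: @POST rejects GET requests (so Jenkins' CSRF crumb check applies) and the
    // caller must be allowed to configure the job; when the form is global (item == null),
    // administrator rights are required instead.
    @POST
    public FormValidation doCheckMessage(@AncestorInPath Item item, @QueryParameter String value) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        return validateMessage(value);
    }

    // The validation itself, kept separate so the security wrapper stays easy to audit.
    static FormValidation validateMessage(String value) {
        if (value == null || value.trim().isEmpty()) {
            return FormValidation.error("Message must not be empty");
        }
        if (value.length() > 200) {
            return FormValidation.warning("Long messages are truncated in the build log");
        }
        return FormValidation.ok();
    }

    @Override
    public boolean isApplicable(Class<? extends AbstractProject> jobType) {
        return true;
    }
}
```

The matching Jelly form field must submit the check via POST (for example with `checkMethod="post"` on the `f:textbox`), otherwise the browser-side validation call will be rejected by the `@POST` annotation.
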
Wadeck commented 1 year ago

/audit-findings

Wadeck commented 1 year ago

/audit-review

Wadeck commented 1 year ago

/audit-skip