Open uhafner opened 3 months ago
The check 'Stapler: Missing permission check' creates false positives if the permission check is hidden in a facade.
Example (https://github.com/jenkinsci/prism-api-plugin/security/code-scanning/7):
It would be helpful if the check could be improved.
Is there a way to disable some of the rules in the configuration file in the meantime? I get a lot of these false positives in all my plugins...

> hidden in a facade

That wouldn't be a problem. The problem is that it doesn't look at the code of dependencies, and since the actual permission check is in plugin-util-api, that isn't visible to the scanner.

> It would be helpful if the check could be improved.

CodeQL cannot identify the actual permission check, so… suggestions welcome. I'd rather not go with method name matching or similar hacks.

> Is there a way to disable some of the rules in the configuration file in the meantime?

I think you could change https://github.com/jenkins-infra/jenkins-security-scan/blob/187851c1b2401848d69015680c62b48160f7bce1/.github/workflows/jenkins-security-scan.yaml#L43-L45 to specify the rules you want to use based on https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs#specifying-which-queries-to-run-in-a-codeql-pack. I don't think you can exclude individual queries though, so this comes with quite a maintenance burden. Applying suppressions seems easier.

> hidden in a facade
>
> That wouldn't be a problem. The problem is that it doesn't look at the code of dependencies, and since the actual permission check is in plugin-util-api, that isn't visible to the scanner.

I see, then I will stay with my permission tests that utilize ArchUnit. This framework works on the byte code including all dependencies.
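The two points raised in this thread, a permission check that sits behind a facade in a dependency (the issue body) and an ArchUnit rule that verifies the check on byte code including that dependency (the last reply), as one added example. This is not code from the issue, from the Jenkins security scan or from plugin-util-api; the facade class `PermissionFacade`, the endpoint class `ToolDescriptor`, the package `io.example` and the test method are all hypothetical, and the rule intentionally checks the call target's owning class rather than only the method name.

```java
import com.tngtech.archunit.core.domain.JavaClasses;
import com.tngtech.archunit.core.domain.JavaMethod;
import com.tngtech.archunit.core.importer.ClassFileImporter;
import com.tngtech.archunit.lang.ArchCondition;
import com.tngtech.archunit.lang.ArchRule;
import com.tngtech.archunit.lang.ConditionEvents;
import com.tngtech.archunit.lang.SimpleConditionEvent;
import hudson.security.Permission;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.junit.jupiter.api.Test;

import static com.tngtech.archunit.lang.syntax.ArchRuleDefinition.methods;

/**
 * Added example, not code from the issue, the scanner or plugin-util-api.
 * All class names below are hypothetical.
 */
class PermissionCheckArchitectureTest {

    /**
     * Hypothetical facade standing in for a helper in a dependency such as plugin-util-api.
     * The real call to Jenkins#checkPermission is one level deeper than the plugin's own
     * source, which is why a source-level scan of the plugin alone cannot see it.
     */
    static final class PermissionFacade {
        void checkPermission(final Permission permission) {
            Jenkins.get().checkPermission(permission);
        }
    }

    /** Hypothetical Stapler form-validation endpoint that checks permissions via the facade. */
    static final class ToolDescriptor {
        private final PermissionFacade jenkins = new PermissionFacade();

        public FormValidation doCheckPattern(final String value) {
            jenkins.checkPermission(Jenkins.ADMINISTER); // present, but hidden in the facade
            return value.isEmpty() ? FormValidation.error("Pattern is required") : FormValidation.ok();
        }
    }

    /**
     * Condition: the web method must call checkPermission on either the facade or on Jenkins
     * itself. ArchUnit inspects byte code, so the call into the facade is visible even though
     * the facade's own body lives in a dependency jar.
     */
    private static final ArchCondition<JavaMethod> CHECK_PERMISSION =
            new ArchCondition<>("call checkPermission on the facade or on Jenkins") {
                @Override
                public void check(final JavaMethod method, final ConditionEvents events) {
                    boolean checks = method.getMethodCallsFromSelf().stream()
                            .anyMatch(call -> call.getTarget().getName().equals("checkPermission")
                                    && (call.getTarget().getOwner().isEquivalentTo(PermissionFacade.class)
                                        || call.getTarget().getOwner().isEquivalentTo(Jenkins.class)));
                    if (!checks) {
                        events.add(SimpleConditionEvent.violated(method,
                                method.getFullName() + " does not check permissions"));
                    }
                }
            };

    @Test
    void webMethodsMustCheckPermissions() {
        // Import the plugin's own classes together with the dependency package holding the
        // facade, so the rule sees both sides. "io.example" is a hypothetical package name.
        JavaClasses classes = new ClassFileImporter().importPackages("io.example");

        ArchRule rule = methods()
                .that().arePublic()
                .and().haveNameStartingWith("do")
                .should(CHECK_PERMISSION);

        rule.check(classes); // fails the build if any public do* method lacks the check
    }
}
```

Run this as an ordinary JUnit test in the plugin module; ArchUnit reads the compiled classes from the classpath, so the dependency that contains the facade only needs to be on the test classpath for its calls to resolve. Matching on the owning class rather than only on the method name avoids the name-matching hack the scan maintainer wanted to stay away from.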