Hosting Request for MergeBase SCA plugin

[delanAtMergebase]

Repository URL

https://github.com/mergebase/mergebase-sca

New Repository Name

mergebase-sca-plugin

Description

The MergeBase SCA plugin allows MergeBase users who are also Jenkins users to run the MergeBase tool with an automated build step.

The plugin runs the MergeBase tool and prints a report, as well as sends the report back to the MergeBase dashboard.

GitHub users to have commit permission

@delanAtMergebase @juliusmusseau

Jenkins project users to have release permission

delanAtMergebase juliusmusseau

Issue tracker

GitHub issues

[github-actions[bot]]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• :no_entry: Required: The origin repository 'https://github.com/mergebase/mergebase-sca.git' ends in .git, please remove this
• :no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: @delanAtMergebase, @juliusmusseau (reports are re-synced hourly, wait to re-check for a bit after logging in)
• :no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: @delanAtMergebase, @juliusmusseau (reports are re-synced hourly, wait to re-check for a bit after logging in)
• :no_entry: Required: Repository URL 'https://github.com/mergebase/mergebase-sca' is not a valid GitHub repository (check that you do not have .git at the end, GitHub API doesn't support this).
• :warning: Warning: No build system found (pom.xml, build.gradle)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[delanAtMergebase]

/hosting re-check

[github-actions[bot]]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• :no_entry: Required: The origin repository 'https://github.com/mergebase/mergebase-sca.git' ends in .git, please remove this
• :no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: @delanAtMergebase, @juliusmusseau (reports are re-synced hourly, wait to re-check for a bit after logging in)
• :no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: @delanAtMergebase, @juliusmusseau (reports are re-synced hourly, wait to re-check for a bit after logging in)
• :no_entry: Required: Repository URL 'https://github.com/mergebase/mergebase-sca' is not a valid GitHub repository (check that you do not have .git at the end, GitHub API doesn't support this).
• :warning: Warning: No build system found (pom.xml, build.gradle)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[delanAtMergebase]

/hosting re-check

[github-actions[bot]]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• :no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: juliusmusseau (reports are re-synced hourly, wait to re-check for a bit after logging in)
• :no_entry: Required: The 'name' field in the pom.xml should not contain "Jenkins"

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[github-actions[bot]]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• :no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: juliusmusseau (reports are re-synced hourly, wait to re-check for a bit after logging in)
• :no_entry: Required: The 'name' field in the pom.xml should not contain "Jenkins"

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[delanAtMergebase]

/hosting re-check

[github-actions[bot]]

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A human volunteer will check over things that I am not able to check for (code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

[timja]

cc @Wadeck

From a quick look over likely customToken should be of type Secret

and using f:password for UI: https://github.com/mergebase/mergebase-sca/blob/master/src/main/resources/com/mergebase/jenkins/MergebaseStepBuilder/config.jelly#L13

[Wadeck]

Yes your finding is good.

Also, I have some doubts about https://github.com/mergebase/mergebase-sca/blob/7a044e3708991feb294199a399ba2d0634c4d2fa/src/main/java/com/mergebase/jenkins/MergeBaseRun.java#L34 as the path seems to be configured at the step level, it allow attackers with Job/Configure to download tooling to the controller. Gut feeling: this should be a global config, not a per-job config.

I will file an internal ticket to cover it completely => JENSEC-1800. ℹ️ ETA perhaps a bit longer than usual as we have several other tasks in parallel.

[delanAtMergebase]

I will address these issues before you do your full review. Thanks for the initial findings!

[Kevin-CB]

Hi @delanAtMergebase.

We're able to perform a more complete audit on your plugin here are the feedback:

• Your customerToken need to be encrypted to not get serialized to disk as plain text, for that you need to declare it as a Secret. (pipeline/MergebasePipelineStep.java#L33 & jenkins/MergebaseStepBuilder.java#L33) Also you'll need to use f:password for UI in MergebaseStepBuilder/config.jelly#L14.

Moreover in jenkins/MergebaseConfig.java#L7 you're implementing a Serializable interface while it's not needed, this should be removed. (If you want to keep it you should transform customerToken into a Secret type)

Recommendation: https://www.jenkins.io/doc/developer/security/secrets/

---

• An arbitrary folder write vulnerability due to jenkins/MergeBaseRun.java#L37 You're downloading a tool to the controller and the path can be specified by a user to create folder anywhere on the controller (e.g: : ../../newFolder).

Recommendation: You should move this configuration to a global level (by admin only) or restrict it to workspace (forbidding non-relative paths).

We will let you correct the finding and ping us when you are done or if you have questions.

[delanAtMergebase]

Hi @Kevin-CB

I have addressed your feedback:

• Moved several settings to Global configuration
• Made customerToken Secret and used f:password.
• Removed Serializable from MergebaseConfig

Let me know if there's anything else. Thank you!

[Kevin-CB]

Hi @delanAtMergebase,

I was able to review and test your latest version and everything seems ok on security point of view!

We can continue the hosting process.

[timja]

I would suggest updating this file: https://github.com/mergebase/mergebase-sca/blob/master/src/main/resources/index.jelly#L3

It will be displayed in the Plugin Manager in the Jenkins UI

[timja]

/hosting re-check

[github-actions[bot]]

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A human volunteer will check over things that I am not able to check for (code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

[timja]

/hosting host

[jenkins-infra-bot]

Hosting request complete, the code has been forked into the jenkinsci project on GitHub as https://github.com/jenkinsci/mergebase-sca-plugin

GitHub issues has been selected for issue tracking and was enabled for the forked repo.

A pull request has been created against the repository permissions updater to setup release permissions. Additional users can be added by modifying the created file.

Please remove your original repository (if there are no other forks) so that the jenkinsci organization repository is the definitive source for the code. If there are other forks, please contact GitHub support to make the jenkinsci repo the root of the fork network (mention that Jenkins approval was given in support request 569994). Also, please make sure you properly follow the documentation on documenting your plugin so that your plugin is correctly documented.

You will also need to do the following in order to push changes and release your plugin:

• Accept the invitation to the Jenkins CI Org on Github
• Add additional users for upload permissions, if needed
• Releasing your plugin

In order for your plugin to be built by the Jenkins CI Infrastructure and check pull requests, please add a Jenkinsfile to the root of your repository with the following content: buildPlugin()

Welcome aboard!