Closed hdhaygude closed 1 year ago
Security audit, information and commands
The security team is auditing all the hosting requests, to ensure better security by default. This message informs you that the security team was notified about the request and will soon participate in this issue to assist. The team usually starts with a quick superficial audit and, if it is not sufficient, plans a deeper audit.
- /audit-ok => the audit is complete, the hosting can continue :tada:.
- /audit-skip => the audit is not necessary, the hosting can continue :tada:.
- /audit-required => the superficial audit was not sufficient, a deeper look is necessary :mag:.
- /audit-findings => the audit reveals some issues that require corrections :pencil2:.
- /audit-review => the findings from the audits were corrected, this command will ping the security team to review the findings :eyes:. It's only applicable when the previous audit required changes.
(automatically generated message)
Hello from your friendly Jenkins Hosting Checker
It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.
- qualys-iac-scan is incorrect, it should be qualys-iac-security ('New Repository Name' field with "-plugin" removed)
You can re-trigger a check by editing your hosting request or by commenting /hosting re-check
Jenkins CERT will have a deeper look, tracked internally as JENSEC-1910.
/audit-required
Hi @hdhaygude,
Please address these issues and let me know when you're done, so I can have another look. In case of questions regarding findings feel free to ask.
/audit-findings
Hello from your friendly Jenkins Hosting Checker
It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.
You can re-trigger a check by editing your hosting request or by commenting /hosting re-check
Hey @hdhaygude,
a few things I'd like to highlight additionally to the security review:
- ~~https://github.com/QIntegration/qualys-iac-security-plugin/blob/7a715dbaf4bf9698ba6d6bea58a84c2c7e0d6f71/pom.xml#L16 remove the description block and add it to the index.jelly: https://github.com/QIntegration/qualys-iac-security-plugin/blob/master/src/main/resources/index.jelly. That is displayed at the update center~~
- https://github.com/QIntegration/qualys-iac-security-plugin/blob/7a715dbaf4bf9698ba6d6bea58a84c2c7e0d6f71/pom.xml#L36 can be removed
- https://github.com/QIntegration/qualys-iac-security-plugin/blob/7a715dbaf4bf9698ba6d6bea58a84c2c7e0d6f71/pom.xml#L39 should be removed. Please address spotbugs issues or put local suppressors for false positives in place.
- https://github.com/QIntegration/qualys-iac-security-plugin/blob/7a715dbaf4bf9698ba6d6bea58a84c2c7e0d6f71/pom.xml#L54 Instead of depending on commons-lang3 directly, please specify the corresponding Jenkins plugin: https://plugins.jenkins.io/commons-lang3-api/#dependencies
- https://github.com/QIntegration/qualys-iac-security-plugin/blob/7a715dbaf4bf9698ba6d6bea58a84c2c7e0d6f71/pom.xml#L59 same applies to databind: Please depend on the api plugin instead: https://plugins.jenkins.io/jackson2-api/#dependencies
- https://github.com/QIntegration/qualys-iac-security-plugin/blob/7a715dbaf4bf9698ba6d6bea58a84c2c7e0d6f71/pom.xml#L32 Your plugin uses the GNU GPL v3 license. Remove these properties and add a license block according to https://maven.apache.org/pom.html#Licenses
- https://github.com/QIntegration/qualys-iac-security-plugin/blob/master/Jenkinsfile See my point with spotbugs above, you can use buildPlugin(useContainerAgent: true) only.
- https://github.com/QIntegration/qualys-iac-security-plugin/blob/00e51727beec50030dd177ab24adfc2b481fe07d/pom.xml#L5-L16 is obsolete and can be removed
- https://github.com/QIntegration/qualys-iac-security-plugin/blob/00e51727beec50030dd177ab24adfc2b481fe07d/pom.xml#L41-L44 is obsolete and can be removed.
- https://github.com/QIntegration/qualys-iac-security-plugin/blob/d7b027294136e76a67b13c01b06987a28e05d48a/pom.xml#L11 Please use io.jenkins.plugins and do so respectively in imports and package names. That's the recommended package for new plugins.
few comments on the plugin configuration:
/hosting re-check
Hi @yaroslavafenkin
Hi @hdhaygude,
element.innerText to append unsafe content). You could also maybe somehow escape unsafe content so it doesn't contain unescaped HTML, but I can't tell whether that will work for you without looking deeper.
Hi All, @NotMyFault @yaroslavafenkin @alecharp I have done the changes suggested by you, please check this pull request and give approval. https://github.com/QIntegration/qualys-iac-security-plugin/pull/1/files
I've crossed out points on alecharp's and my list that you've addressed, and left open what is to address still.
@NotMyFault currently the Ionic icons are not displaying on the jelly page, that is what remains; after approval I will merge to master.
@hdhaygude, I've also crossed out the points that are addressed on my list.
Hi @yaroslavafenkin
Hi @NotMyFault
@yaroslavafenkin, @NotMyFault cross out points if they are done.
I've had another look, none of the issues are addressed.
Zip slip is currently (as of https://github.com/QIntegration/qualys-iac-security-plugin/tree/c44bfb489cae1df02738b38e069df9f7df2de726) partially mitigated by never extracting content of zip archive. This will always be false, because you're creating a directory before the method is called here. I expect you'd want to fix that. Otherwise I don't see any signs that extraction of archive contents outside of target directory is prevented.
Also if that helps for XSS I'm using https://github.com/yaroslavafenkin/qualys-iac-sec-mock to mock responses from qualys server.
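The containment check the reviewer is asking for, as an added example that is not the plugin's own code: every entry name is resolved against the target directory and normalized before anything is written, so names like `../../x` or absolute paths are rejected, instead of relying on whether the target directory already exists. Class and method names are assumptions.

```java
// Added example (not the plugin's code): extracting a zip archive while
// rejecting entries that would land outside the target directory (zip slip).
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.Enumeration;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

public final class SafeUnzip {

    /** Resolves an entry name against targetDir and rejects anything that escapes it. */
    static Path resolveEntry(Path targetDir, String entryName) throws IOException {
        Path root = targetDir.toAbsolutePath().normalize();
        // normalize() collapses "a/../../b" so the prefix comparison sees the real target;
        // an absolute entry name resolves to itself and therefore fails startsWith(root).
        Path resolved = root.resolve(entryName).normalize();
        if (!resolved.startsWith(root)) {
            throw new IOException("Zip entry outside target directory: " + entryName);
        }
        return resolved;
    }

    /** Extracts archive into targetDir; every entry goes through resolveEntry first. */
    public static void extract(File archive, Path targetDir) throws IOException {
        Files.createDirectories(targetDir);
        try (ZipFile zip = new ZipFile(archive)) {
            Enumeration<? extends ZipEntry> entries = zip.entries();
            while (entries.hasMoreElements()) {
                ZipEntry entry = entries.nextElement();
                Path dest = resolveEntry(targetDir, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(dest);
                    continue;
                }
                Files.createDirectories(dest.getParent());
                try (InputStream in = zip.getInputStream(entry)) {
                    Files.copy(in, dest, StandardCopyOption.REPLACE_EXISTING);
                }
            }
        }
    }
}
```

Path.startsWith compares whole path components, so a target of `/tmp/out` does not accidentally accept `/tmp/outside/x`.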
@yaroslavafenkin
Zip slip seems to be correctly addressed now.
https://github.com/QIntegration/qualys-iac-security-plugin/blob/3508f9cfe561de94de39ab44dbc27e74fe374753/src/main/java/io/qualys/iac/jenkins/TemplateScanBuilder.java#L317 still missing a permission check. Also it seems wrong that method takes absolute path and returns information whether files or folders exist in the file system. Consider limiting it to workspace only.
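An added example (not the plugin's code) of the shape the reviewer describes for that endpoint: the permission check runs before anything touches the file system, absolute and parent-directory paths are rejected, and existence is checked only relative to the job's workspace. The class, method and parameter names are assumptions; in a real plugin this method would sit on the step's Descriptor.

```java
// Added example (not the plugin's code): a form-validation endpoint that checks
// permission first and only answers questions about the job's own workspace.
import hudson.FilePath;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.util.FormValidation;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

public class WorkspacePathCheck {

    /** Returns null when value is a safe workspace-relative path, otherwise the reason to reject it. */
    static String rejectReason(String value) {
        if (value == null || value.trim().isEmpty()) {
            return "Path is required";
        }
        String v = value.replace('\\', '/');
        // Absolute paths (POSIX or Windows drive letter) would let the caller probe the whole file system.
        if (v.startsWith("/") || v.matches("^[A-Za-z]:/.*")) {
            return "Absolute paths are not allowed";
        }
        for (String part : v.split("/")) {
            if (part.equals("..")) {
                return "Parent directory references are not allowed";
            }
        }
        return null;
    }

    @POST
    public FormValidation doCheckPath(@AncestorInPath AbstractProject<?, ?> project,
                                      @QueryParameter String value) throws Exception {
        if (project == null) {
            return FormValidation.ok(); // no job context, nothing to inspect
        }
        project.checkPermission(Item.CONFIGURE); // before any file system access
        String reason = rejectReason(value);
        if (reason != null) {
            return FormValidation.error(reason);
        }
        FilePath workspace = project.getSomeWorkspace();
        if (workspace == null) {
            return FormValidation.warning("No workspace yet; cannot verify the path");
        }
        return workspace.child(value).exists()
                ? FormValidation.ok()
                : FormValidation.warning("Path does not exist in the workspace");
    }
}
```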
Hi @yaroslavafenkin
Permission checks are fine now.
XSS is still to be addressed. If you need more details about reproduction steps please let me know.
@yaroslavafenkin
@yaroslavafenkin please approve XSS fix and cross out XSS point
/audit-review
Patience is key.
Had another look, seems fine now, cannot reproduce XSS anymore.
/audit-ok
/hosting re-check
The open findings from https://github.com/jenkins-infra/repository-permissions-updater/issues/2931#issuecomment-1318380597 are still to address, like the open findings by the hosting bot.
Hello from your friendly Jenkins Hosting Checker
It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.
- <jenkins.version>2.358</jenkins.version> to at least 2.361.4 in your pom.xml. Take a look at the baseline recommendations.
- <scm> block in your pom.xml. See https://maven.apache.org/pom.html#SCM for more information.
You can re-trigger a check by editing your hosting request or by commenting /hosting re-check
/hosting re-check
Hello from your friendly Jenkins Hosting Checker
It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.
- <jenkins.version>2.361</jenkins.version> to at least 2.361.4 in your pom.xml. Take a look at the baseline recommendations.
- <scm> block in your pom.xml. See https://maven.apache.org/pom.html#SCM for more information.
You can re-trigger a check by editing your hosting request or by commenting /hosting re-check
/hosting re-check
/hosting re-check
Repository URL: https://github.com/QIntegration/qualys-iac-security-plugin
New Repository Name: qualys-iac-security-plugin
Description: The Qualys IaC Security plugin will scan repository files and find any misconfiguration in them. It also suggests remediation for those misconfigurations. After scanning is done it generates a report in HTML format.
GitHub users to have commit permission: @pmgupte @hdhaygude
Jenkins project users to have release permission: qualys
Issue tracker: GitHub issues