jenkins-infra / repository-permissions-updater

Artifactory permissions synchronization tool and data set

Plugin proposal: DevOps Portal #3097

Closed rbello closed 1 year ago

rbello commented 1 year ago

Repository URL

https://github.com/rbello/jenkins-plugin-devops-portal

New Repository Name

devops-portal-plugin

Description

Bring together all the information about the build and run of your applications into a single dashboard.

GitHub users to have commit permission

@rbello

Jenkins project users to have release permission

rbello

Issue tracker

GitHub issues

jenkins-cert-app commented 1 year ago

Security audit, information and commands

The security team is auditing all the hosting requests, to ensure better security by default. This message informs you that the security team was notified about the request and will soon participate in this issue to assist. The team usually starts with a quick superficial audit and, if that is not sufficient, plans a deeper audit.

Commands Security team only:
  • /audit-ok => the audit is complete, the hosting can continue :tada:.
  • /audit-skip => the audit is not necessary, the hosting can continue :tada:.
  • /audit-required => the superficial audit was not sufficient, a deeper look is necessary :mag:.
  • /audit-findings => the audit reveals some issues that require corrections :pencil2:.
Anyone:
  • /audit-review => the findings from the audits were corrected, this command will ping the security team to review the findings :eyes:. It's only applicable when the previous audit required changes.
Only one command can be requested per comment.

(automatically generated message)

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

rbello commented 1 year ago

/hosting re-check

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

rbello commented 1 year ago

/hosting re-check

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A human volunteer will check over things that I am not able to check for (code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

Kevin-CB commented 1 year ago

We're doing a security audit on your plugin, tracked internally as JENSEC-1938.

rbello commented 1 year ago

Hello @Kevin-CB, I prepared a new branch where I updated the minimum Java version to 11 and the parent project version to 4.54. I don't want to merge it right now because you are auditing the main branch. But if you don't mind, I can do the merge.

Kevin-CB commented 1 year ago

Hello @rbello, we were able to perform a complete audit on your plugin, and here is our feedback:

I will let you correct the different findings and ping us when you are done or if you have questions.

Kevin-CB commented 1 year ago

/audit-findings

rbello commented 1 year ago

Thank you @Kevin-CB and the team for your very interesting feedback.

  1. projectKey sensitivity: I don't think this information can be considered sensitive. This is typically the artifactId prefixed with the groupId.

  2. XSS vulnerabilities / passing values to JavaScript: ok, fixed using data-* attributes

  3. XSS vulnerabilities / restrict href protocol: ok, fixed in ArtifactReleaseActivity::isUrlPresent

  4. CSRF / missing crumb:

  5. SSL/TLS validation must be enabled by default: ok fixed, added parameter to enable insecure mode (false by default)

  6. Dependencies with known vulnerabilities: all vulnerabilities come from the same dependency (org.sonarsource.sonarqube:sonar-ws) but I use the latest version (9.8.0.63668)

/audit-review
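One way to implement the href protocol restriction from finding 3 above. This is example code added here, not the plugin's own ArtifactReleaseActivity::isUrlPresent; the class and method names are assumed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/**
 * Added example, not code from the devops-portal plugin: the kind of href
 * protocol allowlist the audit's finding 3 asks for. A user-supplied URL is
 * rendered as a link only if it is an absolute http(s) URL.
 */
public final class SafeLinks {

    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    private SafeLinks() {}

    /** True only for absolute http/https URLs that name a host. */
    public static boolean isSafeHttpUrl(String value) {
        if (value == null || value.isBlank()) {
            return false;
        }
        final URI uri;
        try {
            uri = new URI(value.trim());
        } catch (URISyntaxException e) {
            return false; // unparseable: never emitted as an href
        }
        String scheme = uri.getScheme();
        if (scheme == null) {
            return false; // relative and scheme-relative ("//evil.example") rejected
        }
        // Lower-case before comparing so "JAVASCRIPT:" cannot slip past the list.
        return ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))
                && uri.getHost() != null;
    }

    public static void main(String[] args) {
        // Constructed sample inputs (not values from the plugin or the audit).
        String[] samples = {
            "https://sonar.example.org/dashboard?id=com.example%3Aapp",
            "javascript:alert(document.cookie)", "JAVASCRIPT:alert(1)",
            "data:text/html;base64,PHNjcmlwdD4=", "//evil.example/phish",
            "not a url at all", ""
        };
        for (String s : samples) {
            System.out.printf("%-58s -> %s%n", s, isSafeHttpUrl(s) ? "render" : "drop");
        }
    }
}
```

The scheme check is one layer only: the accepted value still has to be attribute-escaped when it is written into the page.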

Kevin-CB commented 1 year ago

Thank you for your reactivity and your corrections, I was able to double check and everything looks good now!

I have just two little comments:

XSS vulnerabilities / restrict href protocol: ok, fixed in ArtifactReleaseActivity::isUrlPresent

/audit-ok

NotMyFault commented 1 year ago

Hey @rbello,

I have some general feedback for your hosting request:

rbello commented 1 year ago

Hi @NotMyFault, thank you for your reply. Do you have some documentation about st:adjunct?

I found this paragraph and some samples, but it seems that the includes attribute should contain a kind of package identifier and not a file path?

<st:adjunct includes="io.jenkins.plugins.prism"/>
<st:adjunct includes="io.jenkins.plugins.jquery3"/>
<st:adjunct includes="lib.form.select.select"/>

NB: in my JavaScript functions I have translated strings. Is adjunct compatible with this?

if (!confirm('${%confirm_delete_version}')) {
    return false;
}

NotMyFault commented 1 year ago

Do you have some documentation about st:adjunct?

See here: https://www.jenkins.io/doc/developer/security/csp/#inline-javascript-blocks

rbello commented 1 year ago

Hi @NotMyFault,

[ERROR] Rule 5: org.apache.maven.plugins.enforcer.RequireUpperBoundDeps failed with message:
Failed while enforcing RequireUpperBoundDeps. The error(s) are [
Require upper bound dependencies error for org.jetbrains.kotlin:kotlin-stdlib-common:1.5.31 paths to dependency are:
+-io.jenkins.plugins:devops-portal:1.0
  +-org.sonarsource.sonarqube:sonar-ws:9.8.0.63668
    +-com.squareup.okhttp3:okhttp:4.10.0
      +-com.squareup.okio:okio-jvm:3.0.0
        +-org.jetbrains.kotlin:kotlin-stdlib-common:1.5.31
and
+-io.jenkins.plugins:devops-portal:1.0
  +-org.sonarsource.sonarqube:sonar-ws:9.8.0.63668
    +-com.squareup.okhttp3:okhttp:4.10.0
      +-org.jetbrains.kotlin:kotlin-stdlib:1.6.20
        +-org.jetbrains.kotlin:kotlin-stdlib-common:1.6.20
]

There is one recommendation that I plan to implement in a future version if you agree:

NotMyFault commented 1 year ago
  • I have to keep the import of the kotlin-stdlib-common library because otherwise I encounter a validation problem:

If you just need the kotlin library to satisfy enforcer and don't depend on it, you may exclude it:

diff --git a/pom.xml b/pom.xml
index f2d3f11..6eccf09 100644
--- a/pom.xml
+++ b/pom.xml
@@ -113,15 +113,16 @@
             <artifactId>apache-httpcomponents-client-4-api</artifactId>
         </dependency>
         <!-- Sonar Connector -->
-        <dependency>
-            <groupId>org.jetbrains.kotlin</groupId>
-            <artifactId>kotlin-stdlib-common</artifactId>
-            <version>1.8.0</version>
-        </dependency>
         <dependency>
             <groupId>org.sonarsource.sonarqube</groupId>
             <artifactId>sonar-ws</artifactId>
             <version>9.8.0.63668</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.jetbrains.kotlin</groupId>
+                    <artifactId>kotlin-stdlib-common</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
     </dependencies>
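Review bot: the exclusion added under sonar-ws removes kotlin-stdlib-common from the runtime classpath altogether, not only from the enforcer's view, so it is only safe if nothing reached through okhttp, okio-jvm or kotlin-stdlib loads classes from that artifact at runtime. The enforcer output earlier in the thread shows both conflicting paths (1.5.31 via okio-jvm, 1.6.20 via kotlin-stdlib) sit under sonar-ws, so a single exclusion there does cover both; if the plugin's SonarQube calls fail after the change, the alternative that keeps the artifact is to pin the higher version in <dependencyManagement> instead of excluding it. Also worth confirming that the removed direct dependency on `<artifactId>kotlin-stdlib-common</artifactId>` at `<version>1.8.0</version>` was only there to satisfy the enforcer, since the hunk drops it outright.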

There is one recommendation that I plan to implement in a future version if you agree:

Fine with me, I just wrote it down to raise awareness.

Is the sonarqube dependency only needed for tests? If so, I would recommend declaring it that way because the hpi file is 10M, rather than ~300K without sonarqube.

rbello commented 1 year ago

Ok I have fixed the pom.xml

No it's not a test dependency unfortunately. I will consider getting rid of it later.

NotMyFault commented 1 year ago

No it's not a test dependency unfortunately. I will consider getting rid of it later.

I see, thanks for considering. 10M to ~300K is a notable difference :)

rbello commented 1 year ago

@NotMyFault Done

NotMyFault commented 1 year ago

/hosting host

jenkins-infra-bot commented 1 year ago

Hosting request complete, the code has been forked into the jenkinsci project on GitHub as https://github.com/jenkinsci/devops-portal-plugin

GitHub issues has been selected for issue tracking and was enabled for the forked repo.

A pull request has been created against the repository permissions updater to setup release permissions. Additional users can be added by modifying the created file.

Please delete your original repository (if there are no other forks), under 'Danger Zone', so that the jenkinsci organization repository is the definitive source for the code. If there are other forks, please contact GitHub support to make the jenkinsci repo the root of the fork network (mention that Jenkins approval was given in support request 569994). Also, please make sure you properly follow the documentation on documenting your plugin so that your plugin is correctly documented.

You will also need to do the following in order to push changes and release your plugin:

In order for your plugin to be built by the Jenkins CI Infrastructure and check pull requests, please add a Jenkinsfile to the root of your repository with the following content: buildPlugin(useContainerAgent: true, jdkVersions: [8, 11])

Welcome aboard!