Closed itfsw closed 1 year ago
Security audit, information and commands
The security team is auditing all the hosting requests, to ensure a better security by default.
This message informs you that a security scan was triggered on your repository. It takes ~10 minutes to complete.
/audit-ok => the audit is complete, the hosting can continue :tada:.
/audit-skip => the audit is not necessary, the hosting can continue :tada:.
/audit-required => the superficial audit was not sufficient, a deeper look is necessary :mag:.
/audit-findings => the audit reveals some issues that require corrections :pencil2:.
/request-security-scan => the findings from the security scan were corrected, this command will re-scan your repository :mag:.
/audit-review => the findings from the audits were corrected, this command will ping the security team to review the findings :eyes:. It's only applicable when the previous audit required changes.
(automatically generated message)
Hello from your friendly Jenkins Hosting Checker
It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.
<jenkins.version>2.328</jenkins.version> to at least 2.361.4 in your pom.xml. Take a look at the baseline recommendations.
<connection> tag in your <scm> block in your pom.xml. You can use this sample: <connection>scm:git:https://github.com/jenkinsci/${project.artifactId}-plugin.git</connection>
<developerConnection> tag in your <developerConnection>scm:git:https://github.com/jenkinsci/${project.artifactId}-plugin</developerConnection>
You can re-trigger a check by editing your hosting request or by commenting /hosting re-check
For a brand new plugin, https://github.com/itfsw/remote-result-trigger-plugin/blob/4d2abe990706536ca6deec12eed627858439ac00/pom.xml#L12-L14 is an indicator of a bad copy & paste from elsewhere. I suggest you go with a more recent core, and remove the compatibleSince.
https://github.com/itfsw/remote-result-trigger-plugin/blob/4d2abe990706536ca6deec12eed627858439ac00/pom.xml#L58-L78 I recommend you look into using https://github.com/jenkinsci/bom.
The CodeQL Scan discovered 5 finding(s) :mag:. For each of them, either apply the recommended correction, suppress the warning or provide a justification.
Once you're done, either re-run the scan with /request-security-scan or request the Security team to review your justifications with /audit-review.
You can find detailed information about this finding here.
You can find detailed information about this finding here.
You can find detailed information about this finding here.
You can find detailed information about this finding here.
You can find detailed information about this finding here.
/hosting re-check
Hello from your friendly Jenkins Hosting Checker
It looks like you have everything in order for your hosting request. A human volunteer will check over things that I am not able to check for (code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.
Hosting team members can host this request with /hosting host
/request-security-scan
/audit-review
The CodeQL Scan discovered 5 finding(s) :mag:. For each of them, either apply the recommended correction, suppress the warning or provide a justification.
Once you're done, either re-run the scan with /request-security-scan or request the Security team to review your justifications with /audit-review.
You can find detailed information about this finding here.
You can find detailed information about this finding here.
You can find detailed information about this finding here.
You can find detailed information about this finding here.
You can find detailed information about this finding here.
/request-security-scan
@Wadeck Your bot -1's me :(
Is there a chance to react with "+1" when requesting a re-run?
The CodeQL Scan did not find anything dangerous with your plugin, congratulations! :tada:
@NotMyFault the -1 is because the "status" was not expected. I need to check what happened, there were lot of commands there :) (the -1 was on the audit-review not the re-run of the scan)
Hey @itfsw,
I took a general look over your hosting request and have a few recommendations:
io.jenkins.plugins. Please adjust it and move your packages to io.jenkins.plugins too: https://github.com/itfsw/remote-result-trigger-plugin/tree/main/src/main/java/com/itfsw/
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>io.jenkins.tools.bom</groupId>
      <artifactId>bom-2.361.x</artifactId>
      <version>1798.vc671fe94856f</version>
      <scope>import</scope>
      <type>pom</type>
    </dependency>
  </dependencies>
</dependencyManagement>
Followed by that, you can remove the <version> block from credentials, jackson2-api and okhttp-api.
.mvn/extensions.xml file with the following content: https://github.com/jenkinsci/git-plugin/blob/master/.mvn/extensions.xml
.mvn/maven.config file with the following content: https://github.com/jenkinsci/git-plugin/blob/master/.mvn/maven.config
.github/workflows/release-drafter.yml file with the following content: https://github.com/jenkinsci/git-plugin/blob/master/.github/workflows/release-drafter.yml. Replace master with main.
.github/release-drafter.yml file with the following content: https://github.com/jenkinsci/git-plugin/blob/master/.github/release-drafter.yml. Replace git- with the artifact id of your plugin.
.github/dependabot.yml file with the following content: https://github.com/jenkinsci/console-column-plugin/blob/master/.github/dependabot.yml
jenkinsci as repository owner.
@NotMyFault all fixed
/request-security-scan
The CodeQL Scan did not find anything dangerous with your plugin, congratulations! :tada:
https://github.com/itfsw/remote-result-trigger-plugin/blob/42a8c0f65973579a4ec06afd5c0deee2d67e26b0/src/main/java/io/jenkins/plugins/remote/result/trigger/auth2/CredentialsAuth.java#L151-L152 Only one of these is needed, they both independently accomplish that. Note that doFillCredentialsIdItems are not considered to have side effects, so a suppression here would also be fine.
https://github.com/itfsw/remote-result-trigger-plugin/blob/42a8c0f65973579a4ec06afd5c0deee2d67e26b0/src/main/java/io/jenkins/plugins/remote/result/trigger/RemoteBuildResultTrigger.java#L194 looks like an unsafe default. Unsure what use case this being Boolean covers, that looks like something added for backwards compatibility with an older release (bad copy & paste again?). Should be easier with a boolean and defaulting to not trust.
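Added illustration of the pattern raised in the comment above (not the plugin's own code; class and field names are hypothetical): a nullable Boolean trust flag whose missing value from an older config is coerced into "trust", beside the primitive boolean form that defaults to not trusting when the field is absent.

```java
// Hypothetical illustration, not code from the plugin. Jenkins persists job
// configuration as XML via XStream; a field that is absent from an older
// config file is simply left at its JVM default when the job is loaded.

// BEFORE: the wrapper type gives "missing" (null) a third state, and the
// getter turns that state into "trust". Every job saved before the field
// existed silently skips certificate verification.
class BeforeTrigger {
    private Boolean trustAllCertificates;   // null for configs saved before the field existed

    boolean isTrustAllCertificates() {
        // null is coerced to true: this is the unsafe default
        return trustAllCertificates == null || trustAllCertificates;
    }
}

// AFTER: a primitive boolean has no null state. A field missing from old XML
// deserializes to false, so pre-existing jobs default to verifying the
// certificate; only a job explicitly configured to trust will do so.
class AfterTrigger {
    private boolean trustAllCertificates;   // absent in old XML -> false (do not trust)

    boolean isTrustAllCertificates() {
        return trustAllCertificates;
    }

    // If an older release stored the flag under another name (hypothetical
    // "trustAll"), migrate an explicit value in readResolve(), the Jenkins
    // convention for upgrading persisted data, and treat null as "not trust".
    @Deprecated
    private Boolean trustAll;               // legacy field kept only for migration

    private Object readResolve() {
        if (trustAll != null) {
            trustAllCertificates = trustAll; // keep an explicit legacy choice
            trustAll = null;
        }
        // never infer "trust" from the absence of a value
        return this;
    }
}
```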
@daniel-beck
/request-security-scan
The CodeQL Scan discovered 2 finding(s) :mag:. For each of them, either apply the recommended correction, suppress the warning or provide a justification.
Once you're done, either re-run the scan with /request-security-scan or request the Security team to review your justifications with /audit-review.
You can find detailed information about this finding here.
You can find detailed information about this finding here.
You can find detailed information about this finding here.
/request-security-scan
The CodeQL Scan discovered 1 finding(s) :mag:. For each of them, either apply the recommended correction, suppress the warning or provide a justification.
Once you're done, either re-run the scan with /request-security-scan or request the Security team to review your justifications with /audit-review.
You can find detailed information about this finding here.
You can find detailed information about this finding here.
/request-security-scan
The CodeQL Scan did not find anything dangerous with your plugin, congratulations! :tada:
/hosting re-check
Hello from your friendly Jenkins Hosting Checker
It looks like you have everything in order for your hosting request. A human volunteer will check over things that I am not able to check for (code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.
Hosting team members can host this request with /hosting host
/request-security-scan
The CodeQL Scan did not find anything dangerous with your plugin, congratulations! :tada:
Hey @itfsw,
auth package. You probably want to see whether you can use the drop-in replacement methods.
mvn clean verify package to get a list of all failures to address.
@NotMyFault Thanks for the review, all the required fixes have been done. But I have pushed a new version to support monitoring more than one remote job. So we need a new review.
/request-security-scan
The CodeQL Scan discovered 3 finding(s) :mag:. For each of them, either apply the recommended correction, suppress the warning or provide a justification.
Once you're done, either re-run the scan with /request-security-scan or request the Security team to review your justifications with /audit-review.
You can find detailed information about this finding here.
You can find detailed information about this finding here.
/request-security-scan
The CodeQL Scan did not find anything dangerous with your plugin, congratulations! :tada:
/request-security-scan
The CodeQL Scan did not find anything dangerous with your plugin, congratulations! :tada:
Hello from your friendly Jenkins Hosting Checker
It looks like you have everything in order for your hosting request. A human volunteer will check over things that I am not able to check for (code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.
Hosting team members can host this request with /hosting host
/hosting host
Hosting request complete, the code has been forked into the jenkinsci project on GitHub as https://github.com/jenkinsci/remote-result-trigger-plugin
GitHub issues has been selected for issue tracking and was enabled for the forked repo.
A pull request has been created against the repository permissions updater to setup release permissions. Additional users can be added by modifying the created file.
Please delete your original repository (if there are no other forks), under 'Danger Zone', so that the jenkinsci organization repository is the definitive source for the code. If there are other forks, please contact GitHub support to make the jenkinsci repo the root of the fork network (mention that Jenkins approval was given in support request 569994). Also, please make sure you properly follow the documentation on documenting your plugin so that your plugin is correctly documented.
You will also need to do the following in order to push changes and release your plugin:
In order for your plugin to be built by the Jenkins CI Infrastructure and check pull requests, please add a Jenkinsfile to the root of your repository with the following content:
buildPlugin(useContainerAgent: true, jdkVersions: [8, 11])
Welcome aboard!
Repository URL
https://github.com/itfsw/remote-result-trigger-plugin
New Repository Name
remote-result-trigger-plugin
Description
Remote-Build-Result-Trigger-Plugin
A plugin for Jenkins CI that gives you the ability to monitor successful build on a remote Jenkins server.
Instructions
Enable the trigger within the "Remote Build Result Trigger" section of the build's configuration page.
When the remote server build is successful, the plugin will trigger a local build and inject the remote environment variables into the job.
GitHub users to have commit permission
@itfsw
Jenkins project users to have release permission
itfsw
Issue tracker
GitHub issues