jenkins-infra / repository-permissions-updater

Artifactory permissions synchronization tool and data set

Appdome Build-2secure plugin #3153

Closed idanhauser closed 1 year ago

idanhauser commented 1 year ago

Repository URL

https://github.com/Appdome/Jenkins_Build-2secure-plugin

New Repository Name

appdome-build-2secure-plugin

Description

Easily secure and customize your mobile apps on Jenkins using the Appdome Build-2Secure plugin. No coding or technical expertise is required. Automate the process of adding security features such as encryption, biometric authentication, and more to your mobile apps. Additionally, sign your app with your own enterprise certificate for added flexibility and control. Get the flexibility and control you need to secure and customize your mobile apps with the Appdome Build-2Secure plugin.

GitHub users to have commit permission

@idanhauser @avi112211

Jenkins project users to have release permission

idanhauser avie

Issue tracker

GitHub

jenkins-cert-app commented 1 year ago

Security audit, information and commands

The security team is auditing all the hosting requests, to ensure better security by default.

This message informs you that a security scan was triggered on your repository. It takes ~10 minutes to complete.

Commands

The bot will parse all comments, and it will check if any line starts with a command.

Security team only:
  • /audit-ok => the audit is complete, the hosting can continue :tada:.
  • /audit-skip => the audit is not necessary, the hosting can continue :tada:.
  • /audit-required => the superficial audit was not sufficient, a deeper look is necessary :mag:.
  • /audit-findings => the audit reveals some issues that require corrections :pencil2:.

Anyone:
  • /request-security-scan => the findings from the security scan were corrected, this command will re-scan your repository :mag:.
  • /audit-review => the findings from the audits were corrected, this command will ping the security team to review the findings :eyes:. It's only applicable when the previous audit required changes.

Only one command can be requested per comment.

(automatically generated message, version: 1.15.2)

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

jenkins-cert-app commented 1 year ago

The CodeQL Scan discovered 33 finding(s) :mag:. For each of them, either apply the recommended correction, suppress the warning or provide a justification.

Once you're done, either re-run the scan with /request-security-scan or request the Security team to review your justifications with /audit-review.


Stapler: Missing POST/RequirePOST annotation

You can find detailed information about this finding here.

AppdomeBuilder.java#672 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckFingerprintAutoDev connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#664 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckFingerprintPrivate connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#656 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckFingerprintAuto connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#647 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckKeyPass connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#639 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckKeystoreAlias connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#631 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckKeystoreFilePass connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#623 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckFusionSetAndroid connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#614 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckApplicationPathAndroid connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#604 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckFusionSetIos connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#595 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckApplicationPathIos connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#586 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckKeystoreP12Pass connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#578 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckTeamId connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#570 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckToken connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```

Stapler: Missing permission check

You can find detailed information about this finding here.

AppdomeBuilder.java#672 ``` Potential missing permission check in DescriptorImpl#doCheckFingerprintAutoDev ```
AppdomeBuilder.java#664 ``` Potential missing permission check in DescriptorImpl#doCheckFingerprintPrivate ```
AppdomeBuilder.java#656 ``` Potential missing permission check in DescriptorImpl#doCheckFingerprintAuto ```
AppdomeBuilder.java#647 ``` Potential missing permission check in DescriptorImpl#doCheckKeyPass ```
AppdomeBuilder.java#639 ``` Potential missing permission check in DescriptorImpl#doCheckKeystoreAlias ```
AppdomeBuilder.java#631 ``` Potential missing permission check in DescriptorImpl#doCheckKeystoreFilePass ```
AppdomeBuilder.java#623 ``` Potential missing permission check in DescriptorImpl#doCheckFusionSetAndroid ```
AppdomeBuilder.java#614 ``` Potential missing permission check in DescriptorImpl#doCheckApplicationPathAndroid ```
AppdomeBuilder.java#604 ``` Potential missing permission check in DescriptorImpl#doCheckFusionSetIos ```
AppdomeBuilder.java#595 ``` Potential missing permission check in DescriptorImpl#doCheckApplicationPathIos ```
AppdomeBuilder.java#586 ``` Potential missing permission check in DescriptorImpl#doCheckKeystoreP12Pass ```
AppdomeBuilder.java#578 ``` Potential missing permission check in DescriptorImpl#doCheckTeamId ```
AppdomeBuilder.java#570 ``` Potential missing permission check in DescriptorImpl#doCheckToken ```

Jenkins: Plaintext password storage

You can find detailed information about this finding here.

AppdomeBuilder.java#48 ``` Field should be reviewed whether it stores a password and is serialized to disk: keystoreAlias ```
AppdomeBuilder.java#47 ``` Field should be reviewed whether it stores a password and is serialized to disk: KeystoreP12Pass ```
AppdomeBuilder.java#45 ``` Field should be reviewed whether it stores a password and is serialized to disk: KeystoreFilePass ```
AppdomeBuilder.java#43 ``` Field should be reviewed whether it stores a password and is serialized to disk: keyPass ```
AutomaticSignInfo.java#28 ``` Field should be reviewed whether it stores a password and is serialized to disk: keyPass ```
AutomaticSignInfo.java#27 ``` Field should be reviewed whether it stores a password and is serialized to disk: keystoreAlias ```
AutomaticSignInfo.java#24 ``` Field should be reviewed whether it stores a password and is serialized to disk: keystorePass ```
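The three finding categories in the scan above (missing POST annotation, missing permission check, plaintext password field) are addressed by one hardening pattern for a Jenkins build-step Descriptor. The following is an added example, not the plugin's own code: the class, method and field names follow the scan output, while the validation rule inside the method (the value must not be blank) is assumed.

```java
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

public class AppdomeBuilder extends Builder {

    // Finding "Plaintext password storage": credential-like fields are kept as
    // hudson.util.Secret rather than String. Secret is encrypted when the job's
    // config.xml is serialised to disk; a String field would be written in clear.
    private final Secret token;
    private final Secret keyPass;

    @DataBoundConstructor
    public AppdomeBuilder(Secret token, Secret keyPass) {
        this.token = token;
        this.keyPass = keyPass;
    }

    // Getters return Secret so the Jelly f:password field round-trips it encrypted.
    public Secret getToken() { return token; }
    public Secret getKeyPass() { return keyPass; }

    // Decrypt only at the point of use (e.g. when invoking the build step), never
    // into a field that is persisted with the job.
    String tokenPlainText() { return Secret.toString(token); }

    @Extension
    public static class DescriptorImpl extends BuildStepDescriptor<Builder> {

        // Finding "Missing POST/RequirePOST annotation": a doCheck* form-validation
        // endpoint is reachable by GET unless annotated, so it could be triggered by a
        // crafted link (CSRF). @POST restricts it to POST requests carrying a crumb.
        //
        // Finding "Missing permission check": the endpoint otherwise runs for any
        // caller who can reach the URL. Require the permission the configuration form
        // itself needs: Item.CONFIGURE on the job in context, or ADMINISTER when the
        // method is invoked without a job (e.g. from the global configuration page).
        @POST
        public FormValidation doCheckToken(@QueryParameter String value,
                                           @AncestorInPath Item item) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            // Assumed validation rule: the field must not be blank. Anything costly
            // (remote calls, state changes) belongs after the two gates above, never
            // before them.
            if (value == null || value.trim().isEmpty()) {
                return FormValidation.error("Token must not be empty");
            }
            return FormValidation.ok();
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }
    }
}
```

The same two-line gate (annotation plus permission check) applies to each of the other doCheck* methods the scan lists; the Secret change applies to every field the "Plaintext password storage" findings name that actually holds a password or key passphrase.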
github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A human volunteer will check over things that I am not able to check for (code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

idanhauser commented 1 year ago

/request-security-scan

jenkins-cert-app commented 1 year ago

The CodeQL Scan discovered 31 finding(s) :mag:. For each of them, either apply the recommended correction, suppress the warning or provide a justification.

Once you're done, either re-run the scan with /request-security-scan or request the Security team to review your justifications with /audit-review.


Stapler: Missing POST/RequirePOST annotation

You can find detailed information about this finding here.

AppdomeBuilder.java#672 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckFingerprintAutoDev connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#664 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckFingerprintPrivate connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#656 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckFingerprintAuto connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#647 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckKeyPass connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#639 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckKeystoreAlias connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#631 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckKeystoreFilePass connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#623 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckFusionSetAndroid connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#614 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckApplicationPathAndroid connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#604 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckFusionSetIos connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#595 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckApplicationPathIos connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#586 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckKeystoreP12Pass connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#578 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckTeamId connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#570 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckToken connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```

Stapler: Missing permission check

You can find detailed information about this finding here.

AppdomeBuilder.java#672 ``` Potential missing permission check in DescriptorImpl#doCheckFingerprintAutoDev ```
AppdomeBuilder.java#664 ``` Potential missing permission check in DescriptorImpl#doCheckFingerprintPrivate ```
AppdomeBuilder.java#656 ``` Potential missing permission check in DescriptorImpl#doCheckFingerprintAuto ```
AppdomeBuilder.java#647 ``` Potential missing permission check in DescriptorImpl#doCheckKeyPass ```
AppdomeBuilder.java#639 ``` Potential missing permission check in DescriptorImpl#doCheckKeystoreAlias ```
AppdomeBuilder.java#631 ``` Potential missing permission check in DescriptorImpl#doCheckKeystoreFilePass ```
AppdomeBuilder.java#623 ``` Potential missing permission check in DescriptorImpl#doCheckFusionSetAndroid ```
AppdomeBuilder.java#614 ``` Potential missing permission check in DescriptorImpl#doCheckApplicationPathAndroid ```
AppdomeBuilder.java#604 ``` Potential missing permission check in DescriptorImpl#doCheckFusionSetIos ```
AppdomeBuilder.java#595 ``` Potential missing permission check in DescriptorImpl#doCheckApplicationPathIos ```
AppdomeBuilder.java#586 ``` Potential missing permission check in DescriptorImpl#doCheckKeystoreP12Pass ```
AppdomeBuilder.java#578 ``` Potential missing permission check in DescriptorImpl#doCheckTeamId ```
AppdomeBuilder.java#570 ``` Potential missing permission check in DescriptorImpl#doCheckToken ```

Jenkins: Plaintext password storage

You can find detailed information about this finding here.

AppdomeBuilder.java#48 ``` Field should be reviewed whether it stores a password and is serialized to disk: keystoreAlias ```
AppdomeBuilder.java#47 ``` Field should be reviewed whether it stores a password and is serialized to disk: KeystoreP12Pass ```
AppdomeBuilder.java#45 ``` Field should be reviewed whether it stores a password and is serialized to disk: KeystoreFilePass ```
AutomaticSignInfo.java#28 ``` Field should be reviewed whether it stores a password and is serialized to disk: keystoreAlias ```
AutomaticSignInfo.java#25 ``` Field should be reviewed whether it stores a password and is serialized to disk: keystorePass ```
idanhauser commented 1 year ago

/request-security-scan

jenkins-cert-app commented 1 year ago

The CodeQL Scan discovered 26 finding(s) :mag:. For each of them, either apply the recommended correction, suppress the warning or provide a justification.

Once you're done, either re-run the scan with /request-security-scan or request the Security team to review your justifications with /audit-review.


Stapler: Missing POST/RequirePOST annotation

You can find detailed information about this finding here.

AppdomeBuilder.java#672 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckFingerprintAutoDev connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#664 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckFingerprintPrivate connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#656 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckFingerprintAuto connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#647 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckKeyPass connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#639 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckKeystoreAlias connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#631 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckKeystoreFilePass connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#623 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckFusionSetAndroid connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#614 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckApplicationPathAndroid connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#604 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckFusionSetIos connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#595 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckApplicationPathIos connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#586 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckKeystoreP12Pass connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#578 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckTeamId connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#570 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckToken connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```

Stapler: Missing permission check

You can find detailed information about this finding here.

AppdomeBuilder.java#672 ``` Potential missing permission check in DescriptorImpl#doCheckFingerprintAutoDev ```
AppdomeBuilder.java#664 ``` Potential missing permission check in DescriptorImpl#doCheckFingerprintPrivate ```
AppdomeBuilder.java#656 ``` Potential missing permission check in DescriptorImpl#doCheckFingerprintAuto ```
AppdomeBuilder.java#647 ``` Potential missing permission check in DescriptorImpl#doCheckKeyPass ```
AppdomeBuilder.java#639 ``` Potential missing permission check in DescriptorImpl#doCheckKeystoreAlias ```
AppdomeBuilder.java#631 ``` Potential missing permission check in DescriptorImpl#doCheckKeystoreFilePass ```
AppdomeBuilder.java#623 ``` Potential missing permission check in DescriptorImpl#doCheckFusionSetAndroid ```
AppdomeBuilder.java#614 ``` Potential missing permission check in DescriptorImpl#doCheckApplicationPathAndroid ```
AppdomeBuilder.java#604 ``` Potential missing permission check in DescriptorImpl#doCheckFusionSetIos ```
AppdomeBuilder.java#595 ``` Potential missing permission check in DescriptorImpl#doCheckApplicationPathIos ```
AppdomeBuilder.java#586 ``` Potential missing permission check in DescriptorImpl#doCheckKeystoreP12Pass ```
AppdomeBuilder.java#578 ``` Potential missing permission check in DescriptorImpl#doCheckTeamId ```
AppdomeBuilder.java#570 ``` Potential missing permission check in DescriptorImpl#doCheckToken ```
idanhauser commented 1 year ago

/request-security-scan

jenkins-cert-app commented 1 year ago

The CodeQL Scan discovered 25 finding(s) :mag:. For each of them, either apply the recommended correction, suppress the warning or provide a justification.

Once you're done, either re-run the scan with /request-security-scan or request the Security team to review your justifications with /audit-review.


Stapler: Missing POST/RequirePOST annotation

You can find detailed information about this finding here.

AppdomeBuilder.java#679 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckFingerprintAutoDev connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#671 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckFingerprintPrivate connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#663 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckFingerprintAuto connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#654 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckKeyPass connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#646 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckKeystoreAlias connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#638 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckKeystoreFilePass connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#630 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckFusionSetAndroid connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#621 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckApplicationPathAndroid connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#611 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckFusionSetIos connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#602 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckApplicationPathIos connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#593 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckKeystoreP12Pass connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#585 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckTeamId connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#573 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckToken connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```

Stapler: Missing permission check

You can find detailed information about this finding here.

AppdomeBuilder.java#679 ``` Potential missing permission check in DescriptorImpl#doCheckFingerprintAutoDev ```
AppdomeBuilder.java#671 ``` Potential missing permission check in DescriptorImpl#doCheckFingerprintPrivate ```
AppdomeBuilder.java#663 ``` Potential missing permission check in DescriptorImpl#doCheckFingerprintAuto ```
AppdomeBuilder.java#654 ``` Potential missing permission check in DescriptorImpl#doCheckKeyPass ```
AppdomeBuilder.java#646 ``` Potential missing permission check in DescriptorImpl#doCheckKeystoreAlias ```
AppdomeBuilder.java#638 ``` Potential missing permission check in DescriptorImpl#doCheckKeystoreFilePass ```
AppdomeBuilder.java#630 ``` Potential missing permission check in DescriptorImpl#doCheckFusionSetAndroid ```
AppdomeBuilder.java#621 ``` Potential missing permission check in DescriptorImpl#doCheckApplicationPathAndroid ```
AppdomeBuilder.java#611 ``` Potential missing permission check in DescriptorImpl#doCheckFusionSetIos ```
AppdomeBuilder.java#602 ``` Potential missing permission check in DescriptorImpl#doCheckApplicationPathIos ```
AppdomeBuilder.java#593 ``` Potential missing permission check in DescriptorImpl#doCheckKeystoreP12Pass ```
AppdomeBuilder.java#585 ``` Potential missing permission check in DescriptorImpl#doCheckTeamId ```
idanhauser commented 1 year ago

/request-security-scan

jenkins-cert-app commented 1 year ago

The CodeQL Scan discovered 13 finding(s) :mag:. For each of them, either apply the recommended correction, suppress the warning or provide a justification.

Once you're done, either re-run the scan with /request-security-scan or request the Security team to review your justifications with /audit-review.


Stapler: Missing POST/RequirePOST annotation

You can find detailed information about this finding here.

AppdomeBuilder.java#689 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckFingerprintAutoDev connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#680 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckFingerprintPrivate connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#671 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckFingerprintAuto connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#662 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckKeyPass connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#653 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckKeystoreAlias connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#644 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckKeystoreFilePass connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#635 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckFusionSetAndroid connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#625 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckApplicationPathAndroid connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#614 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckFusionSetIos connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#605 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckApplicationPathIos connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#595 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckKeystoreP12Pass connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#586 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckTeamId connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AppdomeBuilder.java#575 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckToken connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
idanhauser commented 1 year ago

/request-security-scan

jenkins-cert-app commented 1 year ago

The CodeQL Scan discovered 13 finding(s) :mag:. For each of them, either apply the recommended correction, suppress the warning or provide a justification.

Once you're done, either re-run the scan with /request-security-scan or request the Security team to review your justifications with /audit-review.


Stapler: Missing POST/RequirePOST annotation

You can find detailed information about this finding here.

AppdomeBuilder.java#691: Potential CSRF vulnerability: If DescriptorImpl#doCheckFingerprintAutoDev connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
AppdomeBuilder.java#682: Potential CSRF vulnerability: If DescriptorImpl#doCheckFingerprintPrivate connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
AppdomeBuilder.java#673: Potential CSRF vulnerability: If DescriptorImpl#doCheckFingerprintAuto connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
AppdomeBuilder.java#664: Potential CSRF vulnerability: If DescriptorImpl#doCheckKeyPass connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
AppdomeBuilder.java#655: Potential CSRF vulnerability: If DescriptorImpl#doCheckKeystoreAlias connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
AppdomeBuilder.java#646: Potential CSRF vulnerability: If DescriptorImpl#doCheckKeystoreFilePass connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
AppdomeBuilder.java#637: Potential CSRF vulnerability: If DescriptorImpl#doCheckFusionSetAndroid connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
AppdomeBuilder.java#627: Potential CSRF vulnerability: If DescriptorImpl#doCheckApplicationPathAndroid connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
AppdomeBuilder.java#616: Potential CSRF vulnerability: If DescriptorImpl#doCheckFusionSetIos connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
AppdomeBuilder.java#606: Potential CSRF vulnerability: If DescriptorImpl#doCheckApplicationPathIos connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
AppdomeBuilder.java#596: Potential CSRF vulnerability: If DescriptorImpl#doCheckKeystoreP12Pass connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
AppdomeBuilder.java#587: Potential CSRF vulnerability: If DescriptorImpl#doCheckTeamId connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
AppdomeBuilder.java#575: Potential CSRF vulnerability: If DescriptorImpl#doCheckToken connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
idanhauser commented 1 year ago

/request-security-scan

jenkins-cert-app commented 1 year ago

The CodeQL Scan discovered 13 finding(s) :mag:. For each of them, either apply the recommended correction, suppress the warning or provide a justification.

Once you're done, either re-run the scan with /request-security-scan or request the Security team to review your justifications with /audit-review.


Stapler: Missing POST/RequirePOST annotation

You can find detailed information about this finding here.

AppdomeBuilder.java#700: Potential CSRF vulnerability: If DescriptorImpl#doCheckFingerprintAutoDev connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
AppdomeBuilder.java#691: Potential CSRF vulnerability: If DescriptorImpl#doCheckFingerprintPrivate connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
AppdomeBuilder.java#681: Potential CSRF vulnerability: If DescriptorImpl#doCheckFingerprintAuto connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
AppdomeBuilder.java#671: Potential CSRF vulnerability: If DescriptorImpl#doCheckKeyPass connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
AppdomeBuilder.java#661: Potential CSRF vulnerability: If DescriptorImpl#doCheckKeystoreAlias connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
AppdomeBuilder.java#651: Potential CSRF vulnerability: If DescriptorImpl#doCheckKeystoreFilePass connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
AppdomeBuilder.java#641: Potential CSRF vulnerability: If DescriptorImpl#doCheckFusionSetAndroid connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
AppdomeBuilder.java#631: Potential CSRF vulnerability: If DescriptorImpl#doCheckApplicationPathAndroid connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
AppdomeBuilder.java#619: Potential CSRF vulnerability: If DescriptorImpl#doCheckFusionSetIos connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
AppdomeBuilder.java#608: Potential CSRF vulnerability: If DescriptorImpl#doCheckApplicationPathIos connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
AppdomeBuilder.java#597: Potential CSRF vulnerability: If DescriptorImpl#doCheckKeystoreP12Pass connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
AppdomeBuilder.java#587: Potential CSRF vulnerability: If DescriptorImpl#doCheckTeamId connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
AppdomeBuilder.java#575: Potential CSRF vulnerability: If DescriptorImpl#doCheckToken connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
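The repeated "Missing POST/RequirePOST annotation" finding above concerns Stapler form-validation methods (`doCheck*` in a `DescriptorImpl`). Without a verb annotation Stapler also serves them on GET, outside the CSRF crumb protection, so whatever the method does runs with the visiting user's session on attacker-chosen parameters. The usual fix is `@POST` plus an explicit permission check. The class below is an added example for this thread, not code from the Appdome plugin: `ExampleBuilder`, its fields and the `.ipa` rule are placeholders chosen for illustration; the Jenkins and Stapler APIs it calls (`@POST`, `@QueryParameter`, `@AncestorInPath`, `FormValidation`, `Item.CONFIGURE`, `Jenkins.ADMINISTER`) are real.

```java
// Added example for this thread, not code from the Appdome plugin. The class,
// field names and the ".ipa" rule are placeholders chosen for illustration.
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

public class ExampleBuilder extends Builder {

    private final String teamId;
    private final String applicationPathIos;

    @DataBoundConstructor
    public ExampleBuilder(String teamId, String applicationPathIos) {
        this.teamId = teamId;
        this.applicationPathIos = applicationPathIos;
    }

    public String getTeamId() { return teamId; }
    public String getApplicationPathIos() { return applicationPathIos; }

    @Extension
    public static class DescriptorImpl extends BuildStepDescriptor<Builder> {

        // What the scanner flags: a doCheck* method with no verb annotation.
        // Stapler serves it on GET as well, so no CSRF crumb is checked and
        // any page the user visits can trigger it with chosen parameters.
        //
        //   public FormValidation doCheckTeamId(@QueryParameter String value) { ... }

        /**
         * @POST restricts the endpoint to POST requests, which Jenkins protects
         * with its CSRF crumb. The Jelly form tags detect the annotation and
         * issue the validation request as POST, so the UI needs no change.
         * The permission check limits who may run the validation at all:
         * CONFIGURE on the job when the check comes from a job configuration
         * page, ADMINISTER when there is no job in the URL (global config).
         */
        @POST
        public FormValidation doCheckTeamId(@QueryParameter String value,
                                            @AncestorInPath Item item) {
            checkPermission(item);
            return FormValidation.validateRequired(value);
        }

        @POST
        public FormValidation doCheckApplicationPathIos(@QueryParameter String value,
                                                        @AncestorInPath Item item) {
            checkPermission(item);
            FormValidation required = FormValidation.validateRequired(value);
            if (required.kind != FormValidation.Kind.OK) {
                return required;
            }
            // Assumed rule for this example: an iOS application is an .ipa archive.
            if (!value.trim().toLowerCase().endsWith(".ipa")) {
                return FormValidation.warning("Expected a path to an .ipa file");
            }
            return FormValidation.ok();
        }

        private static void checkPermission(Item item) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Example builder";
        }
    }
}
```

The annotation matters most for the cases the finding names (the method contacts a user-supplied URL, changes state, or is expensive), but applying it to every `doCheck*` method costs nothing and removes the class of finding entirely, which is what the later "did not find anything dangerous" scan in this thread reflects.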
idanhauser commented 1 year ago

/request-security-scan

jenkins-cert-app commented 1 year ago

The CodeQL Scan did not find anything dangerous with your plugin, congratulations! :tada:

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

NotMyFault commented 1 year ago

Hey @idanhauser,

I took a look over your hosting proposal and have some general feedback:

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A human volunteer will check over things that I am not able to check for (code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

idanhauser commented 1 year ago

Hey @NotMyFault, thank you for your valuable feedback. I have incorporated the changes that you suggested into the code.

However, I would like to seek your advice on one matter. You suggested removing the target with the "hpi" file, but I believe it is necessary to keep this file in our project to provide a link to download it. Could you please suggest where I can place this file in the repository?

Additionally, I have removed the asterisks from all fields with validation, but for fields where validation is not possible, I have left the asterisks. Do you have any suggestions on how to validate such fields?

In addition, I have added the ".github" folder and included the files that you requested me to place in it. However, I encountered an error with the "CODEOWNERS" file. Would it be alright to leave it as it is for now, or do you recommend that I make changes to the file in order to resolve the issue?

Thank you!

NotMyFault commented 1 year ago

> However, I would like to seek your advice on one matter. You suggested removing the target with the "hpi" file, but I believe it is necessary to keep this file in our project to provide a link to download it. Could you please suggest where I can place this file in the repository?

Plugins are not meant to be distributed through your git repository at all. Once hosted, consumers can download the plugin through the Jenkins update center, which integrates with the Jenkins plugin manager, or through plugins.jenkins.io if someone seeks a web interface.

> Additionally, I have removed the asterisks from all fields with validation, but for fields where validation is not possible, I have left the asterisks. Do you have any suggestions on how to validate such fields?

See https://weekly.ci.jenkins.io/design-library/Validation/ for an example of data validation. Basically, you can validate any input against a predefined check. There's no such thing as an input that can't be validated.

> In addition, I have added the ".github" folder and included the files that you requested me to place in it. However, I encountered an error with the "CODEOWNERS" file.

This is expected. Leave it as-is, given it's supposed to reflect the location, once the repository is part of the jenkinsci org. Although, you can remove the $ before $appdome, that's obsolete. You can cut down https://github.com/Appdome/Jenkins_Build-2secure-plugin/blob/main/.github/release-drafter.yml to a three line file like https://github.com/jenkinsci/git-plugin/blob/master/.github/release-drafter.yml, replacing git- with your artifactId. We're using org templates, you don't need to configure release drafter yourself.

daniel-beck commented 1 year ago

History should be rewritten to remove target/ so the repo doesn't have this in the commit history.

idanhauser commented 1 year ago

/hosting re-check

idanhauser commented 1 year ago

/request-security-scan

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A human volunteer will check over things that I am not able to check for (code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

jenkins-cert-app commented 1 year ago

The CodeQL Scan discovered 2 finding(s) :mag:. For each of them, either apply the recommended correction, suppress the warning or provide a justification.

Once you're done, either re-run the scan with /request-security-scan or request the Security team to review your justifications with /audit-review.


Jenkins: Plaintext password storage

You can find detailed information about this finding here.

AutoSign.java#16: Field should be reviewed whether it stores a password and is serialized to disk: keystorePath
AutoSign.java#19: Field should be reviewed whether it stores a password and is serialized to disk: keystorePath
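The "Plaintext password storage" finding above asks the author to review `String` fields in a class Jenkins serializes to disk: if such a field holds a credential, the job or global `config.xml` ends up containing it in plaintext. A keystore path is a location, not a credential; a keystore password is, and Jenkins provides `hudson.util.Secret` so that XStream writes only the encrypted form. The class below is an added example for this thread, not the plugin's `AutoSign` class: `ExampleSigningConfig` and its field names are placeholders, and the `readResolve()` migration of a hypothetical older plaintext field goes beyond the finding itself.

```java
// Added example for this thread, not the plugin's AutoSign class. The class and
// field names are placeholders chosen for illustration.
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

public class ExampleSigningConfig extends AbstractDescribableImpl<ExampleSigningConfig> {

    // A file system location: not a credential, so a plain String is appropriate.
    private final String keystorePath;

    // A credential: held as Secret. XStream persists a Secret in its encrypted
    // form (keyed under $JENKINS_HOME), so config.xml never holds the plaintext.
    private final Secret keystorePassword;

    // Hypothetical legacy field from an earlier version that stored the password
    // as a String. Kept only so old XML still deserializes; readResolve() below
    // migrates it and the replacement instance leaves it null, so it is not
    // written back on the next save.
    @Deprecated
    private String password;

    @DataBoundConstructor
    public ExampleSigningConfig(String keystorePath, Secret keystorePassword) {
        this.keystorePath = keystorePath;
        this.keystorePassword = keystorePassword;
    }

    public String getKeystorePath() { return keystorePath; }

    // Exposed as Secret so the Jelly <f:password> field round-trips the
    // encrypted value instead of echoing plaintext into the page source.
    public Secret getKeystorePassword() { return keystorePassword; }

    // Decrypt only at the point of use (for example when assembling the
    // signing tool's command line), never in a getter bound to the form.
    public String keystorePasswordPlainText() {
        return Secret.toString(keystorePassword);
    }

    // Called by XStream after deserialization. If an old record carried a
    // plaintext password, wrap it in Secret and return a fresh instance.
    protected Object readResolve() {
        if (password != null && keystorePassword == null) {
            return new ExampleSigningConfig(keystorePath, Secret.fromString(password));
        }
        return this;
    }

    @Extension
    public static class DescriptorImpl extends Descriptor<ExampleSigningConfig> {
        @Override
        public String getDisplayName() {
            return "Example signing configuration";
        }
    }
}
```

Two checks are worth doing after such a change: open the saved job XML and confirm the password element contains the `{...}` ciphertext rather than the typed value, and confirm no getter or `toString()` returns the plaintext, since anything a getter exposes can reach the Jelly page or the build log.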
idanhauser commented 1 year ago

/request-security-scan

jenkins-cert-app commented 1 year ago

The CodeQL Scan did not find anything dangerous with your plugin, congratulations! :tada:

NotMyFault commented 1 year ago

/hosting re-check

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A human volunteer will check over things that I am not able to check for (code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

NotMyFault commented 1 year ago

/hosting host

jenkins-infra-bot commented 1 year ago

Hosting request complete, the code has been forked into the jenkinsci project on GitHub as https://github.com/jenkinsci/appdome-build-2secure-plugin

GitHub issues has been selected for issue tracking and was enabled for the forked repo.

A pull request has been created against the repository permissions updater to setup release permissions. Additional users can be added by modifying the created file.

Please delete your original repository (if there are no other forks), under 'Danger Zone', so that the jenkinsci organization repository is the definitive source for the code. If there are other forks, please contact GitHub support to make the jenkinsci repo the root of the fork network (mention that Jenkins approval was given in support request 569994). Also, please make sure you properly follow the documentation on documenting your plugin so that your plugin is correctly documented.

You will also need to do the following in order to push changes and release your plugin:

In order for your plugin to be built by the Jenkins CI Infrastructure and check pull requests, please add a Jenkinsfile to the root of your repository with the following content: buildPlugin(useContainerAgent: true, jdkVersions: [8, 11])

Welcome aboard!