search

jenkins-infra / repository-permissions-updater

Artifactory permissions synchronization tool and data set
79 stars 1.05k forks source link

Request repository hosting for slsa-plugin #3224

Closed netomi closed 1 year ago

netomi commented 1 year ago

Repository URL

https://github.com/netomi/slsa-jenkins-plugin

New Repository Name

slsa-plugin

Description

The Eclipse Security Team has been developing a jenkins plugin to create SLSA provenance attestations (https://slsa.dev/attestation-model) during a build hosted in the repository above.

Its still early work, but already functional, and we would like to start the process of migrating it to the jenkinsci organization.

GitHub users to have commit permission

@netomi @mbarbero @fredg02

Jenkins project users to have release permission

netomi

Issue tracker

GitHub issues

jenkins-cert-app commented 1 year ago

Security audit, information and commands

The security team is auditing all the hosting requests, to ensure a better security by default.

This message informs you that a security scan was triggered on your repository. It takes ~10 minutes to complete.

Commands The bot will parse all comments, and it will check if any line start with a command. Security team only:
  • /audit-ok => the audit is complete, the hosting can continue :tada:.
  • /audit-skip => the audit is not necessary, the hosting can continue :tada:.
  • /audit-required => the superficial audit was not sufficient, a deeper look is necessary :mag:.
  • /audit-findings => the audit reveals some issues that require corrections :pencil2:.
Anyone:
  • /request-security-scan => the findings from the security scan were corrected, this command will re-scan your repository :mag:.
  • /audit-review => the findings from the audits were corrected, this command will ping the security team to review the findings :eyes:. It's only applicable when the previous audit required changes.
Only one command can be requested per comment.

(automatically generated message, version: 1.15.8)

jenkins-cert-app commented 1 year ago

:x: CodeQL Scan failed. The Security team was notified about this.

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

NotMyFault commented 1 year ago

The repository must be hosted on GitHub, don't add .git at the end of the URL @netomi

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

netomi commented 1 year ago

ok ty, I already guessed something like that. We will move the repo first to github and then start the migration.

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

netomi commented 1 year ago

/hosting re-check

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

netomi commented 1 year ago

/hosting re-check

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

NotMyFault commented 1 year ago

/request-security-scan

jenkins-cert-app commented 1 year ago

The CodeQL Scan discovered 2 finding(s) :mag:. For each of them, either apply the recommended correction, suppress the warning or provide a justification.

Once you're done, either re-run the scan with /request-security-scan or request the Security team to review your justifications with /audit-review.

Stapler: Missing permission check

You can find detailed information about this finding here.

ProvenanceRecorder.java#151 ``` Potential missing permission check in DescriptorImpl#doCheckTargetDirectory ```
ProvenanceRecorder.java#144 ``` Potential missing permission check in DescriptorImpl#doCheckArtifactFilter ```
NotMyFault commented 1 year ago

Hey @netomi,

thanks for moving on to GitHub. I took a brief look over the hosting request and have some feedback for you:

Additionally, depending on if available:

netomi commented 1 year ago

thanks for the quick and thorough feedback, I will work on these items. I understand its still in an early stage and missing tests, but this will come step after step :D

netomi commented 1 year ago

/request-security-scan

jenkins-cert-app commented 1 year ago

The CodeQL Scan discovered 2 finding(s) :mag:. For each of them, either apply the recommended correction, suppress the warning or provide a justification.

Once you're done, either re-run the scan with /request-security-scan or request the Security team to review your justifications with /audit-review.

Stapler: Missing POST/RequirePOST annotation

You can find detailed information about this finding here.

ProvenanceRecorder.java#158 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckTargetDirectory connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
ProvenanceRecorder.java#145 ``` Potential CSRF vulnerability: If DescriptorImpl#doCheckArtifactFilter connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
NotMyFault commented 1 year ago

thanks for the quick and thorough feedback, I will work on these items

Sounds great!

NotMyFault commented 1 year ago

/request-security-scan

jenkins-cert-app commented 1 year ago

:x: CodeQL Scan failed. The Security team was notified about this.

Wadeck commented 1 year ago

[ASSIST]

[ERROR] Failed to execute goal org.jenkins-ci.tools:maven-hpi-plugin:3.41:validate (default-validate) on project slsa: The plugin org.jenkins-ci.tools:maven-hpi-plugin:3.41 requires Maven version 3.8.1 -> [Help 1]

I will dig the problem :)

Note for myself: Recent maven tooling require 3.8.1 which is not available by default in Debian Bullseye which is the base image used to run Jenkins security scan.

Image updated to install maven directly instead of relying on Debian packages. Worked locally, let's try :)

Wadeck commented 1 year ago

/request-security-scan

jenkins-cert-app commented 1 year ago

:x: CodeQL Scan failed. The Security team was notified about this.

Wadeck commented 1 year ago

/request-security-scan

netomi commented 1 year ago

The security-scan workflow of the repo itself seems to work properly: https://github.com/netomi/slsa-jenkins-plugin/actions/runs/4713231330

Wadeck commented 1 year ago

[ASSIST] @netomi they are different workflows, using the same scanner internally :)

netomi commented 1 year ago

After merging the 2 PR from dependabot:

https://github.com/netomi/slsa-jenkins-plugin/commit/bf782166039778720e70fdff01ef1ffa2ab3822b https://github.com/netomi/slsa-jenkins-plugin/commit/d9c6536da3fe87ea7b644889f9be88902a7a5564

it started to fail.

Wadeck commented 1 year ago

Yeah, there was a new requirement for Maven :) normally I updated the scanner image to include an up-to-date version of Maven. Current run seems running better

jenkins-cert-app commented 1 year ago

The CodeQL Scan did not find anything dangerous with your plugin, congratulations! :tada:

NotMyFault commented 1 year ago

/hosting re-check

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A human volunteer will check over things that I am not able to check for (code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

NotMyFault commented 1 year ago

Looks alright to me. The produced .hpi file sizes ~12M. I'd recommend removing unused dependencies from the pom.xml and applying <exclusion>s to strip parts of dependencies this plugin doesn't need, to reduce the size a bit, if applicable.

netomi commented 1 year ago

Thanks for following up on this, I will check the dependencies to further reduce the size.

netomi commented 1 year ago

The reason why the plugin accumulates to 12 MB is the inclusion of the bouncycastle provider jar. Will refactor the plugin to not require that or use the available shared library.

NotMyFault commented 1 year ago

Will refactor the plugin to not require that or use the available shared library.

Thanks! If you rely on bouncycastle, you may depend on the corresponding Jenkins plugin: https://plugins.jenkins.io/bouncycastle-api/dependencies/ and don't need to bundle it yourself.

netomi commented 1 year ago

The dependency org.eclipsefdn.security.slsa:attestation has been updated to remove the bouncy castle dependency for now as the plugin currently can not generate signed attestations. This will be added in a future version.

The size of the plugin is now

.rw-rw-r-- 2,2M tn 24 Apr 22:45 slsa.hpi
NotMyFault commented 1 year ago

Thanks a lot!

Would you mind dropping the unused plugin dependencies from your pom.xml? https://github.com/netomi/slsa-jenkins-plugin/blob/409d2351163f28f73f806140c216084909636e22/pom.xml#L138-L168 No need to install plugins you don't depend on.

netomi commented 1 year ago

I cleaned the dependencies to other plugins.

Some additional changes that I made:

currently, only git is supported as SCM provider, will work on adding support also for others. There does not seem to be a generic way to get the SCM url from an SCM object at least I could not find a way yet. So each SCM provider needs to get custom handling.

NotMyFault commented 1 year ago

/hosting re-check

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A human volunteer will check over things that I am not able to check for (code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

NotMyFault commented 1 year ago

/request-security-scan

jenkins-cert-app commented 1 year ago

The Jenkins Security Scan did not find anything dangerous with your plugin, congratulations! :tada:

:bulb: The Security team recommends that you are setting up the scan in your repository by following our guide.

NotMyFault commented 1 year ago

/hosting host

jenkins-infra-bot commented 1 year ago

Hosting request complete, the code has been forked into the jenkinsci project on GitHub as https://github.com/jenkinsci/slsa-plugin

GitHub issues has been selected for issue tracking and was enabled for the forked repo.

A pull request has been created against the repository permissions updater to setup release permissions. Additional users can be added by modifying the created file.

Please delete your original repository (if there are no other forks), under 'Danger Zone', so that the jenkinsci organization repository is the definitive source for the code. If there are other forks, please contact GitHub support to make the jenkinsci repo the root of the fork network (mention that Jenkins approval was given in support request 569994). Also, please make sure you properly follow the documentation on documenting your plugin so that your plugin is correctly documented.

You will also need to do the following in order to push changes and release your plugin:

In order for your plugin to be built by the Jenkins CI Infrastructure and check pull requests, please add a Jenkinsfile to the root of your repository with the following content: https://github.com/jenkinsci/archetypes/blob/master/common-files/Jenkinsfile

Welcome aboard!