Mend Cloud Native Security Scanner

yuval-nahari commented 1 year ago

Repository URL

https://github.com/yuval-nahari/mend-cloud-native-plugin

New Repository Name

mend-cloud-native-security-scanner-plugin

Description

This plugin uses Mend CLI tool for scanning container images and detect vulnerabilities and other security risks.

GitHub users to have commit permission

yuval-nahari

Jenkins project users to have release permission

yuval_nahari_mend

Issue tracker

Jira

/hosting re-check

jenkins-cert-app commented 1 year ago

Security audit, information and commands

The security team is auditing all the hosting requests, to ensure a better security by default.

This message informs you that a security scan was triggered on your repository. It takes ~10 minutes to complete.

Commands

The bot will parse all comments, and it will check if any line start with a command. Security team only:

/audit-ok => the audit is complete, the hosting can continue :tada:.
/audit-skip => the audit is not necessary, the hosting can continue :tada:.
/audit-required => the superficial audit was not sufficient, a deeper look is necessary :mag:.
/audit-findings => the audit reveals some issues that require corrections :pencil2:.

Anyone:

/request-security-scan => the findings from the security scan were corrected, this command will re-scan your repository :mag:.
/audit-review => the findings from the audits were corrected, this command will ping the security team to review the findings :eyes:. It's only applicable when the previous audit required changes.

Only one command can be requested per comment.

(automatically generated message, version: 1.16.8)

jenkins-cert-app commented 1 year ago

:x: CodeQL Scan failed. The Security team was notified about this.

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

:no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: yuval-nahari (reports are re-synced hourly, wait to re-check for a bit after logging in)
:no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: yuval-nahari (reports are re-synced hourly, wait to re-check for a bit after logging in)
:no_entry: Required: Repository URL 'https://github.com/mend/mend-cloud-native-plugin' is not a valid GitHub repository (check that you do not have .git at the end, GitHub API doesn't support this).
:warning: Warning: No pom.xml detected.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

:no_entry: Required: The origin repository 'https://github.com/mend/mend-cloud-native-plugin.git' ends in .git, please remove this
:no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: yuval-nahari (reports are re-synced hourly, wait to re-check for a bit after logging in)
:no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: yuval-nahari (reports are re-synced hourly, wait to re-check for a bit after logging in)
:no_entry: Required: Repository URL 'https://github.com/mend/mend-cloud-native-plugin' is not a valid GitHub repository (check that you do not have .git at the end, GitHub API doesn't support this).
:no_entry: Required: 'New Repository Name' must end with "-plugin" (disregard if you are not requesting hosting of a plugin)
:warning: Warning: No pom.xml detected.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

:no_entry: Required: The origin repository 'https://github.com/mend/mend-cloud-native-plugin.git' ends in .git, please remove this
:no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: yuval-nahari (reports are re-synced hourly, wait to re-check for a bit after logging in)
:no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: yuval-nahari (reports are re-synced hourly, wait to re-check for a bit after logging in)
:no_entry: Required: Repository URL 'https://github.com/mend/mend-cloud-native-plugin' is not a valid GitHub repository (check that you do not have .git at the end, GitHub API doesn't support this).
:no_entry: Required: 'New Repository Name' must end with "-plugin" (disregard if you are not requesting hosting of a plugin)
:warning: Warning: No pom.xml detected.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

:no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: yuval-nahari (reports are re-synced hourly, wait to re-check for a bit after logging in)
:no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: yuval-nahari (reports are re-synced hourly, wait to re-check for a bit after logging in)
:no_entry: Required: Repository URL 'https://github.com/mend/mend-cloud-native-plugin' is not a valid GitHub repository (check that you do not have .git at the end, GitHub API doesn't support this).
:no_entry: Required: 'New Repository Name' must end with "-plugin" (disregard if you are not requesting hosting of a plugin)
:warning: Warning: No pom.xml detected.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

:no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: yuval-nahari (reports are re-synced hourly, wait to re-check for a bit after logging in)
:no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: yuval-nahari (reports are re-synced hourly, wait to re-check for a bit after logging in)
:no_entry: Required: Repository URL 'https://github.com/mend/mend-cloud-native-plugin' is not a valid GitHub repository (check that you do not have .git at the end, GitHub API doesn't support this).
:no_entry: Required: 'New Repository Name' must end with "-plugin" (disregard if you are not requesting hosting of a plugin)
:warning: Warning: No pom.xml detected.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

:no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: yuval-nahari (reports are re-synced hourly, wait to re-check for a bit after logging in)
:no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: yuval-nahari (reports are re-synced hourly, wait to re-check for a bit after logging in)
:no_entry: Required: Repository URL 'https://github.com/mend/mend-cloud-native-plugin' is not a valid GitHub repository (check that you do not have .git at the end, GitHub API doesn't support this).
:warning: Warning: No pom.xml detected.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

:no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: yuval-nahari_mend (reports are re-synced hourly, wait to re-check for a bit after logging in)
:no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: yuval-nahari_mend (reports are re-synced hourly, wait to re-check for a bit after logging in)
:no_entry: Required: Repository URL 'https://github.com/mend/mend-cloud-native-plugin' is not a valid GitHub repository (check that you do not have .git at the end, GitHub API doesn't support this).
:warning: Warning: No pom.xml detected.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

:no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: yuval_nahari_mend (reports are re-synced hourly, wait to re-check for a bit after logging in)
:no_entry: Required: Repository URL 'https://github.com/mend/mend-cloud-native-plugin' is not a valid GitHub repository (check that you do not have .git at the end, GitHub API doesn't support this).
:warning: Warning: No pom.xml detected.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

:no_entry: Required: Repository URL 'https://github.com/yuval-nahari/mend-cloud-native' is not a valid GitHub repository (check that you do not have .git at the end, GitHub API doesn't support this).
:no_entry: Required: 'New Repository Name' must end with "-plugin" (disregard if you are not requesting hosting of a plugin)
:warning: Warning: No pom.xml detected.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

Wadeck commented 1 year ago

/request-security-scan

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

:no_entry: Required: You must use HTTPS for the <connection> tag in your <scm> block in your pom.xml. You can use this sample: <connection>scm:git:https://github.com/jenkinsci/${project.artifactId}-plugin.git</connection>
:no_entry: Required: The 'artifactId' from the pom.xml (mend-cloud-native-plugin) is incorrect, it should be https://github.com/yuval-nahari/mend-cloud-native ('New Repository Name' field with "-plugin" removed)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

Wadeck commented 1 year ago

[ASSIST] (previous scan was started on https://github.com/yuval-nahari/mend-cloud-native before it was changed)

jenkins-cert-app commented 1 year ago

The CodeQL Scan did not find anything dangerous with your plugin, congratulations! :tada:

alecharp commented 1 year ago

Hello, I looked at the plugin code and I have a few points to correct:

you might want to use the gitHubRepo property in https://github.com/yuval-nahari/mend-cloud-native-plugin/blob/d239b2f600e4eefaa226ef8c3225519b207a8468/pom.xml#L24-L26
I see that you are requiring jenkins-test-harness-htmlunit dependency for production code (https://github.com/yuval-nahari/mend-cloud-native-plugin/blob/d239b2f600e4eefaa226ef8c3225519b207a8468/pom.xml#L89). As there is no tests on the plugin, I suspect that to be an error.
the plugin is containing one class but I don't think you want to keep the sample package name for it. This is probably coming from the skeleton of the archetype and should be removed. Rather, use the artifact Id.
in https://github.com/yuval-nahari/mend-cloud-native-plugin/blob/d239b2f600e4eefaa226ef8c3225519b207a8468/src/main/resources/io/jenkins/plugins/sample/MendCnScannerBuilder/config.jelly#L14-L16 the variable is pluralize. Does it means this field should be repeatable or that it accepts a format to provide multiple names? Probably good to express that with a help file.
it seems that you are downloading a cli to be executed. From https://github.com/yuval-nahari/mend-cloud-native-plugin/blob/d239b2f600e4eefaa226ef8c3225519b207a8468/src/main/java/io/jenkins/plugins/sample/MendCnScannerBuilder.java#L84-L93 it seems that you would download that file at each run. It could be a good idea to looking into ToolInstallation.
Please include more information in your README.md, what this plugin does, how the user sets it up and how to integrate it into jobs.
https://github.com/yuval-nahari/mend-cloud-native-plugin/blob/d239b2f600e4eefaa226ef8c3225519b207a8468/pom.xml#L94 remove this line. The BOM ships the version.
Please remove all dependencies from the pom.xml your plugin doesn't need.
Create a .mvn folder within the repository root and add the couple of files: https://github.com/jenkinsci/archetypes/tree/master/common-files/.mvn
Create a .github folder within the repository root and include the following files and subdirectories: https://github.com/jenkinsci/archetypes/tree/master/common-files/.github
https://github.com/yuval-nahari/mend-cloud-native-plugin/blob/d239b2f600e4eefaa226ef8c3225519b207a8468/src/main/java/io/jenkins/plugins/sample/MendCnScannerBuilder.java#L92 The constructor is deprecated in favor of URI#toURL.

yuval-nahari commented 1 year ago

Hi @alecharp, I've addressed your comments, thanks.

About the CLI download, this download link will be updated to a constant "latest" url that will provide the most up-to-date CLI. Meaning I have to download it to figure out if the CLI changed, and if I'm doing it so it's basically the same.

NotMyFault commented 1 year ago

Thanks for addressing @yuval-nahari

It appears something went wrong while you copied the default files:

https://github.com/yuval-nahari/mend-cloud-native-plugin/blob/master/.github/release-drafter.yml The default, https://github.com/jenkinsci/archetypes/blob/master/common-files/.github/release-drafter.yml, ${artifactId} is a placeholder. Replace ${artifactId} with the artifactId from your pom.xml. The template is obsolete too.
https://github.com/yuval-nahari/mend-cloud-native-plugin/blob/master/.github/CODEOWNERS same like above. Replace the placeholder.

Looks good otherwise.

alecharp commented 1 year ago

@yuval-nahari

Meaning I have to download it to figure out if the CLI changed, and if I'm doing it so it's basically the same.

Could user want to select a specific version rather than always be on the latest (like for Docker image tag)? This is not really a discussion for this hosting process so you can ignore this.

yuval-nahari commented 1 year ago

Fixed - placeholders replaced.

About the template existence - without it I got "template" is required error in the github action run.

NotMyFault commented 1 year ago

About the template existence - without it I got "template" is required error in the github action run.

That is expected, but can be ignored. Once hosted, release-drafter extends the existing config, which doesn't exist in your repository. My changes recommended can be applied safely.

yuval-nahari commented 1 year ago

Hi @alecharp @NotMyFault Do you require anything else for the hosting part?

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

:no_entry: Required: The 'artifactId' from the pom.xml (mend-cloud-native-plugin) is incorrect, it should be mend-cloud-native ('New Repository Name' field with "-plugin" removed)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

NotMyFault commented 1 year ago

/request-security-scan

jenkins-cert-app commented 1 year ago

The Jenkins Security Scan did not find anything dangerous with your plugin, congratulations! :tada:

:bulb: The Security team recommends that you are setting up the scan in your repository by following our guide.

yuval-nahari commented 1 year ago

/hosting re-check

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A human volunteer will check over things that I am not able to check for (code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

:no_entry: Required: The 'artifactId' from the pom.xml (mend-cloud-native) is incorrect, it should be mend-cloud-native-security-scanner ('New Repository Name' field with "-plugin" removed)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

NotMyFault commented 1 year ago

I reworded the repository name to reflect the purpose of the plugin. Please change it in the pom.xml and other spots too.

yuval-nahari commented 1 year ago

/hosting re-check

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A human volunteer will check over things that I am not able to check for (code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

NotMyFault commented 1 year ago

/hosting host

jenkins-infra-bot commented 1 year ago

Hosting request complete, the code has been forked into the jenkinsci project on GitHub as https://github.com/jenkinsci/mend-cloud-native-security-scanner-plugin

A Jira component named mend-cloud-native-security-scanner-plugin has also been created with yuval_nahari_mend as the default assignee for issues.

A pull request has been created against the repository permissions updater to setup release permissions. Additional users can be added by modifying the created file.

Please delete your original repository (if there are no other forks), under 'Danger Zone', so that the jenkinsci organization repository is the definitive source for the code. If there are other forks, please contact GitHub support to make the jenkinsci repo the root of the fork network (mention that Jenkins approval was given in support request 569994). Also, please make sure you properly follow the documentation on documenting your plugin so that your plugin is correctly documented.

You will also need to do the following in order to push changes and release your plugin:

In order for your plugin to be built by the Jenkins CI Infrastructure and check pull requests, please add a Jenkinsfile to the root of your repository with the following content: https://github.com/jenkinsci/archetypes/blob/master/common-files/Jenkinsfile

Welcome aboard!

jenkins-infra / repository-permissions-updater