Closed miniOrangeDev closed 1 year ago
Security audit, information and commands
The security team is auditing all the hosting requests, to ensure a better security by default.
This message informs you that a Jenkins Security Scan was triggered on your repository. It takes ~10 minutes to complete.
/audit-ok
=> the audit is complete, the hosting can continue :tada:.
/audit-skip
=> the audit is not necessary, the hosting can continue :tada:.
/audit-findings
=> the audit reveals some issues that require corrections :pencil2:.
/request-security-scan
=> the findings from the [Jenkins Security Scan](https://www.jenkins.io/doc/developer/security/scan/) were corrected, this command will re-scan your repository :mag:.
/audit-review
=> the findings from the audit were corrected, this command will ping the security team to review the findings :eyes:.
It's only applicable when the previous audit required changes.
(automatically generated message, version: 1.17.14)
Hello from your friendly Jenkins Hosting Checker
It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.
You can re-trigger a check by editing your hosting request or by commenting /hosting re-check
:x: Jenkins Security Scan failed. The Security team was notified about this.
/hosting re-check
Hello from your friendly Jenkins Hosting Checker
It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.
You can re-trigger a check by editing your hosting request or by commenting /hosting re-check
Hello from your friendly Jenkins Hosting Checker
It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.
You can re-trigger a check by editing your hosting request or by commenting /hosting re-check
/hosting re-check
Hello from your friendly Jenkins Hosting Checker
It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.
You can re-trigger a check by editing your hosting request or by commenting /hosting re-check
/hosting re-check
[ASSIST] Hi @miniOrangeDev,
Since I see you're active there, I'm taking this opportunity to draw your attention to SECURITY-3001 as I haven't received any response to the ticket.
/hosting re-check
Hello from your friendly Jenkins Hosting Checker
It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.
<jenkins.version>2.332.4</jenkins.version>
to at least 2.361.4 in your pom.xml. Take a look at the baseline recommendations.
You can re-trigger a check by editing your hosting request or by commenting /hosting re-check
/hosting re-check
Hello from your friendly Jenkins Hosting Checker
It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.
You can re-trigger a check by editing your hosting request or by commenting /hosting re-check
@miniOrangeDev I have some comments on your repository
- `mvn tidy:pom` on your repository to ease the human reading of the pom.xml
- `.mvn` files nor the GitHub Action description. Please see https://www.jenkins.io/doc/developer/publishing/releasing-cd/
- `src/main/resources/<path-to-class>/help-<field-name>.jelly`. Please see https://www.jenkins.io/doc/developer/forms/jelly-form-controls/#add-an-inline-help-to-a-form-element
- jelly files. Please see https://www.jenkins.io/doc/developer/views/exposing-bundled-resources/#exposing-bundled-resources to centralize that

What is the purpose of this plugin which is not yet covered by existing plugins, like the plenty of openId, SAML, etc. plugins we already host.
/hosting re-check
Hello from your friendly Jenkins Hosting Checker
It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.
You can re-trigger a check by editing your hosting request or by commenting /hosting re-check
/hosting re-check
Hello from your friendly Jenkins Hosting Checker
It looks like you have everything in order for your hosting request. A human volunteer will check over things that I am not able to check for (code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.
Hosting team members can host this request with /hosting host
Hello from your friendly Jenkins Hosting Checker
It looks like you have everything in order for your hosting request. A human volunteer will check over things that I am not able to check for (code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.
Hosting team members can host this request with /hosting host
/hosting host
@alecharp Thanks for the suggestions. We will work on these suggestions and update the ticket as soon as possible.
I'm also interested by the purpose of this, as stated by @NotMyFault on https://github.com/jenkins-infra/repository-permissions-updater/issues/3304#issuecomment-1544336383. Could you elaborate what this plugin would bring to the ecosystem which is not already provided by other plugins or integration?
@alecharp @NotMyFault
This is a 2FA plugin which enables the admin to enforce a second factor on the Jenkins side. Such a plugin is not yet available on the marketplace. We plan on adding several other methods as your second factor to secure your Jenkins instance. This plugin works with all security realms. We had received several requests for this plugin.
Thanks for the detailed answer. I don't believe the plugin is in a state yet where I would expect it on the Jenkins plugins portal. Given, its name doesn't live up to its purpose (yet). I'd keep this proposal on hold until the TODO list in the README has been worked through. Hosting half-baked plugins is not in our interest.
@NotMyFault I appreciate your feedback regarding the Jenkins 2FA plugin and your concerns about its current state. The current version of the plugin supports complete flow for the security questions as the 2nd factor for authentication in Jenkins. This is not half-baked as the admin can enforce 2FA for their users thus improving the security for the Jenkins instance. Also, as mentioned earlier we had received requests for this plugin from some Jenkins users.
As far as the TODO list in README is concerned, we are going to prioritize and develop the other methods as per user requests. So many user-management-related features along with these methods will be rolled out in future timely releases by our team.
I kindly request you to reconsider putting it on hold. We are confident in our ability to address the remaining tasks promptly and would appreciate the opportunity to continue the approval process.
@alecharp We have implemented the changes pointed out by you. Kindly let us know if anything else needs to be done and also let us know the further steps.
> complete flow for the security questions as the 2nd factor for authentication this is not half-baked as the admin can enforce 2FA

I sought sources backing these points up, but even OWASP recommends against it. Therefore, I won't reconsider my previous comment, until the plugins adds at least one actual 2FA method, which is not covered by existing plugins yet.
@NotMyFault Thanks for providing the insight. We would like to assure you that we have taken your feedback into account, and we are committed to implementing at least one unique and distinct 2FA method as per your demand. Our team will work diligently to ensure that the plugin meets your expectations and provides added value to the Jenkins community.
We value your support and engagement in this process, and we will keep you updated on the progress of the plugin's development. If you have any further suggestions or specific requirements, please feel free to share them with us.
/hosting re-check
Hello from your friendly Jenkins Hosting Checker
It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.
<jenkins.version>2.361.1</jenkins.version>
to at least 2.387.3 in your pom.xml. Take a look at the baseline recommendations.
You can re-trigger a check by editing your hosting request or by commenting /hosting re-check
@NotMyFault we have added OTP Over Email method for authentication as per your comment and OWASP guidelines.
Please let us know if you have any further suggestions.
/hosting re-check
Hello from your friendly Jenkins Hosting Checker
It looks like you have everything in order for your hosting request. A member of the Jenkins hosting team will check over things that I am not able to check (code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.
Hosting team members can host this request with /hosting host
@alecharp @NotMyFault We have made changes in the plugin as per your suggestions and added the OTP Over Email method for authentication. Could you let us know if any more work is required from our side or the next steps which are needed to get the plugin on the marketplace?
@NotMyFault @alecharp We recently updated the plugin accordingly to your requirements. We understand that you may be busy, but we wanted to check on the status of our submission and see if there were any updates or feedback. If there are any changes or improvements required to meet the submission guidelines, we are more than willing to work on them promptly.
Please let us know if there's any additional information you need from our end to process the submission or if there's an estimated timeline for review. Thank you for your time, and I'm looking forward to hearing back from you soon.
Thanks for adding the changes requested. I am short on time and haven't had the chance yet to take a look at the changes done, but I have some feedback for you:
- `.github` within the repository root directory with the following files and subdirectories: https://github.com/jenkinsci/archetypes/tree/master/common-files/.github
- `.mvn` folder within the repository root directory with the following files: https://github.com/jenkinsci/archetypes/tree/master/common-files/.mvn
- `io.jenkins.plugins` doesn't match your actual groupId used: https://github.com/miniOrangeDev/miniorange-two-factor/tree/master/src/main/java/com/miniorange/ Please move classes and files from `com.miniorange` to `io.jenkins.plugins` matching the default groupId.
- `jenkins.version` used.
- `20230618`.
- `mvn clean verify package`.
- `one-column` type, like in https://github.com/jenkinsci/jenkins/blob/d841f1d1f7bd3a164c00cdfa2048df0e2ed9746d/core/src/main/resources/jenkins/agents/CloudSet/new.jelly#L35
- `MoGlobalConfig` shouldn't be stored in the controller's root directory, but rather in the plugin's directory.

@NotMyFault Thank you for pointing out the above issues. We appreciate you taking out the time and posting the response. We are actively working on the above suggestions and will update once it's done.
@NotMyFault We have diligently addressed the suggestions you highlighted and have taken every effort to ensure that the plugin meets the high standards set by the Jenkins Marketplace. We kindly request you to review the updated version of our plugin at your earliest convenience. We are ready and willing to provide any necessary information or make further modifications to expedite the review process, as this has been ongoing for a long time and a few of our users are waiting for this plugin.
/request-security-scan
The Jenkins Security Scan discovered 20 finding(s) :mag:. For each of them, either apply the recommended correction, suppress the warning or provide a justification.
Once you're done, either re-run the scan with /request-security-scan or request the Security team to review your justifications with /audit-review.
You can find detailed information about this finding here.
/request-security-scan
The Jenkins Security Scan discovered 2 finding(s) :mag:. For each of them, either apply the recommended correction, suppress the warning or provide a justification.
Once you're done, either re-run the scan with /request-security-scan or request the Security team to review your justifications with /audit-review.
You can find detailed information about this finding here.
/request-security-scan
The Jenkins Security Scan did not find anything dangerous with your plugin, congratulations! :tada:
:bulb: The Security team recommends that you are setting up the scan in your repository by following our guide.
@NotMyFault We have fixed all the issues pointed out by the security scan. Kindly let us know the next steps required to publish the plugin on the Jenkins marketplace.
/hosting re-check
Hello from your friendly Jenkins Hosting Checker
It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.
<jenkins.version>2.361.4</jenkins.version>
to at least 2.387.3 in your pom.xml. Take a look at the baseline recommendations.
You can re-trigger a check by editing your hosting request or by commenting /hosting re-check
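The baseline check the hosting checker keeps flagging above (a `<jenkins.version>` in pom.xml older than the current minimum), reproduced as an added example so a plugin author can run it locally before commenting `/hosting re-check`. This is not the Hosting Checker's own code: the pom.xml fragment is constructed for the example, the 2.387.3 minimum is simply the value quoted in this thread, and the parser only looks at a literal `<properties><jenkins.version>` value (it does not resolve Maven property references or a parent pom).

```python
"""Check the Jenkins core baseline declared in a plugin pom.xml.

Added example, not the Jenkins Hosting Checker's implementation: it only
reads a literal <jenkins.version> under <properties> and compares it, as a
dotted numeric version, against a minimum passed in by the caller.
"""
import re
import xml.etree.ElementTree as ET

# Maven POM namespace; every element in a pom.xml lives under it.
POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed pom.xml fragment with the property the checker flagged above.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>io.jenkins.plugins</groupId>
  <artifactId>example</artifactId>
  <packaging>hpi</packaging>
  <properties>
    <jenkins.version>2.361.4</jenkins.version>
  </properties>
</project>
"""


def parse_version(text):
    """Turn '2.387.3' into (2, 387, 3); a missing patch component counts as 0.

    Raises ValueError for anything that is not purely numeric, so a
    '${...}' property reference is reported instead of silently passing.
    """
    parts = text.strip().split(".")
    if not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError(f"not a numeric Jenkins version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def declared_jenkins_version(pom_xml):
    """Return the <jenkins.version> property text, or None if absent."""
    root = ET.fromstring(pom_xml)
    node = root.find("m:properties/m:jenkins.version", POM_NS)
    if node is None or not node.text:
        return None
    return node.text.strip()


def check_baseline(pom_xml, minimum):
    """Return (ok, declared, minimum).

    ok is False when the pom declares no baseline or one older than
    `minimum`; the declared value is returned so a report can quote it.
    """
    declared = declared_jenkins_version(pom_xml)
    if declared is None:
        return False, None, minimum
    return parse_version(declared) >= parse_version(minimum), declared, minimum


if __name__ == "__main__":
    ok, declared, minimum = check_baseline(SAMPLE_POM, "2.387.3")
    status = "OK" if ok else "Required: update jenkins.version"
    print(f"{status}: declared {declared}, minimum {minimum}")
```

Run it against a real pom.xml by reading the file into `check_baseline`; when the pom inherits `jenkins.version` from a parent or sets it through a property, `declared_jenkins_version` returns None or `parse_version` raises, which is the point at which the example stops and `mvn help:evaluate` or the checker itself is the right tool.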
The first two bullet points in https://github.com/jenkins-infra/repository-permissions-updater/issues/3304#issuecomment-1657121775 remained unaddressed.
Repository URL
https://github.com/miniOrangeDev/miniorange-two-factor
New Repository Name
miniorange-two-factor-plugin
Description
Two-Factor Authentication for Jenkins Plugin adds a layer of security to Jenkins authentication by requiring users to provide a second factor of authentication along with their username and password. It enhances the overall security of your Jenkins environment. Additionally, this plugin does not require you to extend the security realm, making it easier to implement and use.
GitHub users to have commit permission
Jenkins project users to have release permission
Issue tracker
Jira