search

jenkins-infra / repository-permissions-updater

Artifactory permissions synchronization tool and data set
79 stars 1.06k forks source link

Aribot - Automated Threat Modeling powered by AI #3307

Closed aristiun closed 1 year ago

aristiun commented 1 year ago

Repository URL

https://github.com/Aristiun-B-V/aribot-plugin

New Repository Name

aribot-plugin

Description

Automated Threat Modeling is an AI-powered threat modeling solution that enables development teams and security professionals to automate the process of visualizing security threats in their application environments, especially in public cloud environments such as AWS and Azure. With the help of this powerful threat modeling solution, developers will be able to automatically create traceable security requirements across the lifecycle, auto-map the requirements to respected compliance frameworks such as NIST CSF (National Institute of Standards and Technology), verify the implementation status anytime, and generate Infrastructure as code templates for mitigating cloud-specific threats. This is genuinely moving security to the left.

It is hard to scale threat modeling because it is manual and tedious. The output of threat models is often not traceable across the application's lifecycle. Aribot uses multiple AI solutions to automate threat models from the solution designs, map to known regulatory standards such as NIST and create cloud specific security policies for auto-remediation.

Automated Threat Modeling is an AI-powered threat modeling solution that enables development teams and security professionals to automate the process of visualizing security threats in their application environments, especially in public cloud environments such as AWS and Azure. With the help of this powerful threat modeling solution, developers will be able to automatically create traceable security requirements across the lifecycle, auto-map the requirements to respected compliance frameworks such as NIST CSF (National Institute of Standards and Technology), verify the implementation status anytime, and generate Infrastructure as code templates for mitigating cloud-specific threats. This is genuinely moving security to the left.

Product Features:

  • AI-Powered solution automates the threat modeling process.
  • Automatically create traceable security requirements across the lifecycle.
  • Generates traceable security requirements with full visibility across the software life cycle.
  • Scales fast; within days, get a complete view of the list of most prone cloud components and applications.
  • Auto-maps security requirements to frameworks such as NIST for easy compliance requirements adherence.
  • Generate Infrastructure as code templates for mitigating public cloud-specific threats.
  • Comprehensive reporting & tracking feature that keeps a record of all remediation efforts taken by development teams and auto-updates the implementation status without any intervention from the dev teams.

Patents pending -> Europe - EP23020192.3, US IP 18135688, India - 202341029005

GitHub users to have commit permission

@aristiun @alex-didyk-syntech

Jenkins project users to have release permission

tejs

Issue tracker

Jira

jenkins-cert-app commented 1 year ago

Security audit, information and commands

The security team is auditing all the hosting requests, to ensure a better security by default.

This message informs you that a Jenkins Security Scan was triggered on your repository. It takes ~10 minutes to complete.

Commands The bot will parse all comments, and it will check if any line start with a command. Security team only:
  • /audit-ok => the audit is complete, the hosting can continue :tada:.
  • /audit-skip => the audit is not necessary, the hosting can continue :tada:.
  • /audit-findings => the audit reveals some issues that require corrections :pencil2:.
Anyone:
  • /request-security-scan => the findings from the [Jenkins Security Scan](https://www.jenkins.io/doc/developer/security/scan/) were corrected, this command will re-scan your repository :mag:.
  • /audit-review => the findings from the audit were corrected, this command will ping the security team to review the findings :eyes:. It's only applicable when the previous audit required changes.
Only one command can be requested per comment.

(automatically generated message, version: 1.17.14)

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

jenkins-cert-app commented 1 year ago

:x: Jenkins Security Scan failed. The Security team was notified about this.

NotMyFault commented 1 year ago

The repository linked is inaccessible.

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

aristiun commented 1 year ago

Do I need to make the repo public?

NotMyFault commented 1 year ago

Do I need to make the repo public?

Yes.

aristiun commented 1 year ago

done

aristiun commented 1 year ago

/hosting re-check

alex-didyk-syntech commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

https://github.com/Aristiun-B-V/aribot-plugin' is not a valid GitHub repository (check that you do not have .git at the end, GitHub API doesn't support this).

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

aristiun commented 1 year ago

/hosting re-check

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

alecharp commented 1 year ago

Hello @aristiun, I have a few comment on current repository.

alex-didyk-syntech commented 1 year ago

/hosting re-check

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

alex-didyk-syntech commented 1 year ago

Hello @aristiun, I have a few comment on current repository.

Done, recheck please

NotMyFault commented 1 year ago
NotMyFault commented 1 year ago

/request-security-scan

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A member of the Jenkins hosting team will check over things that I am not able to check(code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

jenkins-cert-app commented 1 year ago

The Jenkins Security Scan discovered 3 finding(s) :mag:. For each of them, either apply the recommended correction, suppress the warning or provide a justification.

Once you're done, either re-run the scan with /request-security-scan or request the Security team to review your justifications with /audit-review.

Stapler: Missing POST/RequirePOST annotation

You can find detailed information about this finding here.

AristiunAribotBuilder.java#215 ``` Potential CSRF vulnerability: If DescriptorImpl#doFillCredentialsItems connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```

Stapler: Missing permission check

You can find detailed information about this finding here.

AristiunAribotBuilder.java#200 ``` Potential missing permission check in DescriptorImpl#doCheckName ```

Jenkins: Plaintext password storage

You can find detailed information about this finding here.

AristiunAribotBuilder.java#68 ``` Field should be reviewed whether it stores a password and is serialized to disk: credentials ```
alex-didyk-syntech commented 1 year ago

The Jenkins Security Scan discovered 3 finding(s) mag. For each of them, either apply the recommended correction, suppress the warning or provide a justification.

Once you're done, either re-run the scan with /request-security-scan or request the Security team to review your justifications with /audit-review.

Stapler: Missing POST/RequirePOST annotation

You can find detailed information about this finding here.

AristiunAribotBuilder.java#215

Stapler: Missing permission check

You can find detailed information about this finding here.

AristiunAribotBuilder.java#200

Jenkins: Plaintext password storage

You can find detailed information about this finding here.

AristiunAribotBuilder.java#68

Hello. This variable stores just credentials identifier, should I rename it credentialsId for it to be more clear?

aristiun commented 1 year ago

/audit-review

yaroslavafenkin commented 1 year ago

[ASSIST]

Hello. This variable stores just credentials identifier, should I rename it credentialsId for it to be more clear?

Renaming should do it. Alternatively you can just suppress the warning as it's a false positive.

alex-didyk-syntech commented 1 year ago

/audit-review

yaroslavafenkin commented 1 year ago

/request-security-scan

jenkins-cert-app commented 1 year ago

The Jenkins Security Scan did not find anything dangerous with your plugin, congratulations! :tada:

:bulb: The Security team recommends that you are setting up the scan in your repository by following our guide.

aristiun commented 1 year ago

/hosting re-check

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A member of the Jenkins hosting team will check over things that I am not able to check(code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

NotMyFault commented 1 year ago

/hosting host

jenkins-infra-bot commented 1 year ago

Hosting request complete, the code has been forked into the jenkinsci project on GitHub as https://github.com/jenkinsci/aribot-plugin

A Jira component named aribot-plugin has also been created with tejs as the default assignee for issues.

A pull request has been created against the repository permissions updater to setup release permissions. Additional users can be added by modifying the created file.

Please delete your original repository (if there are no other forks), under 'Danger Zone', so that the jenkinsci organization repository is the definitive source for the code. If there are other forks, please contact GitHub support to make the jenkinsci repo the root of the fork network (mention that Jenkins approval was given in support request 569994). Also, please make sure you properly follow the documentation on documenting your plugin so that your plugin is correctly documented.

You will also need to do the following in order to push changes and release your plugin:

In order for your plugin to be built by the Jenkins CI Infrastructure and check pull requests, please add a Jenkinsfile to the root of your repository with the following content: https://github.com/jenkinsci/archetypes/blob/master/common-files/Jenkinsfile

Welcome aboard!