Dynamic workers plugin for Yandex Cloud

demenevai commented 1 year ago

Repository URL

https://github.com/Software-Cats/jenkins-yandex-cloud

New Repository Name

yandex-cloud-workers-plugin

Description

This plugin provides integration with Jenkins and Yandex Cloud.

Functionality:

requests virtual machines on demand by job labels or for any build task
multiple templates of VM
custom OS images support
shutdown or terminate VM after build (may be tuned by settings)

Goals solved by the plugin:

reduce cost of build system on cloud environment
optimize cases, when you need a large VM for build particular application (like game engine)

GitHub users to have commit permission

@demenevai @petrovvich @Th3Ch3shir3Cat @sam-bondarev

Jenkins project users to have release permission

ademenev sbondarev th3ch3shir3cat petrovich

Issue tracker

GitHub issues

jenkins-cert-app commented 1 year ago

Security audit, information and commands

The security team is auditing all the hosting requests, to ensure a better security by default.

This message informs you that a Jenkins Security Scan was triggered on your repository. It takes ~10 minutes to complete.

Commands

The bot will parse all comments, and it will check if any line start with a command. Security team only:

/audit-ok => the audit is complete, the hosting can continue :tada:.
/audit-skip => the audit is not necessary, the hosting can continue :tada:.
/audit-findings => the audit reveals some issues that require corrections :pencil2:.

Anyone:

/request-security-scan => the findings from the [Jenkins Security Scan](https://www.jenkins.io/doc/developer/security/scan/) were corrected, this command will re-scan your repository :mag:.
/audit-review => the findings from the audit were corrected, this command will ping the security team to review the findings :eyes:. It's only applicable when the previous audit required changes.

Only one command can be requested per comment.

(automatically generated message, version: 1.17.23)

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

:no_entry: Required: Your baseline specified does not meet the minimum Jenkins version required, please update <jenkins.version>2.361.4</jenkins.version> to at least 2.387.3 in your pom.xml. Take a look at the baseline recommendations.
:no_entry: Required: You must specify an <scm> block in your pom.xml. See https://maven.apache.org/pom.html#SCM for more information.
:no_entry: Required: You must add a 'groupId' in your pom.xml with the value io.jenkins.plugins.
:no_entry: Required: The pom.xml file in the root of the origin repository is not valid
:no_entry: Required: The parent pom version '4.54' should be at least '4.65' or higher.
:no_entry: Required: The 'artifactId' from the pom.xml (yc) is incorrect, it should be jenkinsci/yandex-cloud-workers ('New Repository Name' field with "-plugin" removed)
:no_entry: Required: Please specify a license in your pom.xml file using the <licenses> tag. See https://maven.apache.org/pom.html#Licenses for more information.
:no_entry: Required: 'New Repository Name' must end with "-plugin" (disregard if you are not requesting hosting of a plugin)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

jenkins-cert-app commented 1 year ago

The Jenkins Security Scan discovered 1 finding(s) :mag:. For each of them, either apply the recommended correction, suppress the warning or provide a justification.

Once you're done, either re-run the scan with /request-security-scan or request the Security team to review your justifications with /audit-review.

Stapler: Missing POST/RequirePOST annotation

You can find detailed information about this finding here.

YCComputer.java#70

``` Potential CSRF vulnerability: If YCComputer#doDoDelete connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```

demenevai commented 1 year ago

/hosting re-check

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

:no_entry: Required: The 'artifactId' from the pom.xml (yandex-cloud-workers) is incorrect, it should be jenkinsci/yandex-cloud-workers ('New Repository Name' field with "-plugin" removed)
:no_entry: Required: 'New Repository Name' must end with "-plugin" (disregard if you are not requesting hosting of a plugin)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

:no_entry: Required: The 'artifactId' from the pom.xml (yandex-cloud-workers) is incorrect, it should be jenkinsci/yandex-cloud-workers ('New Repository Name' field with "-plugin" removed)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

demenevai commented 1 year ago

/hosting re-check

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

:no_entry: Required: The 'artifactId' from the pom.xml (jenkinsci/yandex-cloud-workers) should not contain "Jenkins"

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

demenevai commented 1 year ago

/request-security-scan

jenkins-cert-app commented 1 year ago

:x: Jenkins Security Scan failed. The Security team was notified about this.

sam-bondarev commented 1 year ago

/hosting re-check

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

:no_entry: Required: The 'artifactId' from the pom.xml (yandex-cloud-workers) is incorrect, it should be jenkinsci/yandex-cloud-workers ('New Repository Name' field with "-plugin" removed)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

sam-bondarev commented 1 year ago

/hosting re-check

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

:no_entry: Required: The 'artifactId' from the pom.xml (yandex-cloud-workers) is incorrect, it should be jenkinsci/yandex-cloud-workers ('New Repository Name' field with "-plugin" removed)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

github-actions[bot] commented 1 year ago

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A member of the Jenkins hosting team will check over things that I am not able to check(code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

sam-bondarev commented 1 year ago

/request-security-scan

jenkins-cert-app commented 1 year ago

The Jenkins Security Scan discovered 1 finding(s) :mag:. For each of them, either apply the recommended correction, suppress the warning or provide a justification.

Once you're done, either re-run the scan with /request-security-scan or request the Security team to review your justifications with /audit-review.

Stapler: Missing POST/RequirePOST annotation

You can find detailed information about this finding here.

YCComputer.java#70

``` Potential CSRF vulnerability: If YCComputer#doDoDelete connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```

sam-bondarev commented 1 year ago

/request-security-scan

jenkins-cert-app commented 1 year ago

The Jenkins Security Scan did not find anything dangerous with your plugin, congratulations! :tada:

:bulb: The Security team recommends that you are setting up the scan in your repository by following our guide.

sam-bondarev commented 10 months ago

/audit-review

daniel-beck commented 10 months ago

@sam-bondarev Could you clarify why you requested a review? The wording is a bit ambiguous, but if you've addressed all findings and you have no questions, no review is needed.

sam-bondarev commented 10 months ago

Hi there! ) My question is: what is the further steps to achieve plugin hosting approval?

@sam-bondarev Could you clarify why you requested a review? The wording is a bit ambiguous, but if you've addressed all findings and you have no questions, no review is needed.

daniel-beck commented 10 months ago

@sam-bondarev Good question, I missed that this has been open since June as I'm just being summoned for the security audit.

@NotMyFault perhaps? AFAICT this has all checklists done.

NotMyFault commented 10 months ago

@sam-bondarev Good question, I missed that this has been open since June as I'm just being summoned for the security audit.

@NotMyFault perhaps? AFAICT this has all checklists done.

Can take a look next year, slipped here too oops

sam-bondarev commented 10 months ago

@sam-bondarev Good question, I missed that this has been open since June as I'm just being summoned for the security audit. @NotMyFault perhaps? AFAICT this has all checklists done.

Can take a look next year, slipped here too oops

Great news! would appreciate a lot )

NotMyFault commented 10 months ago

/hosting re-check

github-actions[bot] commented 10 months ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

:no_entry: Required: Your baseline specified does not meet the minimum Jenkins version required, please update <jenkins.version>2.387.3</jenkins.version> to at least 2.401.3 in your pom.xml. Take a look at the baseline recommendations.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

NotMyFault commented 10 months ago

Hey @sam-bondarev,

I took a brief look and have some feedback for you, alongside the outstanding bot comment above:

https://github.com/Software-Cats/jenkins-yandex-cloud/blob/81328846e1d0b7ca57568c4b88f637e89067aa41/.github/release-drafter.yml#L3 if you plan to use CD, please remove this line.
https://github.com/Software-Cats/jenkins-yandex-cloud/blob/main/CHANGELOG.md can be removed too. Changelogs are aggregated using GitHub releases, other files aren't used by the plugin manager.
https://github.com/Software-Cats/jenkins-yandex-cloud/blob/main/CONTRIBUTING.MD can be removed too, organization level files will be used instead
https://github.com/Software-Cats/jenkins-yandex-cloud/blob/main/Jenkinsfile please update your Jenkinsfile according to https://github.com/jenkinsci/archetypes/blob/master/common-files/Jenkinsfile
https://github.com/Software-Cats/jenkins-yandex-cloud/blob/81328846e1d0b7ca57568c4b88f637e89067aa41/pom.xml#L17 this should be removed from the pom and go into index.jelly. The description element in the pom is no longer used. The same applies to the <contributors> block, that can be removed in the same run.
Hudson.getInstance() is deprecated and should be replaced with Jenkins.get() in all occasions.
https://github.com/Software-Cats/jenkins-yandex-cloud/blob/81328846e1d0b7ca57568c4b88f637e89067aa41/src/main/java/io/jenkins/plugins/yc/YandexRetentionStrategy.java#L79 should be NonNull from FindBugs. Core doesn't ship ANTLR for the purpose of annotations.
https://github.com/Software-Cats/jenkins-yandex-cloud/blob/81328846e1d0b7ca57568c4b88f637e89067aa41/pom.xml#L95 is obsolete and should be removed. The BOM ships the version to use.
https://github.com/Software-Cats/jenkins-yandex-cloud/blob/81328846e1d0b7ca57568c4b88f637e89067aa41/pom.xml#L109 should be removed, same like above.
https://github.com/Software-Cats/jenkins-yandex-cloud/blob/81328846e1d0b7ca57568c4b88f637e89067aa41/pom.xml#L101-L105 instead of shading json yourself, you can depend on the jenkins plugin api: https://plugins.jenkins.io/json-api/dependencies/

sam-bondarev commented 10 months ago

/hosting re-check

github-actions[bot] commented 10 months ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

:no_entry: Required: Your baseline specified does not meet the minimum Jenkins version required, please update <jenkins.version>2.401.3</jenkins.version> to at least 2.414.3 in your pom.xml. Take a look at the baseline recommendations.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

sam-bondarev commented 10 months ago

/hosting re-check

github-actions[bot] commented 10 months ago

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A member of the Jenkins hosting team will check over things that I am not able to check(code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

sam-bondarev commented 10 months ago

@NotMyFault hi there ) All issues you noted have been resolved. Could you, please, have another look?

NotMyFault commented 10 months ago

/request-security-scan

NotMyFault commented 10 months ago

@NotMyFault hi there ) All issues you noted have been resolved. Could you, please, have another look?

Thanks!

Please exclude dependencies from the POM your plugin doesn't depend upon. 80M for a plugin is way to overkill: Screenshot 2024-01-17 at 22 13 49

jenkins-cert-app commented 10 months ago

The Jenkins Security Scan discovered 3 finding(s) :mag:. For each of them, either apply the recommended correction, suppress the warning or provide a justification.

Once you're done, either re-run the scan with /request-security-scan or request the Security team to review your justifications with /audit-review.

Jenkins: Plaintext password storage

You can find detailed information about this finding here.

ServiceAccount.java#20

``` Field should be reviewed whether it stores a password and is serialized to disk: publicKey ```

ServiceAccount.java#19

``` Field should be reviewed whether it stores a password and is serialized to disk: privateKey ```

ServiceAccount.java#17

``` Field should be reviewed whether it stores a password and is serialized to disk: keyAlgorithm ```

sam-bondarev commented 10 months ago

@NotMyFault Unfortunately we can not reduce size of cloud provider SDK library:

Is there any possibility to achieve approval without hpi size reduction?

sam-bondarev commented 10 months ago

/request-security-scan

sam-bondarev commented 10 months ago

/hosting re-check

github-actions[bot] commented 10 months ago

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A member of the Jenkins hosting team will check over things that I am not able to check(code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

jenkins-cert-app commented 10 months ago

The Jenkins Security Scan discovered 3 finding(s) :mag:. For each of them, either apply the recommended correction, suppress the warning or provide a justification.

Once you're done, either re-run the scan with /request-security-scan or request the Security team to review your justifications with /audit-review.

Jenkins: Plaintext password storage

You can find detailed information about this finding here.

ServiceAccount.java#19

``` Field should be reviewed whether it stores a password and is serialized to disk: publicKey ```

ServiceAccount.java#18

``` Field should be reviewed whether it stores a password and is serialized to disk: privateKey ```

ServiceAccount.java#16

``` Field should be reviewed whether it stores a password and is serialized to disk: keyAlgorithm ```

sam-bondarev commented 10 months ago

/request-security-scan

jenkins-cert-app commented 10 months ago

The Jenkins Security Scan did not find anything dangerous with your plugin, congratulations! :tada:

:bulb: The Security team recommends that you are setting up the scan in your repository by following our guide.

NotMyFault commented 10 months ago

@NotMyFault Unfortunately we can not reduce size of cloud provider SDK library:

Is there any possibility to achieve approval without hpi size reduction?

You are shading way more than just the SDK library. Hence I asked to work with exclusion rules to strip anything that is unneeded: Screenshot 2024-01-18 at 16 19 22

I am not confident that we will host a plugin literally draining gigabytes of artifactory storage with just a few incrementals and releases.

sam-bondarev commented 9 months ago

@NotMyFault Unfortunately we can not reduce size of cloud provider SDK library: Is there any possibility to achieve approval without hpi size reduction?

You are shading way more than just the SDK library. Hence I asked to work with exclusion rules to strip anything that is unneeded:

I am not confident that we will host a plugin literally draining gigabytes of artifactory storage with just a few incrementals and releases.

So as for now i reduced shaded libs count:

Is that ok now?

But hpi size reduction is not so much:

NotMyFault commented 9 months ago

/request-security-scan

NotMyFault commented 9 months ago

/hosting re-check

github-actions[bot] commented 9 months ago

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A member of the Jenkins hosting team will check over things that I am not able to check(code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

jenkins-cert-app commented 9 months ago

The Jenkins Security Scan did not find anything dangerous with your plugin, congratulations! :tada:

:bulb: The Security team recommends that you are setting up the scan in your repository by following our guide.

NotMyFault commented 9 months ago

/hosting host

jenkins-infra / repository-permissions-updater