Closed waltwilo closed 9 months ago
Security audit, information and commands
The security team is auditing all the hosting requests, to ensure a better security by default.
This message informs you that a Jenkins Security Scan was triggered on your repository. It takes ~10 minutes to complete.
/audit-ok
=> the audit is complete, the hosting can continue :tada:./audit-skip
=> the audit is not necessary, the hosting can continue :tada:./audit-findings
=> the audit reveals some issues that require corrections :pencil2:./request-security-scan
=> the findings from the Jenkins Security Scan were corrected, this command will re-scan your repository :mag:./audit-review
=> the findings from the audit were corrected, this command will ping the security team to review the findings :eyes:.
It's only applicable when the previous audit required changes.(automatically generated message, version: 1.26.21)
Hello from your friendly Jenkins Hosting Checker
It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.
<jenkins.version>2.361.4</jenkins.version>
to at least 2.387.3 in your pom.xml. Take a look at the baseline recommendations.amazon-inspector-scanner
) is incorrect, it should be amazon-inspector-container-image-scanner-jenkins
('New Repository Name' field with "-plugin" removed)You can re-trigger a check by editing your hosting request or by commenting /hosting re-check
The Jenkins Security Scan discovered 13 finding(s) :mag:. For each of them, either apply the recommended correction, suppress the warning or provide a justification.
Once you're done, either re-run the scan with /request-security-scan
or request the Security team to review your justifications with /audit-review
.
You can find detailed information about this finding here.
You can find detailed information about this finding here.
You can find detailed information about this finding here.
You can find detailed information about this finding here.
/hosting re-check
Hello from your friendly Jenkins Hosting Checker
It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.
amazon-inspector-container-image-scanner-jenkins
) should not contain "Jenkins"amazon-inspector-container-image-scanner-jenkins
from the pom.xml is incorrect, it must have less than 37 characters, currently it has 48 charactersYou can re-trigger a check by editing your hosting request or by commenting /hosting re-check
/hosting re-check
Hello from your friendly Jenkins Hosting Checker
It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.
amazon-inspector-image-scanner
) is incorrect, it should be amazon-inspector-container-image-scanner-jenkins
('New Repository Name' field with "-plugin" removed)You can re-trigger a check by editing your hosting request or by commenting /hosting re-check
Hello from your friendly Jenkins Hosting Checker
It looks like you have everything in order for your hosting request. A member of the Jenkins hosting team will check over things that I am not able to check(code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.
Hosting team members can host this request with /hosting host
/request-security-scan
The Jenkins Security Scan did not find anything dangerous with your plugin, congratulations! :tada:
:bulb: The Security team recommends that you are setting up the scan in your repository by following our guide.
/audit-review
I've suppressed the password storage error. It is never stored in config as it's retrieved via the username and never saved to disk. The dockerPassword
variable is only used to pass to an SBOM scanning tool in the case that a user wants to scan a private repository.
Hello, please see what I found on your plugin:
mvn tidy:pom
on your project, this would help humans to read the pom.xml
files.sts
a sdk from AWS? Could it be made into a plugin like in https://github.com/jenkinsci/aws-java-sdk-plugin? Same for utils
, inspectorscan
, apache-client
and aws-json-protocol
?index.html
file as you are not using a normal output directory for it https://github.com/aws/amazon-inspector-container-image-scanner-jenkins-plugin/blob/ac12140bddfbc1813f241c09f1634529e3078d8e/pom.xml#L152-L175Jenkinsfile
must be at the root of the repository, not in /docs/
(https://github.com/aws/amazon-inspector-container-image-scanner-jenkins-plugin/blob/main/docs/Jenkinsfile)/docs/SECURITY.md
file, there is a security policy in the community that is, I think, enforced on all plugins (cc @jenkins-infra/security)release-drafter
to generate your release notes and not use any CHANGELOG
file, but that is really just a suggestion.AmazonInspectorBuilder
, I would suggest not to browse though all the available credentials and stop on the first one having the username configured by the user, because users might be using the same username for many many many different system. Please see https://github.com/jenkinsci/credentials-plugin/blob/master/docs/consumer.adoc to see how to use credentialsId
in your configuration. This would also prevent to have another copy of the credentials list in memory (UsernameCredentialsHelper.java)I need to spend more time on that class. I think there are other potential issues there.
Is sts a sdk from AWS? Could it be made into a plugin like in https://github.com/jenkinsci/aws-java-sdk-plugin? Same for utils, inspectorscan, apache-client and aws-json-protocol?
Those dependencies are all used to interact with AWS, unfortunately, they cannot be made into Jenkins plugins. They are all sourced from https://mvnrepository.com/artifact/software.amazon.awssdk
I'm not sure how you are using the index.html file as you are not using a normal output directory
The plugin adds data to index.html at the end of the build which is copied to the workspace as a build report.
I don't know how different the Amazon code of conduct is from the Jenkins community but I don't know if we can have a different one from the community standards.
The code of conducts should be compatible with each other, Amazon's essentially only prevents harassment. https://aws.github.io/code-of-conduct
I would suggest to use release-drafter to generate your release notes and not use any CHANGELOG file, but that is really just a suggestion.
Didn't know this existed, I'll incorporate it into the repo.
As for the credentials, I'm looking into it but would it be possible to delay that change until after the plugin is released?
I've fixed all comments not mentioned previously by me.
Those dependencies are all used to interact with AWS, unfortunately, they cannot be made into Jenkins plugins. They are all sourced from mvnrepository.com/artifact/software.amazon.awssdk
They aren't Jenkins plugins as such that they contribute code, they just wrap libraries so that only one instance of a library is deployed to Jenkins, see the existing AWS ones: https://github.com/jenkinsci/aws-java-sdk-plugin
/audit-ok
No need to request review if the bot is happy with your actions ;)
For the sdk librairies. I don't think it would be a blocker for the hosting. This can be dealt with later but it has to be dealt with for sure.
The credentials on the other hand is problematic for me. Once you have a customer using the username, you will have to deal with the configuration transformation, which will be a pain or even not possible automatically.
Please transform the username into a credentialsId and use the credentials
plugin. That shouldn't be too long as you already used the credentials API in your code.
@alecharp Alright I've updated it to use the credential ID instead of the username.
Thanks.
There are others issues within the code but nothing that cannot be resolved once hosted:
I don't see anything blocking the hosting process to go forward here.
/hosting host
Hosting request complete, the code has been forked into the jenkinsci project on GitHub as https://github.com/jenkinsci/amazon-inspector-image-scanner-plugin
GitHub issues has been selected for issue tracking and was enabled for the forked repo.
A pull request has been created against the repository permissions updater to setup release permissions. Additional users can be added by modifying the created file.
Please delete your original repository (if there are no other forks), under 'Danger Zone', so that the jenkinsci organization repository is the definitive source for the code. If there are other forks, please contact GitHub support to make the jenkinsci repo the root of the fork network (mention that Jenkins approval was given in support request 569994). Also, please make sure you properly follow the documentation on documenting your plugin so that your plugin is correctly documented.
You will also need to do the following in order to push changes and release your plugin:
In order for your plugin to be built by the Jenkins CI Infrastructure and check pull requests, please add a Jenkinsfile to the root of your repository with the following content: https://github.com/jenkinsci/archetypes/blob/master/common-files/Jenkinsfile
Welcome aboard!
@waltwilo don't forget to delete the original repository. If you need one, you can fork the jenkinsci
one back into aws
organization.
@alecharp does deletion need to be done before the marketplace release? I was planning on contacting github support to make the jenkins repo the root.
@alecharp does deletion need to be done before the marketplace release? I was planning on contacting github support to make the jenkins repo the root.
either works, and yes a support request will do it too
Repository URL
https://github.com/aws/amazon-inspector-container-image-scanner-jenkins-plugin
New Repository Name
amazon-inspector-image-scanner-plugin
Description
This plugin will allow users to scan container images from within their CICD pipelines using Amazon Inspector.
GitHub users to have commit permission
@naveshal @waltwilo @bluesentinelsec @riyli @TheTrueKen @cjbaco @awsactran
Jenkins project users to have release permission
inspector_opensource
Issue tracker
GitHub issues