search

jenkins-infra / repository-permissions-updater

Artifactory permissions synchronization tool and data set
77 stars 1.03k forks source link

Amazon Inspector Plugin Hosting Request #3634

Closed waltwilo closed 9 months ago

waltwilo commented 10 months ago

Repository URL

https://github.com/aws/amazon-inspector-container-image-scanner-jenkins-plugin

New Repository Name

amazon-inspector-image-scanner-plugin

Description

This plugin will allow users to scan container images from within their CICD pipelines using Amazon Inspector.

GitHub users to have commit permission

@naveshal @waltwilo @bluesentinelsec @riyli @TheTrueKen @cjbaco @awsactran

Jenkins project users to have release permission

inspector_opensource

Issue tracker

GitHub issues

jenkins-cert-app commented 10 months ago

Security audit, information and commands

The security team is auditing all the hosting requests, to ensure a better security by default.

This message informs you that a Jenkins Security Scan was triggered on your repository. It takes ~10 minutes to complete.

Commands The bot will parse all comments, and it will check if any line start with a command. Security team only:
  • /audit-ok => the audit is complete, the hosting can continue :tada:.
  • /audit-skip => the audit is not necessary, the hosting can continue :tada:.
  • /audit-findings => the audit reveals some issues that require corrections :pencil2:.
Anyone:
  • /request-security-scan => the findings from the Jenkins Security Scan were corrected, this command will re-scan your repository :mag:.
  • /audit-review => the findings from the audit were corrected, this command will ping the security team to review the findings :eyes:. It's only applicable when the previous audit required changes.
Only one command can be requested per comment.

(automatically generated message, version: 1.26.21)

github-actions[bot] commented 10 months ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

jenkins-cert-app commented 10 months ago

The Jenkins Security Scan discovered 13 finding(s) :mag:. For each of them, either apply the recommended correction, suppress the warning or provide a justification.

Once you're done, either re-run the scan with /request-security-scan or request the Security team to review your justifications with /audit-review.

Jenkins: Missing permission check on a form fill web method with credentials lookup

You can find detailed information about this finding here.

AmazonInspectorBuilder.java#290 ``` doFillDockerUsernameItems should perform a permission check before calling #lookupCredentials ```
AmazonInspectorBuilder.java#286 ``` doFillSessionTokenIdItems should perform a permission check before calling #lookupCredentials ```
AmazonInspectorBuilder.java#282 ``` doFillSecretKeyIdItems should perform a permission check before calling #lookupCredentials ```
AmazonInspectorBuilder.java#278 ``` doFillAccessKeyIdItems should perform a permission check before calling #lookupCredentials ```

Stapler: Missing POST/RequirePOST annotation

You can find detailed information about this finding here.

AmazonInspectorBuilder.java#290 ``` Potential CSRF vulnerability: If DescriptorImpl#doFillDockerUsernameItems connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AmazonInspectorBuilder.java#286 ``` Potential CSRF vulnerability: If DescriptorImpl#doFillSessionTokenIdItems connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AmazonInspectorBuilder.java#282 ``` Potential CSRF vulnerability: If DescriptorImpl#doFillSecretKeyIdItems connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```
AmazonInspectorBuilder.java#278 ``` Potential CSRF vulnerability: If DescriptorImpl#doFillAccessKeyIdItems connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```

Stapler: Missing permission check

You can find detailed information about this finding here.

AmazonInspectorBuilder.java#290 ``` Potential missing permission check in DescriptorImpl#doFillDockerUsernameItems ```
AmazonInspectorBuilder.java#286 ``` Potential missing permission check in DescriptorImpl#doFillSessionTokenIdItems ```
AmazonInspectorBuilder.java#282 ``` Potential missing permission check in DescriptorImpl#doFillSecretKeyIdItems ```
AmazonInspectorBuilder.java#278 ``` Potential missing permission check in DescriptorImpl#doFillAccessKeyIdItems ```

Jenkins: Plaintext password storage

You can find detailed information about this finding here.

SbomgenRunner.java#21 ``` Field should be reviewed whether it stores a password and is serialized to disk: dockerPassword ```
waltwilo commented 9 months ago

/hosting re-check

github-actions[bot] commented 9 months ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

waltwilo commented 9 months ago

/hosting re-check

github-actions[bot] commented 9 months ago

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

github-actions[bot] commented 9 months ago

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A member of the Jenkins hosting team will check over things that I am not able to check(code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

waltwilo commented 9 months ago

/request-security-scan

jenkins-cert-app commented 9 months ago

The Jenkins Security Scan did not find anything dangerous with your plugin, congratulations! :tada:

:bulb: The Security team recommends that you are setting up the scan in your repository by following our guide.

waltwilo commented 9 months ago

/audit-review

I've suppressed the password storage error. It is never stored in config as it's retrieved via the username and never saved to disk. The dockerPassword variable is only used to pass to an SBOM scanning tool in the case that a user wants to scan a private repository.

alecharp commented 9 months ago

Hello, please see what I found on your plugin:

I need to spend more time on that class. I think there are other potential issues there.

waltwilo commented 9 months ago

Is sts a sdk from AWS? Could it be made into a plugin like in https://github.com/jenkinsci/aws-java-sdk-plugin? Same for utils, inspectorscan, apache-client and aws-json-protocol?

Those dependencies are all used to interact with AWS, unfortunately, they cannot be made into Jenkins plugins. They are all sourced from https://mvnrepository.com/artifact/software.amazon.awssdk

I'm not sure how you are using the index.html file as you are not using a normal output directory

The plugin adds data to index.html at the end of the build which is copied to the workspace as a build report.

Screenshot 2023-11-27 at 3 30 27 PM

I don't know how different the Amazon code of conduct is from the Jenkins community but I don't know if we can have a different one from the community standards.

The code of conducts should be compatible with each other, Amazon's essentially only prevents harassment. https://aws.github.io/code-of-conduct

I would suggest to use release-drafter to generate your release notes and not use any CHANGELOG file, but that is really just a suggestion.

Didn't know this existed, I'll incorporate it into the repo.

waltwilo commented 9 months ago

As for the credentials, I'm looking into it but would it be possible to delay that change until after the plugin is released?

waltwilo commented 9 months ago

I've fixed all comments not mentioned previously by me.

timja commented 9 months ago

Those dependencies are all used to interact with AWS, unfortunately, they cannot be made into Jenkins plugins. They are all sourced from mvnrepository.com/artifact/software.amazon.awssdk

They aren't Jenkins plugins as such that they contribute code, they just wrap libraries so that only one instance of a library is deployed to Jenkins, see the existing AWS ones: https://github.com/jenkinsci/aws-java-sdk-plugin

https://www.jenkins.io/doc/developer/plugin-development/dependencies-and-class-loading/#bundling-third-party-libraries

Wadeck commented 9 months ago

/audit-ok

No need to request review if the bot is happy with your actions ;)

alecharp commented 9 months ago

For the sdk librairies. I don't think it would be a blocker for the hosting. This can be dealt with later but it has to be dealt with for sure.

The credentials on the other hand is problematic for me. Once you have a customer using the username, you will have to deal with the configuration transformation, which will be a pain or even not possible automatically. Please transform the username into a credentialsId and use the credentials plugin. That shouldn't be too long as you already used the credentials API in your code.

waltwilo commented 9 months ago

@alecharp Alright I've updated it to use the credential ID instead of the username.

https://github.com/aws/amazon-inspector-container-image-scanner-jenkins-plugin/commit/8440e44c203edf6655dff95ec26994cfa5d5c9c9

alecharp commented 9 months ago

Thanks.

There are others issues within the code but nothing that cannot be resolved once hosted:

I don't see anything blocking the hosting process to go forward here.

timja commented 9 months ago

/hosting host

jenkins-infra-bot commented 9 months ago

Hosting request complete, the code has been forked into the jenkinsci project on GitHub as https://github.com/jenkinsci/amazon-inspector-image-scanner-plugin

GitHub issues has been selected for issue tracking and was enabled for the forked repo.

A pull request has been created against the repository permissions updater to setup release permissions. Additional users can be added by modifying the created file.

Please delete your original repository (if there are no other forks), under 'Danger Zone', so that the jenkinsci organization repository is the definitive source for the code. If there are other forks, please contact GitHub support to make the jenkinsci repo the root of the fork network (mention that Jenkins approval was given in support request 569994). Also, please make sure you properly follow the documentation on documenting your plugin so that your plugin is correctly documented.

You will also need to do the following in order to push changes and release your plugin:

In order for your plugin to be built by the Jenkins CI Infrastructure and check pull requests, please add a Jenkinsfile to the root of your repository with the following content: https://github.com/jenkinsci/archetypes/blob/master/common-files/Jenkinsfile

Welcome aboard!

alecharp commented 9 months ago

@waltwilo don't forget to delete the original repository. If you need one, you can fork the jenkinsci one back into aws organization.

waltwilo commented 9 months ago

@alecharp does deletion need to be done before the marketplace release? I was planning on contacting github support to make the jenkins repo the root.

timja commented 9 months ago

@alecharp does deletion need to be done before the marketplace release? I was planning on contacting github support to make the jenkins repo the root.

either works, and yes a support request will do it too