jenkins-infra / repository-permissions-updater

Artifactory permissions synchronization tool and data set

Sec1 SCA SAST Security Plugin #4087

Closed rahuldarekar222 closed 2 weeks ago

rahuldarekar222 commented 1 month ago

Repository URL

https://github.com/sec0ne/secone-sca-sast-security-scanner

New Repository Name

secone-sca-sast-security-scanner-plugin

Description

The Sec1 Security plugin provides both SCA and SAST capabilities, enabling teams to scan SCM repositories for open-source vulnerabilities and analyze code to detect security issues early in development.

GitHub users to have commit permission

@rahuldarekar222 @saurabhthatte007

Jenkins project users to have release permission

rahuldarekar saurabhthatte_sec1

Issue tracker

Jira

jenkins-cert-app commented 1 month ago

Security audit, information and commands

The security team is auditing all the hosting requests to ensure better security by default.

This message informs you that a Jenkins Security Scan was triggered on your repository. It takes ~10 minutes to complete.

Commands

The bot will parse all comments and check whether any line starts with a command.

Security team only:
  • /audit-ok => the audit is complete, the hosting can continue :tada:.
  • /audit-skip => the audit is not necessary, the hosting can continue :tada:.
  • /audit-findings => the audit reveals some issues that require corrections :pencil2:.
Anyone:
  • /request-security-scan => the findings from the Jenkins Security Scan were corrected, this command will re-scan your repository :mag:.
  • /audit-review => the findings from the audit were corrected, this command will ping the security team to review the findings :eyes:. It's only applicable when the previous audit required changes.
Only one command can be requested per comment.

(automatically generated message, version: 1.29.12)

github-actions[bot] commented 1 month ago

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A member of the Jenkins hosting team will check over things that I am not able to check (code review, README content, etc.) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

jenkins-cert-app commented 1 month ago

The Jenkins Security Scan did not find anything dangerous with your plugin, congratulations! :tada:


:bulb: The Security team recommends that you set up the scan in your repository by following our guide.

rahuldarekar222 commented 1 month ago

can anyone update on the hosting request?

timja commented 2 weeks ago

/hosting re-check

github-actions[bot] commented 2 weeks ago

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A member of the Jenkins hosting team will check over things that I am not able to check (code review, README content, etc.) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

timja commented 2 weeks ago

Hi can you take a look at the below please, nothing major:

  1. you should depend on an LTS minimum version unless you need a newer feature from the weekly line, is there a reason you aren't using 2.462.1 - see https://www.jenkins.io/doc/developer/plugin-development/choosing-jenkins-baseline/?
  2. (nit) typo mockJenkkins https://github.com/sec0ne/secone-sca-sast-security-scanner/blob/main/src/test/java/io/jenkins/plugins/secone/security/SecOneScannerPluginTest.java#L454
  3. Don't repeat your plugin name in https://github.com/sec0ne/secone-sca-sast-security-scanner/blob/main/src/main/resources/index.jelly e.g. use Provides both SCA and SAST capabilities, enabling teams to scan SCM repositories for open-source vulnerabilities and analyze code to detect security issues early in development.
  4. resource leakage - http client should be closed: https://github.com/sec0ne/secone-sca-sast-security-scanner/blob/main/src/main/java/io/jenkins/plugins/secone/security/SecOneScannerPlugin.java#L529
  5. looks to be missing support for proxies, it should integrate with the Jenkins ProxyConfiguration class: https://github.com/sec0ne/secone-sca-sast-security-scanner/blob/main/src/main/java/io/jenkins/plugins/secone/security/object/factory/ObjectFactory.java#L18

rahuldarekar222 commented 2 weeks ago

@timja Done with suggested changes and committed them.

timja commented 2 weeks ago

  1. Nit, description should be active tense, Offers or Provides, rather than the plugin offers.
  2. Use try-with-resources https://github.com/sec0ne/secone-sca-sast-security-scanner/blob/main/src/main/java/io/jenkins/plugins/secone/security/SecOneScannerPlugin.java#L524C3-L524C65 - try (CloseableHttpClient client = objectFactory.createHttpClient()) then you can delete the finally block
  3. another place http client needs closing: https://github.com/sec0ne/secone-sca-sast-security-scanner/blob/main/src/main/java/io/jenkins/plugins/secone/security/SecOneScannerPlugin.java#L424
  4. Have you tested that this works on Jenkins agents? Normally you would work with Execution and FilePath to work on remote files / have a callable for running your CLI there? (special care needs to be taken with the `ProxyConfiguration` as that won't be available on the agent and needs to be passed down to the controller)
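
As an added illustration of the proxy and resource-leak points raised in the two review comments above (points 4 and 5 of the first list, points 2 and 3 of the second), not code from the plugin: a hypothetical `ProxyAwareHttp` helper that resolves `hudson.ProxyConfiguration` on the controller into an Apache HttpClient 4.x proxy (honouring the "No Proxy Host" list and proxy credentials) and closes both client and response with try-with-resources, so the `finally` block goes away.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URI;
import hudson.ProxyConfiguration;
import jenkins.model.Jenkins;
import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

public final class ProxyAwareHttp { // hypothetical helper, not the plugin's ObjectFactory
    /** Builds a client honouring the controller's proxy settings for targetHost.
     *  Controller only: Jenkins.get() and its ProxyConfiguration are not available on agents. */
    public static CloseableHttpClient createHttpClient(String targetHost) {
        HttpClientBuilder builder = HttpClients.custom();
        ProxyConfiguration pc = Jenkins.get().proxy; // null when no proxy is configured
        if (pc != null) {
            // createProxy() applies the "No Proxy Host" list: excluded hosts get Proxy.NO_PROXY
            Proxy proxy = pc.createProxy(targetHost);
            if (proxy.type() == Proxy.Type.HTTP) {
                InetSocketAddress addr = (InetSocketAddress) proxy.address();
                builder.setProxy(new HttpHost(addr.getHostString(), addr.getPort()));
                if (pc.getUserName() != null && !pc.getUserName().isEmpty()) {
                    BasicCredentialsProvider creds = new BasicCredentialsProvider();
                    creds.setCredentials(new AuthScope(addr.getHostString(), addr.getPort()),
                        new UsernamePasswordCredentials(pc.getUserName(), pc.getSecretPassword().getPlainText()));
                    builder.setDefaultCredentialsProvider(creds);
                }
            }
        }
        return builder.build();
    }
    /** try-with-resources closes response and client on every path; no finally block needed. */
    public static String get(String url) throws IOException {
        URI uri = URI.create(url);
        try (CloseableHttpClient client = createHttpClient(uri.getHost());
             CloseableHttpResponse response = client.execute(new HttpGet(uri))) {
            int status = response.getStatusLine().getStatusCode();
            if (status != 200) throw new IOException("HTTP " + status + " from " + uri.getHost());
            return EntityUtils.toString(response.getEntity());
        }
    }
}
```

If the request has to run on an agent, resolve the proxy host, port and credentials on the controller first and pass them to the callable as plain serializable values, since `Jenkins.get()` is not reachable from agent-side code.
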

rahuldarekar222 commented 2 weeks ago

@timja done with suggested changes. Also, for point 4: we are not executing any CLI; it's API-based execution.

timja commented 2 weeks ago

To point 4 then: have you tested it works with Jenkins agents (either on a different machine or in a docker container so you have full isolation)?

timja commented 2 weeks ago

@Wadeck what's with the TODO label being added?

Wadeck commented 2 weeks ago

The bot has some issues with the GH API to retrieve the reaction being posted or not on the message. I have to investigate and add a retry mechanism. The problem seems to come from the API but I am not totally sure (it was working fine before :D)

Wadeck commented 2 weeks ago

(currently correcting the bot behavior)

Wadeck commented 2 weeks ago

The bot was impacted by a node issue due to a recent upgrade. Normally the drunk behavior should be corrected now.

rahuldarekar222 commented 2 weeks ago

> To point 4 then have you tested it works with Jenkins agents, (either on a different machine or in a docker container so you have full isolation)

@timja yes we have tested it with Jenkins agents setup. PFA evidence for the same.

[Screenshot 2024-10-16 at 2 59 32 PM]

timja commented 2 weeks ago

/hosting host

jenkins-infra-bot commented 2 weeks ago

Hosting request complete, the code has been forked into the jenkinsci project on GitHub as https://github.com/jenkinsci/secone-sca-sast-security-scanner-plugin

A Jira component named [secone-sca-sast-security-scanner-plugin](https://issues.jenkins.io/issues/?jql=project+%3D+JENKINS+AND+component+%3D+secone-sca-sast-security-scanner-plugin) has also been created with rahuldarekar as the default assignee for issues.

A pull request has been created against the repository permissions updater to setup release permissions. Additional users can be added by modifying the created file.

Please delete your original repository (if there are no other forks), under 'Danger Zone', so that the jenkinsci organization repository is the definitive source for the code. If there are other forks, please contact GitHub support to make the jenkinsci repo the root of the fork network (mention that Jenkins approval was given in support request 569994). Also, please make sure you properly follow the documentation on documenting your plugin so that your plugin is correctly documented.

You will also need to do the following in order to push changes and release your plugin:

Welcome aboard!