Jenkins-specific warnings for GitHub code scanning


Daniel Beck

Oct 9, 2020, 2:00:39 PM
to Jenkins Developers
Hi everyone,

GitHub announced last week that their code scanning functionality is now generally available[1].

The Jenkins security team has worked on queries specifically for Jenkins and Jenkins plugins.

I'd now like to share them with a limited audience to get some initial feedback before we start rolling them out more widely.

If you're interested in getting your plugin code scanned and the results to appear in the GitHub UI, please file an issue in the Jenkins Jira INFRA project for the 'github' component with a list of plugins/repos you're maintaining and would like code scanning results to be reported to. I encourage all maintainers to sign up for this. I think the findings are generally of reasonably high quality, and even if not, the GitHub UI makes it really easy to hide irrelevant warnings.

Please note we're only scanning the default branch (typically 'master'), and only at irregular intervals. Future enhancements could integrate this with pull requests and run it on every commit on certain branches, but this is all still very new.

For now our queries aren't accessible publicly. If you're a regular contributor to Jenkins and interested in contributing to these Jenkins-specific code scanning queries, please reach out to me directly.


1: https://github.blog/2020-09-30-code-scanning-is-now-available/

tzach solomon

Oct 12, 2020, 4:59:43 AM
to jenkin...@googlegroups.com
Hi Daniel,

Thank you for this one.
How can I register the plugin https://plugins.jenkins.io/bitbucket/ for the security scans?

Thanks,
Tzach


Ullrich Hafner

Oct 12, 2020, 6:26:15 AM
to Jenkins Developers

tzach solomon

Oct 14, 2020, 1:03:55 AM
to jenkin...@googlegroups.com
Ullrich, thanks for the example :)

Tzach

Ullrich Hafner

Oct 18, 2020, 9:05:37 AM
to Jenkins Developers
Where should we report issues for false positives? I assume that those rules are written by a Jenkins community member, or are these general rules from Semmle?

Daniel Beck

Oct 19, 2020, 3:57:11 AM
to JenkinsCI Developers
On Sun, Oct 18, 2020 at 3:05 PM Ullrich Hafner <ullrich...@gmail.com> wrote:
> Where should we report issues for false positives? I assume that those rules are written by a Jenkins community member, or are these general rules from Semmle?

These are Jenkins-project-specific rules only; we use CodeQL as the tool/language, but not the default rules (which is also why we use a custom tool name: no conflict with the normal Semmle stuff if you choose to use that as well). Please reach out to me directly with feedback. There's currently no better (public) feedback channel for this.
