Plugin for adoption: OWASP Dependency Check


kudos-dude

Nov 10, 2021, 3:49:45 PM
to Jenkins Developers
I adopted this plugin back in April, but my circumstances have changed.

I need to formally place this plugin back into a "Seeking a new maintainer" state. I believe there was interest in the recent past in adopting the plugin; at that stage I stated that I was placing the plugin up for adoption again and was willing to transfer ownership. The conversation did not progress and, as a result, I still own it.

I have since received communication about additional work required for the plugin, but as stated above, I simply don't have time. I'd go into the reasons why, but this isn't my personal blog, so I'll spare the details.

I don't know what the official requirements are for making this concrete, so I ask any officials within this forum to please take this request across the finish line.

Mark Waite

Nov 10, 2021, 4:04:23 PM
to Jenkins Developers
Thanks for adopting it in April.

The easiest way to list it as "Seeking a new maintainer" is to place the topic "adopt-this-plugin" on the GitHub repository. Refer to https://github.com/jenkinsci/run-condition-plugin and the "adopt-this-plugin" topic that is assigned towards the upper right corner of the list of files.

Ullrich Hafner

Nov 11, 2021, 9:10:37 AM
to JenkinsCI Developers
As a side note for this plugin: if someone is willing to refactor the existing parser so that it writes its output to the object model of the analysis-model plugin instead, then we can simply integrate it into the parser collections of the warnings plugin. The whole OWASP Dependency Check plugin will then become obsolete, and the visualization will automatically improve as the warnings plugin improves.


kudos-dude

Nov 11, 2021, 3:36:50 PM
to Jenkins Developers
I want to apologize for the tone in my original post. Just feeling a bit overwhelmed at the moment.

The plugin on GitHub still contains the `adopt-this-plugin` tag and the "Seeking a new maintainer" section.

https://github.com/jenkinsci/dependency-check-plugin

Please let me know if there is anything else I need to do.

Wes

Jean-Marc Meessen

Dec 18, 2021, 3:43:03 PM
to Jenkins Developers
Hello Wes,

Thank you for adopting this plugin.

I am working with Mark Waite and a couple of others on various initiatives to improve the contributor and maintainer experience (especially for newcomers).

It is in that context that I believe it would be great if we could discuss your experience by mail, or even in a short call (if time zones are favorable). Among other things, I'd like to know:
  • Was the adoption successful?
  • What were the friction points?
  • Did you get (or need) help? In what form?
  • What were your motives for adoption?
  • What is your previous experience as a Jenkins/OSS contributor and in Java development?
  • ...
If you are interested in sharing your experience, you can contact me at jean...@meessen-web.org.

/- Jmm
Jean-Marc Meessen
Brussels, Belgium

Daniel Warmuth

Jan 17, 2022, 1:07:59 PM
to Jenkins Developers
Hi,

I'd like to become maintainer of this plugin (https://plugins.jenkins.io/dependency-check-jenkins-plugin/). I understand that Wes (kudos-dude) can no longer be maintainer and is looking for someone to take over.

My GitHub username is "danile42" and my Jenkins infrastructure account id is also "danile42".

I do not have any pull requests open, but I work at a company that wants to use this plugin; therefore, I have a special interest and time available to do maintenance work.

Please let me know how we can proceed.

Best regards,
Daniel

Mark Waite

Jan 17, 2022, 2:18:09 PM
to jenkinsci-dev
Thanks for your willingness to adopt the plugin.

Please submit an issue to request GitHub permission on the repository through https://github.com/jenkins-infra/helpdesk/issues/new/choose. You need "Maintain" permission on that repository.

Please submit a pull request to the repository permissions updater to add yourself as a maintainer of the plugin. https://github.com/jenkins-infra/repository-permissions-updater/blob/master/permissions/plugin-dependency-check-jenkins-plugin.yml is the file that needs to be modified in the pull request.

Mark Waite

Tim Jacomb

Jan 17, 2022, 2:34:05 PM
to jenkin...@googlegroups.com
Just the pull request to the repository permissions updater is needed; skip the help desk one, we'll do it there.

Jean-Marc Meessen

Jan 17, 2022, 3:02:21 PM
to Jenkins Developers
Hello Daniel,

Thank you for your interest in maintaining this plugin.

The situation of that plugin is a little blurry right now: there was a recent adoption request by Wes that was approved, but the plugin is still marked for adoption. Did Wes forget to remove the flag, or did he give up after a couple of weeks?

Could you please reach out to him to assess the exact situation and come back to this group? Hint: look at the git log for the email.

Apparently, this plugin needs some love and attention: there is an XSS vulnerability detected on it.

/- Jmm


Daniel Warmuth

Jan 17, 2022, 3:35:08 PM
to Jenkins Developers
Hi Jean-Marc,

I understood that "kudos-dude" (who wrote here on 10 November that he can no longer be maintainer) is the same person as "Wes" (see the previous mail by "kudos-dude" and also the Jira profile: https://issues.jenkins.io/secure/ViewProfile.jspa?name=kudos_dude).

Nonetheless, he filed an issue on 4 December asking for the security warning to be removed, because it is fixed in the newest version: https://issues.jenkins.io/browse/JENKINS-67321

I do not yet know what the process is to handle this issue, but it seems pretty clear that kudos-dude/Wes does not see himself in the maintainer role any longer. I'll write to his e-mail address listed on Jira anyway to confirm that once more.

Best regards,
Daniel

kudos-dude

Jan 17, 2022, 4:33:56 PM
to Jenkins Developers
Hello,

I would like to pass off the maintainer role. Please let me know if you require anything additional to complete the process.

Ullrich Hafner

Jan 18, 2022, 3:11:21 AM
to JenkinsCI Developers
And please note:

For a couple of releases now, an OWASP Dependency-Check parser has been part of the warnings plugin as well (https://github.com/jenkinsci/warnings-ng-plugin/blob/master/SUPPORTED-FORMATS.md).
So if you are just interested in showing the results of the analysis, no additional plugin is required anymore. And you do not need to duplicate development of mostly the same feature set (and you do not need to fix security issues that have already been fixed in the warnings plugin).

Ulli 


Daniel Warmuth

Jan 18, 2022, 4:31:49 AM
to jenkin...@googlegroups.com
Thanks, Ullrich, I will have a look at that as soon as the "legal" stuff is settled.

If the final result is that the plugin is redundant, a valid maintenance action could be to document this on the plugin's page and send it into retirement. We'll see.

Best regards,
Daniel


Jean-Marc Meessen

Jan 19, 2022, 10:51:58 PM
to Jenkins Developers
Hello Daniel,

The fog cleared out :-)

The paperwork part is then very simple. Just submit a PR on the https://github.com/jenkins-infra/repository-permissions-updater/blob/master/permissions/plugin-dependency-check-jenkins-plugin.yml configuration (as described in the repo's README.md).
Mention a reference to this conversation in the comments of the PR.

Don't hesitate to come back here if you have any questions or encounter blockers with the mentioned security issue and releasing the plugin.
I am also interested to hear about your experience while doing this. It will help us identify and solve the friction points for new plugin maintainers.

/- Jmm

Daniel Warmuth

Feb 6, 2022, 5:02:30 PM
to Jenkins Developers
Hello Tim,

Since the pull request for the Artifactory permissions was merged a while ago, I understand that just the "help desk" change is left. Can you do this, please? Do you need any further information?

Thanks & best regards,
Daniel

Jean-Marc Meessen

Feb 7, 2022, 2:28:41 AM
to Jenkins Developers
Hi Daniel,

Normally, once your infra PR has been merged, you are good to go: you can merge PRs and cut releases. No need to open a Helpdesk ticket (see https://www.jenkins.io/doc/developer/plugin-governance/adopt-a-plugin/).

The first step, as a new maintainer, is to remove the "adopt-this-plugin" label. This will validate that you have admin rights on that repository.

Let us know if it doesn't work as expected.

/- Jmm


Tim Jacomb

Feb 7, 2022, 2:43:58 AM
to Jenkins Developers
I've re-invited you; please go to https://github.com/jenkinsci to accept the invite.

Jean-Marc Meessen

Feb 7, 2022, 11:31:06 AM
to Jenkins Developers, timja...@gmail.com
Hello Tim,

This (GitHub invite) is probably something I could add to the plugin adoption guideline.
I don't remember exactly at what moment, to achieve what, and under what conditions it happens. It has been some time for me and I am not sure anymore. Could you refresh my memory or point me to where this is explained in detail?

My guess is:
  • you need to accept the invitation to the GitHub Jenkins xyz group so that you inherit the group's rights
  • it happens only when adopting your first plugin
  • it is just a matter of following the instructions received by mail.
Additional details I could add to the adoption guideline (with your help) are:
  • how to check if it is done
  • what to do if it failed and/or the invite was missed.
/- Jmm

Tim Jacomb

Feb 8, 2022, 3:55:11 AM
to Jean-Marc Meessen, Jenkins Developers
Hi Jean-Marc,

Yes, that's right.
If you're already a member of the GitHub organization you will get the permissions immediately.
If you aren't a member then you have to accept the invitation.

The invite will be sent to your GitHub email account; you can also accept it at https://github.com/jenkinsci if you can't find the invite.
Invites expire after 7 days, and after that you need to ask for it to be re-sent.

Replying on the RPU pull request is the easiest way; you can also create an INFRA helpdesk ticket or email the jenkinsci-dev mailing list.