Enable Jenkins Security Scan


Daniel Krämer

Jun 21, 2024, 7:35:07 AMJun 21
to Jenkins Developers
A couple of days ago I noticed that there are a lot of plugin repositories that do not run the Jenkins Security Scan. Even though by now the GitHub action containing the scan is present in templates and archetypes, there are still some plugins that were likely created before or simply did not care for it. Nevertheless, it is stated in the JENKINS SECURITY POLICY that

The Jenkins project takes security seriously. We make every possible effort to ensure users can adequately secure their automation infrastructure. To that end, we work with Jenkins core and plugin developers, as well as security researchers, to fix security vulnerabilities in Jenkins in a timely manner, and to improve the security of Jenkins in general.

We as plugin developers should therefore try our best to support this. One way of doing so is to enable the Jenkins Security Scan.
This is why over the course of the last two days I created roughly 200 PRs as a consequence. My PRs were made towards plugins that could be considered "in active development", meaning they have had a commit in the last 30 days and a release in the last 6 months. For all that I set up a script to grab me a list of plugin repositories that match those criteria and semi-automatically issue PRs for them, many of which have already been merged.

Since this is my first go at automating such a thing, there were some hiccups that hopefully all got resolved by hand. Please let me know if you found any unresolved issues. By now there seem to be no more plugins left that match my criteria, but I will likely run another analysis in a couple of weeks. If I caused any issues in the infrastructure, yeah, what can I say but sorry. It was not my intention to cause more work for anyone but rather to do a good deed.

Overall my goal is to make use of the great security features that we have at our hands and to share the word that security is so important in software development and doing my part in supporting the community to my best efforts.
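The selection criteria described in the message above (a commit in the last 30 days and a release in the last 6 months, plus no scan workflow yet) can be expressed as a small filter. The following is an added example and not the script the author used; the plugin records are constructed sample data, the cut-off date is fixed to the posting date, and the "has workflow" flag is assumed to be derived from checking for a `.github/workflows/` scan workflow file in each repository.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, List

# Constructed sample record; in a real run these fields would be filled from
# the update center and the GitHub API (assumption, not part of the original).
@dataclass(frozen=True)
class PluginRepo:
    name: str
    last_commit: datetime
    last_release: Optional[datetime]   # None if the plugin has never been released
    has_scan_workflow: bool            # assumed: scan workflow file present in .github/workflows/

# Fixed reference date so the example is reproducible (the date of the post).
NOW = datetime(2024, 6, 21, tzinfo=timezone.utc)

COMMIT_WINDOW = timedelta(days=30)
RELEASE_WINDOW = timedelta(days=6 * 30)   # "6 months", approximated as 180 days


def is_actively_developed(repo: PluginRepo, now: datetime = NOW) -> bool:
    """Commit within 30 days AND a release within 6 months; unreleased plugins are excluded."""
    if repo.last_release is None:
        return False
    recent_commit = (now - repo.last_commit) <= COMMIT_WINDOW
    recent_release = (now - repo.last_release) <= RELEASE_WINDOW
    return recent_commit and recent_release


def needs_scan_pr(repo: PluginRepo, now: datetime = NOW) -> bool:
    """Candidate for a PR only if active and the scan workflow is still missing."""
    return is_actively_developed(repo, now) and not repo.has_scan_workflow


def select_candidates(repos: List[PluginRepo], now: datetime = NOW) -> List[str]:
    """Sorted names of repositories that should receive a security-scan PR."""
    return sorted(r.name for r in repos if needs_scan_pr(r, now))


def _days_ago(days: int) -> datetime:
    return NOW - timedelta(days=days)


# Constructed sample data covering each branch of the filter.
SAMPLE_REPOS = [
    PluginRepo("active-missing-scan", _days_ago(5), _days_ago(60), False),   # candidate
    PluginRepo("active-has-scan", _days_ago(2), _days_ago(10), True),        # already scanned
    PluginRepo("stale-commit", _days_ago(45), _days_ago(20), False),         # no recent commit
    PluginRepo("stale-release", _days_ago(1), _days_ago(300), False),        # no recent release
    PluginRepo("never-released", _days_ago(1), None, False),                 # never released
]

if __name__ == "__main__":
    for name in select_candidates(SAMPLE_REPOS):
        print("would open PR for:", name)
```

Only `active-missing-scan` survives the filter: the others fail on an old commit, an old release, a missing release, or already having the workflow. A real run would also want to skip archived repositories and those with an open PR already, which the sample data does not model.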

Verachten Bruno

Jun 21, 2024, 8:37:51 AMJun 21
to jenkin...@googlegroups.com
Thank you, Daniel.

I received a few of your pull requests on the plugins I try to
co-maintain. I accepted some of them, but quickly realized, thanks to
the help of Mark Waite, that there was more to it than just clicking
"Merge". The scan then creates potentially hundreds of alerts that
maintainers have to deal with.

Depending on their involvement in the plugin, their understanding of
the existing codebase, the choices made before they joined the
maintainers group, and their comprehension of the alerts created, this
process could range from a walk in the park to hauling a
one-metric-ton rock to the top of a mountain.

I will do my homework and try to sort between false positives, real
issues I can solve, and things that are too complicated for me. In the
meantime, the other PRs you created for the plugins I try to maintain
will have to wait.

Please don't get discouraged if your PRs don't get merged or reviewed
in other repositories quickly. We experienced a similar situation when
Mark and I proposed the move to JDK21 to hundreds of plugins last
year.

Don't get me wrong: adding the Jenkins Security Scan is a very sane
and safe move. As far as I know, it runs on GitHub, so it should not
impact our infrastructure. It will just deepen our vendor-lock
dependency with GitHub, but we're already knee-deep in that
relationship, so it shouldn't make much difference.

Once again, thanks a lot for your work. I truly appreciate the effort,
and I'm sure the rest of the community will too.