New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Amazon Inspector Plugin Hosting Request #3634
Comments
Security audit, information and commands The security team is auditing all the hosting requests, to ensure a better security by default. This message informs you that a Jenkins Security Scan was triggered on your repository. CommandsThe bot will parse all comments, and it will check if any line start with a command. Security team only:
Anyone:
Only one command can be requested per comment. (automatically generated message, version: 1.26.21) |
Hello from your friendly Jenkins Hosting Checker It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.
You can re-trigger a check by editing your hosting request or by commenting |
The Jenkins Security Scan discovered 13 finding(s) 🔍. Once you're done, either re-run the scan with Jenkins: Missing permission check on a form fill web method with credentials lookupYou can find detailed information about this finding here. AmazonInspectorBuilder.java#290
AmazonInspectorBuilder.java#286
AmazonInspectorBuilder.java#282
AmazonInspectorBuilder.java#278
Stapler: Missing POST/RequirePOST annotationYou can find detailed information about this finding here. AmazonInspectorBuilder.java#290
AmazonInspectorBuilder.java#286
AmazonInspectorBuilder.java#282
AmazonInspectorBuilder.java#278
Stapler: Missing permission checkYou can find detailed information about this finding here. AmazonInspectorBuilder.java#290
AmazonInspectorBuilder.java#286
AmazonInspectorBuilder.java#282
AmazonInspectorBuilder.java#278
Jenkins: Plaintext password storageYou can find detailed information about this finding here. SbomgenRunner.java#21
|
/hosting re-check |
Hello from your friendly Jenkins Hosting Checker It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.
You can re-trigger a check by editing your hosting request or by commenting |
/hosting re-check |
Hello from your friendly Jenkins Hosting Checker It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.
You can re-trigger a check by editing your hosting request or by commenting |
Hello from your friendly Jenkins Hosting Checker It looks like you have everything in order for your hosting request. A member of the Jenkins hosting team will check over things that I am not able to check(code review, README content, etc) and process the request as quickly as possible. Thank you for your patience. Hosting team members can host this request with |
/request-security-scan |
The Jenkins Security Scan did not find anything dangerous with your plugin, congratulations! 🎉 💡 The Security team recommends that you are setting up the scan in your repository by following our guide. |
/audit-review I've suppressed the password storage error. It is never stored in config as it's retrieved via the username and never saved to disk. The |
Hello, please see what I found on your plugin:
I need to spend more time on that class. I think there are other potential issues there. |
Those dependencies are all used to interact with AWS, unfortunately, they cannot be made into Jenkins plugins. They are all sourced from https://mvnrepository.com/artifact/software.amazon.awssdk
The plugin adds data to index.html at the end of the build which is copied to the workspace as a build report.
The code of conducts should be compatible with each other, Amazon's essentially only prevents harassment. https://aws.github.io/code-of-conduct
Didn't know this existed, I'll incorporate it into the repo. |
As for the credentials, I'm looking into it but would it be possible to delay that change until after the plugin is released? |
I've fixed all comments not mentioned previously by me. |
They aren't Jenkins plugins as such that they contribute code, they just wrap libraries so that only one instance of a library is deployed to Jenkins, see the existing AWS ones: |
/audit-ok No need to request review if the bot is happy with your actions ;) |
For the sdk librairies. I don't think it would be a blocker for the hosting. This can be dealt with later but it has to be dealt with for sure. The credentials on the other hand is problematic for me. Once you have a customer using the username, you will have to deal with the configuration transformation, which will be a pain or even not possible automatically. |
@alecharp Alright I've updated it to use the credential ID instead of the username. aws/amazon-inspector-container-image-scanner-jenkins-plugin@8440e44 |
Thanks. There are others issues within the code but nothing that cannot be resolved once hosted:
I don't see anything blocking the hosting process to go forward here. |
/hosting host |
Hosting request complete, the code has been forked into the jenkinsci project on GitHub as https://github.com/jenkinsci/amazon-inspector-image-scanner-plugin GitHub issues has been selected for issue tracking and was enabled for the forked repo. A pull request has been created against the repository permissions updater to setup release permissions. Additional users can be added by modifying the created file. Please delete your original repository (if there are no other forks), under 'Danger Zone', so that the jenkinsci organization repository is the definitive source for the code. If there are other forks, please contact GitHub support to make the jenkinsci repo the root of the fork network (mention that Jenkins approval was given in support request 569994). Also, please make sure you properly follow the documentation on documenting your plugin so that your plugin is correctly documented. You will also need to do the following in order to push changes and release your plugin:
In order for your plugin to be built by the Jenkins CI Infrastructure and check pull requests, please add a Jenkinsfile to the root of your repository with the following content: Welcome aboard! |
@waltwilo don't forget to delete the original repository. If you need one, you can fork the |
@alecharp does deletion need to be done before the marketplace release? I was planning on contacting github support to make the jenkins repo the root. |
either works, and yes a support request will do it too |
Repository URL
https://github.com/aws/amazon-inspector-container-image-scanner-jenkins-plugin
New Repository Name
amazon-inspector-image-scanner-plugin
Description
This plugin will allow users to scan container images from within their CICD pipelines using Amazon Inspector.
GitHub users to have commit permission
@naveshal
@waltwilo
@bluesentinelsec
@riyli
@TheTrueKen
@cjbaco
@awsactran
Jenkins project users to have release permission
inspector_opensource
Issue tracker
GitHub issues
The text was updated successfully, but these errors were encountered: