Amazon Inspector Plugin Hosting Request

[waltwilo]

Repository URL

https://github.com/aws/amazon-inspector-container-image-scanner-jenkins-plugin

New Repository Name

amazon-inspector-image-scanner-plugin

Description

This plugin will allow users to scan container images from within their CICD pipelines using Amazon Inspector.

GitHub users to have commit permission

@naveshal
@waltwilo
@bluesentinelsec
@riyli
@TheTrueKen
@cjbaco
@awsactran

Jenkins project users to have release permission

inspector_opensource

Issue tracker

GitHub issues

[jenkins-cert-app]

Security audit, information and commands

The security team is auditing all the hosting requests, to ensure a better security by default.

This message informs you that a Jenkins Security Scan was triggered on your repository.
It takes ~10 minutes to complete.

Commands

The bot will parse all comments, and it will check if any line start with a command.

Security team only:

• /audit-ok => the audit is complete, the hosting can continue 🎉.
• /audit-skip => the audit is not necessary, the hosting can continue 🎉.
• /audit-findings => the audit reveals some issues that require corrections ✏️.

Anyone:

• /request-security-scan => the findings from the Jenkins Security Scan were corrected, this command will re-scan your repository 🔍.
• /audit-review => the findings from the audit were corrected, this command will ping the security team to review the findings 👀. It's only applicable when the previous audit required changes.

Only one command can be requested per comment.

(automatically generated message, version: 1.26.21)

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• ⛔ Required: Your baseline specified does not meet the minimum Jenkins version required, please update <jenkins.version>2.361.4</jenkins.version> to at least 2.387.3 in your pom.xml. Take a look at the baseline recommendations.
• ⛔ Required: The parent pom version '4.52' should be at least '4.71' or higher.
• ⛔ Required: The 'artifactId' from the pom.xml (amazon-inspector-scanner) is incorrect, it should be amazon-inspector-container-image-scanner-jenkins ('New Repository Name' field with "-plugin" removed)
• ⛔ Required: Please specify a license in your pom.xml file using the <licenses> tag. See https://maven.apache.org/pom.html#Licenses for more information.
• ⛔ Required: Please add a license file to your repo, GitHub provides an easy mechanism to do this from their user interface.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[jenkins-cert-app]

The Jenkins Security Scan discovered 13 finding(s) 🔍.
For each of them, either apply the recommended correction, suppress the warning or provide a justification.

Once you're done, either re-run the scan with /request-security-scan or request the Security team to review your justifications with /audit-review.

---

Jenkins: Missing permission check on a form fill web method with credentials lookup

You can find detailed information about this finding here.

AmazonInspectorBuilder.java#290

doFillDockerUsernameItems should perform a permission check before calling #lookupCredentials

AmazonInspectorBuilder.java#286

doFillSessionTokenIdItems should perform a permission check before calling #lookupCredentials

AmazonInspectorBuilder.java#282

doFillSecretKeyIdItems should perform a permission check before calling #lookupCredentials

AmazonInspectorBuilder.java#278

doFillAccessKeyIdItems should perform a permission check before calling #lookupCredentials

Stapler: Missing POST/RequirePOST annotation

You can find detailed information about this finding here.

AmazonInspectorBuilder.java#290

Potential CSRF vulnerability: If DescriptorImpl#doFillDockerUsernameItems connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST

AmazonInspectorBuilder.java#286

Potential CSRF vulnerability: If DescriptorImpl#doFillSessionTokenIdItems connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST

AmazonInspectorBuilder.java#282

Potential CSRF vulnerability: If DescriptorImpl#doFillSecretKeyIdItems connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST

AmazonInspectorBuilder.java#278

Potential CSRF vulnerability: If DescriptorImpl#doFillAccessKeyIdItems connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST

Stapler: Missing permission check

You can find detailed information about this finding here.

AmazonInspectorBuilder.java#290

Potential missing permission check in DescriptorImpl#doFillDockerUsernameItems

AmazonInspectorBuilder.java#286

Potential missing permission check in DescriptorImpl#doFillSessionTokenIdItems

AmazonInspectorBuilder.java#282

Potential missing permission check in DescriptorImpl#doFillSecretKeyIdItems

AmazonInspectorBuilder.java#278

Potential missing permission check in DescriptorImpl#doFillAccessKeyIdItems

Jenkins: Plaintext password storage

You can find detailed information about this finding here.

SbomgenRunner.java#21

Field should be reviewed whether it stores a password and is serialized to disk: dockerPassword

[waltwilo]

/hosting re-check

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• ⛔ Required: The parent pom version '4.71' should be at least '4.75' or higher.
• ⛔ Required: The 'artifactId' from the pom.xml (amazon-inspector-container-image-scanner-jenkins) should not contain "Jenkins"
• ⛔ Required: The 'artifactId' amazon-inspector-container-image-scanner-jenkins from the pom.xml is incorrect, it must have less than 37 characters, currently it has 48 characters

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[waltwilo]

/hosting re-check

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• ⛔ Required: The 'artifactId' from the pom.xml (amazon-inspector-image-scanner) is incorrect, it should be amazon-inspector-container-image-scanner-jenkins ('New Repository Name' field with "-plugin" removed)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A member of the Jenkins hosting team will check over things that I am not able to check(code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

[waltwilo]

/request-security-scan

[jenkins-cert-app]

The Jenkins Security Scan did not find anything dangerous with your plugin, congratulations! 🎉

---

💡 The Security team recommends that you are setting up the scan in your repository by following our guide.

[waltwilo]

/audit-review

I've suppressed the password storage error. It is never stored in config as it's retrieved via the username and never saved to disk. The dockerPassword variable is only used to pass to an SBOM scanning tool in the case that a user wants to scan a private repository.

[alecharp]

Hello, please see what I found on your plugin:

• run mvn tidy:pom on your project, this would help humans to read the pom.xml files.
• do you need https://github.com/aws/amazon-inspector-container-image-scanner-jenkins-plugin/blob/ac12140bddfbc1813f241c09f1634529e3078d8e/pom.xml#L71-L75 in the project code?
• Is sts a sdk from AWS? Could it be made into a plugin like in https://github.com/jenkinsci/aws-java-sdk-plugin? Same for utils, inspectorscan, apache-client and aws-json-protocol?
• Where are the sources for those dependencies?
• could you explain why you need https://github.com/aws/amazon-inspector-container-image-scanner-jenkins-plugin/blob/ac12140bddfbc1813f241c09f1634529e3078d8e/pom.xml#L123C9-L123C44?
• why do you need https://github.com/aws/amazon-inspector-container-image-scanner-jenkins-plugin/blob/ac12140bddfbc1813f241c09f1634529e3078d8e/pom.xml#L133-L136?
• I would suggest not to set the Java version on your pom like you did in https://github.com/aws/amazon-inspector-container-image-scanner-jenkins-plugin/blob/ac12140bddfbc1813f241c09f1634529e3078d8e/pom.xml#L177-L185
• I'm not sure how you are using the index.html file as you are not using a normal output directory for it https://github.com/aws/amazon-inspector-container-image-scanner-jenkins-plugin/blob/ac12140bddfbc1813f241c09f1634529e3078d8e/pom.xml#L152-L175

---

• the Jenkinsfile must be at the root of the repository, not in /docs/ (https://github.com/aws/amazon-inspector-container-image-scanner-jenkins-plugin/blob/main/docs/Jenkinsfile)
• why do you want to stay on Java 11 when the community is set to support 17 and 21 now?

---

• please don't include the empty /docs/SECURITY.md file, there is a security policy in the community that is, I think, enforced on all plugins (cc @jenkins-infra/security)

---

• I don't know how different the Amazon code of conduct is from the Jenkins community but I don't know if we can have a different one from the community standards

---

• I would suggest to use release-drafter to generate your release notes and not use any CHANGELOG file, but that is really just a suggestion.

---

• on AmazonInspectorBuilder, I would suggest not to browse though all the available credentials and stop on the first one having the username configured by the user, because users might be using the same username for many many many different system. Please see https://github.com/jenkinsci/credentials-plugin/blob/master/docs/consumer.adoc to see how to use credentialsId in your configuration. This would also prevent to have another copy of the credentials list in memory (UsernameCredentialsHelper.java)

I need to spend more time on that class. I think there are other potential issues there.

[waltwilo]

Is sts a sdk from AWS? Could it be made into a plugin like in https://github.com/jenkinsci/aws-java-sdk-plugin? Same for utils, inspectorscan, apache-client and aws-json-protocol?

Those dependencies are all used to interact with AWS, unfortunately, they cannot be made into Jenkins plugins. They are all sourced from https://mvnrepository.com/artifact/software.amazon.awssdk

I'm not sure how you are using the index.html file as you are not using a normal output directory

The plugin adds data to index.html at the end of the build which is copied to the workspace as a build report.

I don't know how different the Amazon code of conduct is from the Jenkins community but I don't know if we can have a different one from the community standards.

The code of conducts should be compatible with each other, Amazon's essentially only prevents harassment. https://aws.github.io/code-of-conduct

I would suggest to use release-drafter to generate your release notes and not use any CHANGELOG file, but that is really just a suggestion.

Didn't know this existed, I'll incorporate it into the repo.

[waltwilo]

As for the credentials, I'm looking into it but would it be possible to delay that change until after the plugin is released?

[waltwilo]

I've fixed all comments not mentioned previously by me.

[timja]

Those dependencies are all used to interact with AWS, unfortunately, they cannot be made into Jenkins plugins. They are all sourced from mvnrepository.com/artifact/software.amazon.awssdk

They aren't Jenkins plugins as such that they contribute code, they just wrap libraries so that only one instance of a library is deployed to Jenkins, see the existing AWS ones:
https://github.com/jenkinsci/aws-java-sdk-plugin

https://www.jenkins.io/doc/developer/plugin-development/dependencies-and-class-loading/#bundling-third-party-libraries

[Wadeck]

/audit-ok

No need to request review if the bot is happy with your actions ;)

[alecharp]

For the sdk librairies. I don't think it would be a blocker for the hosting. This can be dealt with later but it has to be dealt with for sure.

The credentials on the other hand is problematic for me. Once you have a customer using the username, you will have to deal with the configuration transformation, which will be a pain or even not possible automatically.
Please transform the username into a credentialsId and use the credentials plugin. That shouldn't be too long as you already used the credentials API in your code.

[waltwilo]

@alecharp Alright I've updated it to use the credential ID instead of the username.

aws/amazon-inspector-container-image-scanner-jenkins-plugin@8440e44

[alecharp]

Thanks.

There are others issues within the code but nothing that cannot be resolved once hosted:

• fixing the configuration file using the credentials select in the configuration (which would let users to create credentials directly from the project page)
• usages of environment variable to get the workspaces to store files in it.

I don't see anything blocking the hosting process to go forward here.

[timja]

/hosting host

[jenkins-infra-bot]

Hosting request complete, the code has been forked into the jenkinsci project on GitHub as https://github.com/jenkinsci/amazon-inspector-image-scanner-plugin

GitHub issues has been selected for issue tracking and was enabled for the forked repo.

A pull request has been created against the repository permissions updater to setup release permissions. Additional users can be added by modifying the created file.

Please delete your original repository (if there are no other forks), under 'Danger Zone', so that the jenkinsci organization repository is the definitive source for the code. If there are other forks, please contact GitHub support to make the jenkinsci repo the root of the fork network (mention that Jenkins approval was given in support request 569994). Also, please make sure you properly follow the documentation on documenting your plugin so that your plugin is correctly documented.

You will also need to do the following in order to push changes and release your plugin:

• Accept the invitation to the Jenkins CI Org on Github
• Add additional users for upload permissions, if needed
• Releasing your plugin

In order for your plugin to be built by the Jenkins CI Infrastructure and check pull requests, please add a Jenkinsfile to the root of your repository with the following content:
https://github.com/jenkinsci/archetypes/blob/master/common-files/Jenkinsfile

Welcome aboard!

[alecharp]

@waltwilo don't forget to delete the original repository. If you need one, you can fork the jenkinsci one back into aws organization.

[waltwilo]

@alecharp does deletion need to be done before the marketplace release? I was planning on contacting github support to make the jenkins repo the root.

[timja]

@alecharp does deletion need to be done before the marketplace release? I was planning on contacting github support to make the jenkins repo the root.

either works, and yes a support request will do it too