
Host Finite State Third Party Upload Plugin #3930

Closed
cpfarherFinitestate opened this issue May 17, 2024 · 13 comments
Labels
hosting-request Request to host a component in jenkinsci needs-fix security-audit-needs-correction The security audit revealed issues that must be corrected from the hosting request

Comments

@cpfarherFinitestate

cpfarherFinitestate commented May 17, 2024

Repository URL

https://github.com/FiniteStateInc/third-party-upload-jenkins

New Repository Name

finite-state-third-party-upload-plugin

Description

The Finite State third-party-upload allows you to easily integrate the Finite State Platform into Jenkins.

GitHub users to have commit permission

@cpfarherFinitestate @phillipcurl

Jenkins project users to have release permission

finitestateinc

Issue tracker

GitHub issues

@cpfarherFinitestate cpfarherFinitestate added the hosting-request Request to host a component in jenkinsci label May 17, 2024
@jenkins-cert-app
Collaborator

Security audit, information and commands

The security team is auditing all the hosting requests to ensure better security by default.

This message informs you that a Jenkins Security Scan was triggered on your repository.
It takes ~10 minutes to complete.

Commands

The bot will parse all comments, and it will check if any line starts with a command.

Security team only:

  • /audit-ok => the audit is complete, the hosting can continue 🎉.
  • /audit-skip => the audit is not necessary, the hosting can continue 🎉.
  • /audit-findings => the audit reveals some issues that require corrections ✏️.

Anyone:

  • /request-security-scan => the findings from the Jenkins Security Scan were corrected, this command will re-scan your repository 🔍.
  • /audit-review => the findings from the audit were corrected, this command will ping the security team to review the findings 👀. It's only applicable when the previous audit required changes.

Only one command can be requested per comment.

(automatically generated message, version: 1.28.4)

@jenkins-cert-app jenkins-cert-app added the security-audit-todo The security team needs to audit the hosting request code label May 17, 2024

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

  • ⛔ Required: Your baseline specified does not meet the minimum Jenkins version required, please update <jenkins.version>2.414.3</jenkins.version> to at least 2.426.3 in your pom.xml. Take a look at the baseline recommendations.
  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: cpfarherFinitestate, phillipcurl (reports are re-synced hourly, wait to re-check for a bit after logging in)
  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: cpfarherFinitestate, phillipcurl (reports are re-synced hourly, wait to re-check for a bit after logging in)
  • ⛔ Required: The 'artifactId' from the pom.xml (finite-state-third-party-uplopad) is incorrect, it should be finite-state-third-party-upload ('New Repository Name' field with "-plugin" removed)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

@jenkins-cert-app
Collaborator

The Jenkins Security Scan discovered 23 finding(s) 🔍.

Please follow the instructions below for every identified issue:

  • Implement the recommended fix to address the issue.
  • If you think it's a false positive, suppress the warning directly within the code.
  • Alternatively, write an explanation here about why you think it's irrelevant. That will require a manual review, leading to a slower process.

After addressing the findings through one of the above methods:

  • If all modifications have been made to the code, please initiate a new security scan by triggering the /request-security-scan command.
  • If there are any unresolved findings (those not corrected or suppressed), request a review from the Jenkins security team by using the /audit-review command.

Jenkins: Missing permission check on a form fill web method with credentials lookup

You can find detailed information about this finding here.

ThirdPartyUploadRecorder.java#374
doFillFiniteStateOrganizationContextItems should perform a permission check before calling #lookupCredentials
ThirdPartyUploadRecorder.java#364
doFillFiniteStateSecretItems should perform a permission check before calling #lookupCredentials
ThirdPartyUploadRecorder.java#354
doFillFiniteStateClientIdItems should perform a permission check before calling #lookupCredentials

Stapler: Missing POST/RequirePOST annotation

You can find detailed information about this finding here.

ThirdPartyUploadRecorder.java#418
Potential CSRF vulnerability: If DescriptorImpl#doCheckTestType connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
ThirdPartyUploadRecorder.java#414
Potential CSRF vulnerability: If DescriptorImpl#doCheckFilePath connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
ThirdPartyUploadRecorder.java#410
Potential CSRF vulnerability: If DescriptorImpl#doCheckVersion connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
ThirdPartyUploadRecorder.java#406
Potential CSRF vulnerability: If DescriptorImpl#doCheckAssetId connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
ThirdPartyUploadRecorder.java#401
Potential CSRF vulnerability: If DescriptorImpl#doCheckFiniteStateOrganizationContext connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
ThirdPartyUploadRecorder.java#396
Potential CSRF vulnerability: If DescriptorImpl#doCheckFiniteStateSecret connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
ThirdPartyUploadRecorder.java#391
Potential CSRF vulnerability: If DescriptorImpl#doCheckFiniteStateClientId connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
ThirdPartyUploadRecorder.java#374
Potential CSRF vulnerability: If DescriptorImpl#doFillFiniteStateOrganizationContextItems connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
ThirdPartyUploadRecorder.java#364
Potential CSRF vulnerability: If DescriptorImpl#doFillFiniteStateSecretItems connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
ThirdPartyUploadRecorder.java#354
Potential CSRF vulnerability: If DescriptorImpl#doFillFiniteStateClientIdItems connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST

Stapler: Missing permission check

You can find detailed information about this finding here.

ThirdPartyUploadRecorder.java#418
Potential missing permission check in DescriptorImpl#doCheckTestType
ThirdPartyUploadRecorder.java#414
Potential missing permission check in DescriptorImpl#doCheckFilePath
ThirdPartyUploadRecorder.java#410
Potential missing permission check in DescriptorImpl#doCheckVersion
ThirdPartyUploadRecorder.java#406
Potential missing permission check in DescriptorImpl#doCheckAssetId
ThirdPartyUploadRecorder.java#401
Potential missing permission check in DescriptorImpl#doCheckFiniteStateOrganizationContext
ThirdPartyUploadRecorder.java#396
Potential missing permission check in DescriptorImpl#doCheckFiniteStateSecret
ThirdPartyUploadRecorder.java#391
Potential missing permission check in DescriptorImpl#doCheckFiniteStateClientId
ThirdPartyUploadRecorder.java#374
Potential missing permission check in DescriptorImpl#doFillFiniteStateOrganizationContextItems
ThirdPartyUploadRecorder.java#364
Potential missing permission check in DescriptorImpl#doFillFiniteStateSecretItems
ThirdPartyUploadRecorder.java#354
Potential missing permission check in DescriptorImpl#doFillFiniteStateClientIdItems

@jenkins-cert-app jenkins-cert-app added security-audit-needs-correction The security audit revealed issues that must be corrected from the hosting request and removed security-audit-todo The security team needs to audit the hosting request code labels May 17, 2024

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

  • ⛔ Required: Your baseline specified does not meet the minimum Jenkins version required, please update <jenkins.version>2.414.3</jenkins.version> to at least 2.426.3 in your pom.xml. Take a look at the baseline recommendations.
  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: @cpfarherFinitestate, @phillipcurl (reports are re-synced hourly, wait to re-check for a bit after logging in)
  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: @cpfarherFinitestate, @phillipcurl (reports are re-synced hourly, wait to re-check for a bit after logging in)
  • ⛔ Required: The 'artifactId' from the pom.xml (finite-state-third-party-uplopad) is incorrect, it should be finite-state-third-party-upload ('New Repository Name' field with "-plugin" removed)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check


Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

  • ⛔ Required: Your baseline specified does not meet the minimum Jenkins version required, please update <jenkins.version>2.414.3</jenkins.version> to at least 2.426.3 in your pom.xml. Take a look at the baseline recommendations.
  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: @FiniteStateInc (reports are re-synced hourly, wait to re-check for a bit after logging in)
  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: @FiniteStateInc (reports are re-synced hourly, wait to re-check for a bit after logging in)
  • ⛔ Required: The following usernames in 'GitHub Users to Authorize as Committers' are not valid GitHub usernames or are Organizations: finitestateinc
  • ⛔ Required: The 'artifactId' from the pom.xml (finite-state-third-party-uplopad) is incorrect, it should be finite-state-third-party-upload ('New Repository Name' field with "-plugin" removed)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check


Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

  • ⛔ Required: Your baseline specified does not meet the minimum Jenkins version required, please update <jenkins.version>2.414.3</jenkins.version> to at least 2.426.3 in your pom.xml. Take a look at the baseline recommendations.
  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: @FiniteStateInc (reports are re-synced hourly, wait to re-check for a bit after logging in)
  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: @FiniteStateInc (reports are re-synced hourly, wait to re-check for a bit after logging in)
  • ⛔ Required: The following usernames in 'GitHub Users to Authorize as Committers' are not valid GitHub usernames or are Organizations: cpfarherFinitestate phillipcurl
  • ⛔ Required: The 'artifactId' from the pom.xml (finite-state-third-party-uplopad) is incorrect, it should be finite-state-third-party-upload ('New Repository Name' field with "-plugin" removed)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check


Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

  • ⛔ Required: Your baseline specified does not meet the minimum Jenkins version required, please update <jenkins.version>2.414.3</jenkins.version> to at least 2.426.3 in your pom.xml. Take a look at the baseline recommendations.
  • ⛔ Required: The following usernames in 'GitHub Users to Authorize as Committers' are not valid GitHub usernames or are Organizations: cpfarherFinitestate phillipcurl
  • ⛔ Required: The 'artifactId' from the pom.xml (finite-state-third-party-uplopad) is incorrect, it should be finite-state-third-party-upload ('New Repository Name' field with "-plugin" removed)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

@alecharp
Contributor

In addition to other comments from the bot, I'd invite you to provide a description of your plugin in https://github.com/FiniteStateInc/third-party-upload-jenkins/blob/7da850e81091fb80701dc43c3866ebabbaf941e3/src/main/resources/index.jelly#L3.

Rather than depending on the docker-java library directly, could you depend on https://github.com/jenkinsci/docker-java-api-plugin so you can be certain of which library version you have at runtime?

@cpfarherFinitestate
Author

/request-security-scan

@jenkins-cert-app jenkins-cert-app added security-audit-todo The security team needs to audit the hosting request code and removed security-audit-needs-correction The security audit revealed issues that must be corrected from the hosting request labels May 21, 2024
@jenkins-cert-app
Collaborator

The Jenkins Security Scan discovered 23 finding(s) 🔍.

Please follow the instructions below for every identified issue:

  • Implement the recommended fix to address the issue.
  • If you think it's a false positive, suppress the warning directly within the code.
  • Alternatively, write an explanation here about why you think it's irrelevant. That will require a manual review, leading to a slower process.

After addressing the findings through one of the above methods:

  • If all modifications have been made to the code, please initiate a new security scan by triggering the /request-security-scan command.
  • If there are any unresolved findings (those not corrected or suppressed), request a review from the Jenkins security team by using the /audit-review command.

Jenkins: Missing permission check on a form fill web method with credentials lookup

You can find detailed information about this finding here.

ThirdPartyUploadRecorder.java#374
doFillFiniteStateOrganizationContextItems should perform a permission check before calling #lookupCredentials
ThirdPartyUploadRecorder.java#364
doFillFiniteStateSecretItems should perform a permission check before calling #lookupCredentials
ThirdPartyUploadRecorder.java#354
doFillFiniteStateClientIdItems should perform a permission check before calling #lookupCredentials

Stapler: Missing POST/RequirePOST annotation

You can find detailed information about this finding here.

ThirdPartyUploadRecorder.java#418
Potential CSRF vulnerability: If DescriptorImpl#doCheckTestType connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
ThirdPartyUploadRecorder.java#414
Potential CSRF vulnerability: If DescriptorImpl#doCheckFilePath connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
ThirdPartyUploadRecorder.java#410
Potential CSRF vulnerability: If DescriptorImpl#doCheckVersion connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
ThirdPartyUploadRecorder.java#406
Potential CSRF vulnerability: If DescriptorImpl#doCheckAssetId connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
ThirdPartyUploadRecorder.java#401
Potential CSRF vulnerability: If DescriptorImpl#doCheckFiniteStateOrganizationContext connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
ThirdPartyUploadRecorder.java#396
Potential CSRF vulnerability: If DescriptorImpl#doCheckFiniteStateSecret connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
ThirdPartyUploadRecorder.java#391
Potential CSRF vulnerability: If DescriptorImpl#doCheckFiniteStateClientId connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
ThirdPartyUploadRecorder.java#374
Potential CSRF vulnerability: If DescriptorImpl#doFillFiniteStateOrganizationContextItems connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
ThirdPartyUploadRecorder.java#364
Potential CSRF vulnerability: If DescriptorImpl#doFillFiniteStateSecretItems connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
ThirdPartyUploadRecorder.java#354
Potential CSRF vulnerability: If DescriptorImpl#doFillFiniteStateClientIdItems connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST

Stapler: Missing permission check

You can find detailed information about this finding here.

ThirdPartyUploadRecorder.java#418
Potential missing permission check in DescriptorImpl#doCheckTestType
ThirdPartyUploadRecorder.java#414
Potential missing permission check in DescriptorImpl#doCheckFilePath
ThirdPartyUploadRecorder.java#410
Potential missing permission check in DescriptorImpl#doCheckVersion
ThirdPartyUploadRecorder.java#406
Potential missing permission check in DescriptorImpl#doCheckAssetId
ThirdPartyUploadRecorder.java#401
Potential missing permission check in DescriptorImpl#doCheckFiniteStateOrganizationContext
ThirdPartyUploadRecorder.java#396
Potential missing permission check in DescriptorImpl#doCheckFiniteStateSecret
ThirdPartyUploadRecorder.java#391
Potential missing permission check in DescriptorImpl#doCheckFiniteStateClientId
ThirdPartyUploadRecorder.java#374
Potential missing permission check in DescriptorImpl#doFillFiniteStateOrganizationContextItems
ThirdPartyUploadRecorder.java#364
Potential missing permission check in DescriptorImpl#doFillFiniteStateSecretItems
ThirdPartyUploadRecorder.java#354
Potential missing permission check in DescriptorImpl#doFillFiniteStateClientIdItems

@jenkins-cert-app jenkins-cert-app added security-audit-needs-correction The security audit revealed issues that must be corrected from the hosting request and removed security-audit-todo The security team needs to audit the hosting request code labels May 21, 2024
@cpfarherFinitestate
Author

/request-security-scan

@jenkins-cert-app jenkins-cert-app added security-audit-todo The security team needs to audit the hosting request code and removed security-audit-needs-correction The security audit revealed issues that must be corrected from the hosting request labels May 23, 2024
@jenkins-cert-app
Collaborator

The Jenkins Security Scan discovered 10 finding(s) 🔍.

Please follow the instructions below for every identified issue:

  • Implement the recommended fix to address the issue.
  • If you think it's a false positive, suppress the warning directly within the code.
  • Alternatively, write an explanation here about why you think it's irrelevant. That will require a manual review, leading to a slower process.

After addressing the findings through one of the above methods:

  • If all modifications have been made to the code, please initiate a new security scan by triggering the /request-security-scan command.
  • If there are any unresolved findings (those not corrected or suppressed), request a review from the Jenkins security team by using the /audit-review command.

Stapler: Missing POST/RequirePOST annotation

You can find detailed information about this finding here.

ThirdPartyUploadRecorder.java#395
Potential CSRF vulnerability: If DescriptorImpl#doFillFiniteStateOrganizationContextItems connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
ThirdPartyUploadRecorder.java#376
Potential CSRF vulnerability: If DescriptorImpl#doFillFiniteStateSecretItems connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
ThirdPartyUploadRecorder.java#357
Potential CSRF vulnerability: If DescriptorImpl#doFillFiniteStateClientIdItems connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST

Stapler: Missing permission check

You can find detailed information about this finding here.

ThirdPartyUploadRecorder.java#455
Potential missing permission check in DescriptorImpl#doCheckTestType
ThirdPartyUploadRecorder.java#450
Potential missing permission check in DescriptorImpl#doCheckFilePath
ThirdPartyUploadRecorder.java#445
Potential missing permission check in DescriptorImpl#doCheckVersion
ThirdPartyUploadRecorder.java#440
Potential missing permission check in DescriptorImpl#doCheckAssetId
ThirdPartyUploadRecorder.java#434
Potential missing permission check in DescriptorImpl#doCheckFiniteStateOrganizationContext
ThirdPartyUploadRecorder.java#428
Potential missing permission check in DescriptorImpl#doCheckFiniteStateSecret
ThirdPartyUploadRecorder.java#422
Potential missing permission check in DescriptorImpl#doCheckFiniteStateClientId
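The ten findings that remain after this scan are two shapes of the same problem: form-fill methods that enumerate credentials are reachable via GET, and doCheck validators run for any caller. The block below is an added example of the pattern the Jenkins form-validation guidance prescribes for both shapes; it is not code from the third-party-upload-jenkins repository. The package, class name, the credential type (StandardCredentials) and the non-empty check on the asset ID are assumptions, and ACL.SYSTEM2 assumes the 2.426.3 baseline the Hosting Checker asked for.

```java
package io.finitestate.jenkins.example; // hypothetical package, not the plugin's own

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardCredentials;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.util.Collections;

/** Descriptor fragment showing only the two web-method shapes the scan flagged. */
public class HardenedDescriptorExample {

    /** True when the caller is allowed to see the credential list in this context. */
    private static boolean mayListCredentials(Item item) {
        if (item == null) {
            // Global configuration page: only administrators may enumerate credentials.
            return Jenkins.get().hasPermission(Jenkins.ADMINISTER);
        }
        // Job configuration page: extended read on the item, or the credentials
        // plugin's "use item" permission, is required.
        return item.hasPermission(Item.EXTENDED_READ)
                || item.hasPermission(CredentialsProvider.USE_ITEM);
    }

    // @POST closes the CSRF finding: the method is no longer reachable via GET.
    @POST
    public ListBoxModel doFillFiniteStateClientIdItems(
            @AncestorInPath Item item,
            @QueryParameter String finiteStateClientId) {
        StandardListBoxModel result = new StandardListBoxModel();
        if (!mayListCredentials(item)) {
            // Unprivileged caller: echo only the already-selected value so the form
            // still renders, without leaking the IDs of other credentials.
            return result.includeCurrentValue(finiteStateClientId);
        }
        // The lookup runs as SYSTEM only after the permission check above has passed.
        return result
                .includeEmptyValue()
                .includeMatchingAs(
                        ACL.SYSTEM2,               // Spring Security principal (Jenkins >= 2.266)
                        item,
                        StandardCredentials.class, // assumed type; narrow to the real one
                        Collections.emptyList(),
                        CredentialsMatchers.always())
                .includeCurrentValue(finiteStateClientId);
    }

    // Validators must be gated as well; an unprivileged caller gets a neutral answer
    // rather than an error message that could be used as an oracle.
    @POST
    public FormValidation doCheckAssetId(@AncestorInPath Item item,
                                         @QueryParameter String value) {
        if (item == null) {
            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                return FormValidation.ok();
            }
        } else if (!item.hasPermission(Item.CONFIGURE)) {
            return FormValidation.ok();
        }
        if (value == null || value.trim().isEmpty()) {
            return FormValidation.error("Asset ID must not be empty");
        }
        return FormValidation.ok();
    }
}
```

The same gate applies unchanged to the other doFill and doCheck methods the scan lists; only the parameter name and the validation rule differ.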

@jenkins-cert-app jenkins-cert-app added security-audit-needs-correction The security audit revealed issues that must be corrected from the hosting request and removed security-audit-todo The security team needs to audit the hosting request code labels May 23, 2024
@cpfarherFinitestate
Author

@NotMyFault Should I open another PR when I have all the changes merged in the main branch? At the moment I have an open PR that is waiting to be reviewed that fixes all the stuff related to the security scan.
