Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Demonstrate adding findsecbugs to spotbugs. #137

Draft
wants to merge 1 commit into
base: master
from

Conversation

@jeffret-b
Copy link
Contributor

jeffret-b commented Feb 24, 2020

Demonstrate adding findsecbugs to spotbugs. This commit is a demonstration and is not intended to be merged as-is.

With no changes, findsecbugs reports several findings for this plugin. The MD5 warning is common in Jenkins and exists in core. In this case, it is used for tracking and not for security so it can be suppressed though even here it would be better to eventually upgrade to a better algorithm.

The PATH_TRAVERSAL_IN findings here are particularly interesting. These relate to CVE-2019-10320 from Jenkins Security Advisory 2019-05-21. At this time, these findings are only used for migrating old data and do not represent real vulnerabilities. As we approach a year since the release of the fix, we should consider removing the migration code to remove the suppression. If we had run findsecbugs on this plugin prior to 2019-05-21 it would have detected a valid security vulnerability.


My plan is to add findsecbugs at the plugin pom after sufficient testing and communication. At that point, it would make sense to add the suppressions, but not the pom file changes from this PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

1 participant
You can’t perform that action at this time.