
Add findsecbugs plugin to spotbugs. #361

Merged
merged 5 commits into from
Dec 27, 2019

Conversation

jeffret-b
Contributor

Add findsecbugs plugin to spotbugs. And suppress existing warnings. We should clean some of them up, but that's for different PRs at a later time.

Some of the issues findsecbugs just misidentifies. With some it doesn't understand enough context.

As always with these sort of analysis tools, adding them to existing code correctly can be a bit of a challenge. It's easier to suppress things that aren't really problems than to clean all of them up. Most of the benefit from applying these tools comes from checking newly added code and preventing new issues from creeping in.

@jeffret-b jeffret-b requested a review from jvz December 5, 2019 18:23
@@ -72,6 +74,7 @@ static Checksum forFile(File file) throws IOException {
/**
* Returns the checksum for the given URL.
*/
@SuppressFBWarnings(value = "URLCONNECTION_SSRF_FD", justification = "This is only used for managing the jar cache as files, not URLs.")
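Review bot: the justification on the @SuppressFBWarnings for URLCONNECTION_SSRF_FD states that this code path is only used for jar cache files rather than remote URLs, but nothing in the hunk enforces that precondition on the URL argument, so the suppression records the intent without constraining callers. Consider validating the scheme before any connection is opened (for example, rejecting anything other than a file-like scheme with an IllegalArgumentException), or at least extending the Javadoc "Returns the checksum for the given URL." to state that the URL must point at a local file, so the precondition the suppression relies on is visible to callers.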
Member

Could you add an assertion that the URL's scheme is file or at least not http/s?

Contributor Author

@jeffret-b jeffret-b Dec 10, 2019

Do you mean something like this?

assert url.getProtocol().equalsIgnoreCase("file") : "Non-file URL protocol generating checksum";

Member

Yeah basically. Might want to support vfs type URLs for some servlet runtimes (JBoss/Wildfly used to do this for files in the war rather than unzipping it like Tomcat/Jetty do).

Contributor Author

I'm concerned here by your comment that there might be other types we might want to also include in the assert. That was why I was reluctant to add the assertion initially. I suppose it won't hurt, but since we're not certain about the total set maybe it would be better to leave it off for now.
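The exchange above is about whether a scheme check belongs next to the suppressed URLCONNECTION_SSRF_FD finding. As an added example (not code from this PR or from the Jenkins project), the class below shows one way to enforce that precondition as an explicit check rather than an assert: the class name LocalUrlGuard, the method names, and the allowlist of schemes (file plus vfs and vfsfile, standing in for the JBoss/WildFly-style virtual filesystem URLs mentioned in the thread) are all assumptions made for this illustration.

```java
import java.net.URL;
import java.util.Locale;
import java.util.Set;

/**
 * Added example, not part of the PR: restricts checksum-style work to URLs with
 * a local, file-like scheme so the SSRF finding is answered by enforcement
 * rather than only by a suppression justification.
 */
public final class LocalUrlGuard {
    // Assumed allowlist. Extend it deliberately if another runtime's scheme is needed;
    // "vfs"/"vfsfile" are placeholders for the servlet-container VFS schemes discussed above.
    private static final Set<String> LOCAL_SCHEMES = Set.of("file", "vfs", "vfsfile");

    private LocalUrlGuard() {}

    /** True when the URL's scheme is in the local allowlist (compared case-insensitively). */
    public static boolean isLocal(URL url) {
        String scheme = url.getProtocol();
        return scheme != null && LOCAL_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT));
    }

    /**
     * Validates before any connection would be opened. An explicit exception is used
     * instead of an assert statement because assertions are disabled unless the JVM
     * is started with -ea, so an assert cannot act as a security control in production.
     */
    public static URL requireLocal(URL url) {
        if (!isLocal(url)) {
            throw new IllegalArgumentException(
                    "Refusing non-local URL scheme for checksum computation: " + url.getProtocol());
        }
        return url;
    }

    // Constructed sample inputs for a quick stand-alone run.
    public static void main(String[] args) throws Exception {
        URL[] samples = {
            new URL("file:///tmp/example-plugin.jpi"),       // constructed local path
            new URL("http://example.invalid/plugin.jpi"),     // constructed remote URL
        };
        for (URL u : samples) {
            try {
                requireLocal(u);
                System.out.println("accepted: " + u);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Running the main method accepts the file URL and rejects the http one. Keeping the allowlist in one place means that if a vfs-style scheme does turn out to be needed, it is added as a single reviewed line rather than by loosening the check at each call site.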

Member

@jvz jvz left a comment

Generally looks good. Could you add deprecation annotations to the things you noted should be deprecated?

Member

@jvz jvz left a comment

Did a more thorough look through the various warnings. Some need better descriptions, while others could potentially be updated to guard against the bug even if it's not exploitable in the current ecosystem.

@jeffret-b
Contributor Author

@jvz, thanks for the review! I've updated the PR for many of the findings and responded to some of your comments / questions. Please respond again or take another look.

Member

@jvz jvz left a comment

Looks to be in a generally good state now.

@jeffret-b
Contributor Author

Try building again.

@jeffret-b
Contributor Author

With a close

@jeffret-b jeffret-b closed this Dec 26, 2019
@jeffret-b jeffret-b reopened this Dec 26, 2019
@jeffret-b jeffret-b added labels: chore (For changelog: A maintenance chore with no functional changes), ready-to-merge Dec 26, 2019
@jeffret-b jeffret-b merged commit 946602b into jenkinsci:master Dec 27, 2019
@jsoref jsoref mentioned this pull request Jan 22, 2020