I want to host a plugin in the Jenkins organization #3564
Comments
|
Security audit, information and commands The security team is auditing all the hosting requests, to ensure a better security by default. This message informs you that a Jenkins Security Scan was triggered on your repository. CommandsThe bot will parse all comments, and it will check if any line start with a command. Security team only:
Anyone:
Only one command can be requested per comment. (automatically generated message, version: 1.26.3) |
jenkins-cert-app
added
the
security-audit-todo
|
Hello from your friendly Jenkins Hosting Checker It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.
You can re-trigger a check by editing your hosting request or by commenting |
|
The Jenkins Security Scan discovered 16 finding(s) 🔍. Once you're done, either re-run the scan with Remoting: Unsafe CallableYou can find detailed information about this finding here. OsNameTask.java#22Stapler: Missing POST/RequirePOST annotationYou can find detailed information about this finding here. SecurityScanStep.java#408Stapler: Missing permission checkYou can find detailed information about this finding here. SecurityScanStep.java#408Jenkins: Plaintext password storageYou can find detailed information about this finding here. ScannerGlobalConfig.java#67ScannerGlobalConfig.java#61ScannerGlobalConfig.java#37ScannerGlobalConfig.java#25SecurityScanStep.java#87SecurityScanStep.java#73SecurityScanStep.java#57SecurityScanStep.java#43Api.java#17Project.java#16BlackDuck.java#16User.java#16Polaris.java#14 |
jenkins-cert-app
added
security-audit-needs-correction
|
Hello from your friendly Jenkins Hosting Checker It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.
You can re-trigger a check by editing your hosting request or by commenting |
|
/hosting re-check |
|
Hello from your friendly Jenkins Hosting Checker It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.
You can re-trigger a check by editing your hosting request or by commenting |
|
/hosting re-check |
|
Hello from your friendly Jenkins Hosting Checker It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.
You can re-trigger a check by editing your hosting request or by commenting |
|
Please recreate your repository using the Jenkins archetype for the maven plugin as base layout: https://www.jenkins.io/doc/developer/tutorial/create/ |
|
@NotMyFault |
|
Yes, @jahid1209, @NotMyFault is requesting that you use Apache Maven for your plugin rather than Gradle. The build tooling improvements that have been made over the last 12-18 months have been implemented in Apache Maven. Jenkins core, Jenkins libraries, and the vast majority of Jenkins plugins use Apache Maven. You'll have a better Jenkins development experience if you use Apache Maven. As an unrelated note, will Synopsys be removing the Prototype.js JavaScript library use from the Synopsys Coverity plugin as noted in JENKINS-71308? The May 2023 blog post announced that the Prototype.js library will be removed from Jenkins. Weekly releases beginning with 2.426 (Oct 3, 2023) no longer include that JavaScript library. LTS releases beginning Nov 15, 2023 will no longer include that library. Instructions on the steps to remove that library are in the blog post. |
|
@MarkEWaite Also, thanks for the heads up about Synopsys Coverity plugin. We will get back to you after necessary changes are done. |
|
Hello @MarkEWaite Is this recommendation or absolute requirement? I am only asking since it is saying "Warning". Our current build/release pipelines are based out of gradle just like other plugins. Those all need to be changed. Can we make that change at a later point? Please advise. Thank you for your prompt responses! |
|
I believe that @NotMyFault is trying to guide you to future success on this new plugin. Switching this plugin from gradle to maven gives you a low risk location to explore the changes you'll need to make in your internal build and release processes. This plugin has no users currently, since it is not yet released. That's the safest place to learn more about the transition. I'll leave it to @NotMyFault to answer if it is mandatory or a recommendation. There have been discussions in the developer mailing list, but I don't recall the details of the discussions. |
|
We're not accepting new plugin hosting requests using any other build tool but maven anymore. The declining interest of contributors to implement, document and maintain feature parity of the Gradle JPI plugin with the maven ecosystem led to this decision put in place. |
|
Ok. Thanks for responses. This seems a bit restrictive to me. Gradle is widely used and might be daunting change for existing build systems depending on the usage. But if it is absolute requirement now, we will evaluate the changes needed on our end and get back. |
If someone wants to provide and support the Maven based Jenkins tooling updates for Gradle projects, they are welcome to do so. We've not had anyone offer to do that. Are you interested in doing that? |
|
Noting previous context: https://groups.google.com/g/jenkinsci-dev/c/lHQAiEepBiw/m/TiXBGbkpAwAJ |
|
/request-security-scan |
jenkins-cert-app
added
security-audit-todo
|
The Jenkins Security Scan did not find anything dangerous with your plugin, congratulations! 🎉 💡 The Security team recommends that you are setting up the scan in your repository by following our guide. |
jenkins-cert-app
added
security-audit-done
|
/hosting re-check |
github-actions
bot
added
bot-check-complete
|
Hello Jenkins hosting team! cc: @MarkEWaite and @NotMyFault Now that all checks are complete and I believe we are good from the above comment, can you provide us an ETA if possible when hosting will be complete on to jenkinsci org? Thank you for all your help! |
|
/request-security-scan |
jenkins-cert-app
added
security-audit-todo
|
The Jenkins Security Scan did not find anything dangerous with your plugin, congratulations! 🎉 💡 The Security team recommends that you are setting up the scan in your repository by following our guide. |
jenkins-cert-app
added
security-audit-done
|
/hosting re-check |
|
Hello from your friendly Jenkins Hosting Checker It looks like you have everything in order for your hosting request. A member of the Jenkins hosting team will check over things that I am not able to check(code review, README content, etc) and process the request as quickly as possible. Thank you for your patience. Hosting team members can host this request with |
Hi @NotMyFault Than you for your feedbacks. We have addressed all the feedbacks. Please have a look on it, re-review and provide us further feedbacks if you get any. Thank you for all your help! |
|
/request-security-scan |
|
/hosting re-check |
jenkins-cert-app
added
security-audit-todo
|
Hello from your friendly Jenkins Hosting Checker It looks like you have everything in order for your hosting request. A member of the Jenkins hosting team will check over things that I am not able to check(code review, README content, etc) and process the request as quickly as possible. Thank you for your patience. Hosting team members can host this request with |
|
The Jenkins Security Scan did not find anything dangerous with your plugin, congratulations! 🎉 💡 The Security team recommends that you are setting up the scan in your repository by following our guide. |
jenkins-cert-app
added
security-audit-done
|
@NotMyFault All the items in your last comment are addressed now. Can you please let us know the ETA for hosting on "jenkinsci" org to be complete? Thank you for all your help. |
|
/hosting host |
|
Hosting request complete, the code has been forked into the jenkinsci project on GitHub as https://github.com/jenkinsci/synopsys-security-scan-plugin GitHub issues has been selected for issue tracking and was enabled for the forked repo. A pull request has been created against the repository permissions updater to setup release permissions. Additional users can be added by modifying the created file. Please delete your original repository (if there are no other forks), under 'Danger Zone', so that the jenkinsci organization repository is the definitive source for the code. If there are other forks, please contact GitHub support to make the jenkinsci repo the root of the fork network (mention that Jenkins approval was given in support request 569994). Also, please make sure you properly follow the documentation on documenting your plugin so that your plugin is correctly documented. You will also need to do the following in order to push changes and release your plugin:
In order for your plugin to be built by the Jenkins CI Infrastructure and check pull requests, please add a Jenkinsfile to the root of your repository with the following content: Welcome aboard! |
Repository URL
https://github.com/synopsys-sig/synopsys-security-scan-plugin
New Repository Name
synopsys-security-scan-plugin
Description
Synopsys Security Scan for Jenkins
Synopsys Security Scan Plugin for Jenkins enables you to configure your Jenkins pipeline to run Synopsys security testing and take action on the results. Synopsys Security Scan leverages Synopsys Bridge, allowing you to run tests for several Synopsys products from the command line.
Install and configure Synopsys Security Scan plugin and Jenkins pipeline as described in the Readme section.
Synopsys Security Scan will use the following Synopsys products leveraging Synopsys-Bridge.
Polaris
Black Duck
Coverity
GitHub users to have commit permission
@sig-tithi
@kishorikumar
@dmamidisynopsys
Jenkins project users to have release permission
sig_tithi
kishorikumar
dmamidisynopsys
Issue tracker
GitHub issues
The text was updated successfully, but these errors were encountered: