I would like to have a plugin hosted to have project acting as remote Maven Build cache server

[olamy]

Repository URL

https://github.com/olamy/maven-cache-plugin

New Repository Name

maven-cache-plugin

Description

This plugin will turn any project as a remote server for storage of Apache Maven build cache extension

Just install the plugin and enable the cache at a project level and the job will host a cache server with url $joburl/maven-cache/repository

GitHub users to have commit permission

@olamy

Jenkins project users to have release permission

olamy

Issue tracker

GitHub issues

[jenkins-cert-app]

Security audit, information and commands

The security team is auditing all the hosting requests, to ensure a better security by default.

This message informs you that a Jenkins Security Scan was triggered on your repository.
It takes ~10 minutes to complete.

Commands

The bot will parse all comments, and it will check if any line start with a command.

Security team only:

• /audit-ok => the audit is complete, the hosting can continue 🎉.
• /audit-skip => the audit is not necessary, the hosting can continue 🎉.
• /audit-findings => the audit reveals some issues that require corrections ✏️.

Anyone:

• /request-security-scan => the findings from the Jenkins Security Scan were corrected, this command will re-scan your repository 🔍.
• /audit-review => the findings from the audit were corrected, this command will ping the security team to review the findings 👀. It's only applicable when the previous audit required changes.

Only one command can be requested per comment.

(automatically generated message, version: 1.26.13)

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: @olamy (reports are re-synced hourly, wait to re-check for a bit after logging in)
• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: @olamy (reports are re-synced hourly, wait to re-check for a bit after logging in)
• ⛔ Required: The 'name' field in the pom.xml should not contain "Jenkins"

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: @olamy (reports are re-synced hourly, wait to re-check for a bit after logging in)
• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: @olamy (reports are re-synced hourly, wait to re-check for a bit after logging in)
• ⛔ Required: The 'name' field in the pom.xml should not contain "Jenkins"

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[jenkins-cert-app]

The Jenkins Security Scan discovered 2 finding(s) 🔍.
For each of them, either apply the recommended correction, suppress the warning or provide a justification.

Once you're done, either re-run the scan with /request-security-scan or request the Security team to review your justifications with /audit-review.

---

Stapler: Missing POST/RequirePOST annotation

You can find detailed information about this finding here.

MavenCachePluginAction.java#97

Potential CSRF vulnerability: If MavenCachePluginAction#doDynamic connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST

Stapler: Missing permission check

You can find detailed information about this finding here.

MavenCachePluginAction.java#97

Potential missing permission check in MavenCachePluginAction#doDynamic

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• ⛔ Required: The 'name' field in the pom.xml should not contain "Jenkins"

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[olamy]

/hosting re-check

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• ⛔ Required: The 'name' field in the pom.xml should not contain "Jenkins"

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[olamy]

/hosting re-check

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A member of the Jenkins hosting team will check over things that I am not able to check(code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

[NotMyFault]

A bit of feedback:

• https://github.com/olamy/maven-cache-plugin/blob/aabc39b4b70d7379b313085a40a4f94beda583cb/src/main/resources/index.jelly#L3 It would be nice to have the TODO filled in, to have a small description available, e.g. for the plugin manager.
• https://github.com/olamy/maven-cache-plugin/blob/aabc39b4b70d7379b313085a40a4f94beda583cb/src/main/java/io/jenkins/plugins/maven/cache/MavenCachePluginAction.java#L68 This seems to be unintentional, we have no such icon ;)
• Instead of managing prism yourself, I'd recommend using the Jenkins prism-api plugin: https://plugins.jenkins.io/prism-api/
  Bonus points of using the plugin are addressing the CSP violations in https://github.com/olamy/maven-cache-plugin/blob/master/src/main/resources/io/jenkins/plugins/maven/cache/tags/import.jelly#L21-L27
  Alternatively, you may use a node-approach, like the dark-theme-plugin, and package prism via NPM or Yarn.

[olamy]

yup sorry todo and icon fixed.

but regarding prism-api this will mean to add plenty of dependencies just use some javascript/css. sounds like a bit over complicated (same as NPM which will complicated the build_)

[NotMyFault]

but regarding prism-api this will mean to add plenty of dependencies just use some javascript/css. sounds like a bit over complicated (same as NPM which will complicated the build_)

Loading them via stapler adjunct should be fine as a temporary solution.

[olamy]

ATM I'm happy with the current code.
If you want to contribute your proposal via a PR, I will be happy to review and merge it.
Otherwise, can we get this hosting moving forward? Thanks

[NotMyFault]

Inline script tags are banned per CSP, and there is an ongoing effort to address CSP violations in Jenkins core and plugins.
Introducing new plugins with preexisting violations causing more work seems undesired.
I recommend addressing the violations by loading the files using stapler adjuncts (st:adjunct includes="...")

[olamy]

Frankly I don't understand the point to add dependencies on commons-lang commons-text etc... just to use CSS and js files,
Sounds really weird...

[NotMyFault]

Frankly I don't understand the point to add dependencies on commons-lang commons-text etc... just to use CSS and js files, Sounds really weird...

Not sure what you mean by that 🤔

[olamy]

Frankly I don't understand the point to add dependencies on commons-lang commons-text etc... just to use CSS and js files, Sounds really weird...

Not sure what you mean by that 🤔

prism needs to add dependencies on plenty of plugins I don't need here. That's too complicated.

frankly I just want to have this plugin being used by people to help them and it works.
can be improved in the future for sure. but release early release often..

[NotMyFault]

Frankly I don't understand the point to add dependencies on commons-lang commons-text etc... just to use CSS and js files, Sounds really weird...

Not sure what you mean by that 🤔

prism needs to add dependencies on plenty of plugins I don't need here. That's too complicated.

frankly I just want to have this plugin being used by people to help them. If you think there is something you can provide a PR.

No worries, #3566 (comment) works without that too

The design-library contains a few working examples, like loading a js file correctly and CSP compliant.

[olamy]

Frankly I don't understand the point to add dependencies on commons-lang commons-text etc... just to use CSS and js files, Sounds really weird...

Not sure what you mean by that 🤔

prism needs to add dependencies on plenty of plugins I don't need here. That's too complicated.
frankly I just want to have this plugin being used by people to help them. If you think there is something you can provide a PR.

No worries, #3566 (comment) works without that too

The design-library contains a few working examples, like loading a js file correctly and CSP compliant.

interesting to see in the link you provide the line just above is using <script src="${resURL}/jsbundles/section-to-tabs.js" type="text/javascript"/>

So I'm a bit confused about your comment. Ok it's maybe nice to have and can be improved in the future but I do not see anything blocker

btw github search give a lot of results using <script src https://github.com/search?q=org%3Ajenkinsci%20%3Cscript%20src%3D%22&type=code

[olamy]

moved to use prism api.
doesn't look right having to add such dependencies https://github.com/olamy/maven-cache-plugin/blob/feadacce1ccc1ab3f485a37d459210591fb9211b/pom.xml#L67
only to add js and CSS files...

Anyway it looks it's way better now than so many plugins already there :)

[NotMyFault]

/request-security-scan

[jenkins-cert-app]

The Jenkins Security Scan discovered 2 finding(s) 🔍.
For each of them, either apply the recommended correction, suppress the warning or provide a justification.

Once you're done, either re-run the scan with /request-security-scan or request the Security team to review your justifications with /audit-review.

---

Stapler: Missing POST/RequirePOST annotation

You can find detailed information about this finding here.

MavenCachePluginAction.java#98

Potential CSRF vulnerability: If MavenCachePluginAction#doDynamic connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST

Stapler: Missing permission check

You can find detailed information about this finding here.

MavenCachePluginAction.java#98

Potential missing permission check in MavenCachePluginAction#doDynamic

[olamy]

I ignored security scan because they are false positive....
https://github.com/olamy/maven-cache-plugin/blob/feadacce1ccc1ab3f485a37d459210591fb9211b/src/main/java/io/jenkins/plugins/maven/cache/MavenCachePluginAction.java#L98

code is

    public void doDynamic(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
        checkPermission(this.job, MAVEN_CACHE_READ);
       ....

so the finding Potential missing permission check in MavenCachePluginAction#doDynamic is a false positive...

[NotMyFault]

I ignored security scan because they are false positive.... olamy/maven-cache-plugin@feadacc/src/main/java/io/jenkins/plugins/maven/cache/MavenCachePluginAction.java#L98

code is

    public void doDynamic(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
        checkPermission(this.job, MAVEN_CACHE_READ);
       ....

so the finding Potential missing permission check in MavenCachePluginAction#doDynamic is a false positive...

Best to suppress them then: https://github.com/jenkins-infra/jenkins-codeql/blob/main/src/WebMethodMissingPermissionCheck.md#next-steps

[olamy]

ok I give up. too much nit picking for a spare time plugin.

[olamy]

franky adding useless annotations in a code which is safe is a bit ridiculous.
whereas this scanning is not done for a huge majority of the hosted plugins which have more issues than this proposal...

[Wadeck]

For each of them, either apply the recommended correction, suppress the warning or provide a justification.

[From the bot] In this case, the two findings from the bot do not seem to be impacting, so the false positive reply from Olivier was enough. The goal is to force maintainers to have a closer look with additional information. The action to have a clean report from the bot is not required :)

[olamy]

I have reopened it as I feel this is ready.
all the review are best to have but nothing mandatory...
I'd like to see the old good Jenkins spirit of low barrier entry.
If it's not a blocker security we should accept contributions.

[Wadeck]

@NotMyFault @alecharp When time permits, feel free to move this request forward :)

[alecharp]

It looks good enough to me. Contribution section of the readme to change but that is not blocking the hosting for me.
@Wadeck fine to set the security review as ok?

[alecharp]

I take #3566 (comment) as a yes.

/audit-ok

[alecharp]

/hosting host

[jenkins-infra-bot]

Hosting request complete, the code has been forked into the jenkinsci project on GitHub as https://github.com/jenkinsci/maven-cache-plugin

GitHub issues has been selected for issue tracking and was enabled for the forked repo.

A pull request has been created against the repository permissions updater to setup release permissions. Additional users can be added by modifying the created file.

Please delete your original repository (if there are no other forks), under 'Danger Zone', so that the jenkinsci organization repository is the definitive source for the code. If there are other forks, please contact GitHub support to make the jenkinsci repo the root of the fork network (mention that Jenkins approval was given in support request 569994). Also, please make sure you properly follow the documentation on documenting your plugin so that your plugin is correctly documented.

You will also need to do the following in order to push changes and release your plugin:

• Accept the invitation to the Jenkins CI Org on Github
• Add additional users for upload permissions, if needed
• Releasing your plugin

In order for your plugin to be built by the Jenkins CI Infrastructure and check pull requests, please add a Jenkinsfile to the root of your repository with the following content:
https://github.com/jenkinsci/archetypes/blob/master/common-files/Jenkinsfile

Welcome aboard!

[daniel-beck]

so the finding Potential missing permission check in MavenCachePluginAction#doDynamic is a false positive...

Still identified a bug (or perhaps code smell): you're not supposed to call Functions methods from outside Jelly (one of that method's overloads in particular is also exceptionally awkward with null args because of that). Call this.job.checkPermission(MAVEN_CACHE_READ) instead.