
Sofy Upload Jenkins Plugin #3637

Closed
SOFYDEVELOPER opened this issue Nov 27, 2023 · 12 comments
Labels
hosting-request Request to host a component in jenkinsci needs-fix security-audit-needs-correction The security audit revealed issues that must be corrected from the hosting request

Comments

@SOFYDEVELOPER

Repository URL

https://github.com/SOFYDEVELOPER/sofy-app-upload-jenkins-plugin

New Repository Name

sofy-app-upload-jenkins-plugin

Description

The plugin in question is designed for customer interaction and facilitates the seamless uploading of their builds to our platform, Sofy.ai. This customer-facing tool serves as a valuable resource, streamlining the process of submitting their software builds to enhance the overall user experience on our platform. Through this plugin, customers can efficiently contribute their builds, fostering a more collaborative and user-friendly environment on Sofy.ai.

GitHub users to have commit permission

@Ayeshasaifsofy
@SOFYDEVELOPER

Jenkins project users to have release permission

sofydevelopers

Issue tracker

GitHub issues

@SOFYDEVELOPER SOFYDEVELOPER added the hosting-request Request to host a component in jenkinsci label Nov 27, 2023
@jenkins-cert-app
Collaborator

Security audit, information and commands

The security team is auditing all the hosting requests, to ensure a better security by default.

This message informs you that a Jenkins Security Scan was triggered on your repository.
It takes ~10 minutes to complete.

Commands

The bot will parse all comments, and it will check if any line start with a command.

Security team only:

  • /audit-ok => the audit is complete, the hosting can continue 🎉.
  • /audit-skip => the audit is not necessary, the hosting can continue 🎉.
  • /audit-findings => the audit reveals some issues that require corrections ✏️.

Anyone:

  • /request-security-scan => the findings from the Jenkins Security Scan were corrected, this command will re-scan your repository 🔍.
  • /audit-review => the findings from the audit were corrected, this command will ping the security team to review the findings 👀. It's only applicable when the previous audit required changes.

Only one command can be requested per comment.

(automatically generated message, version: 1.26.21)

@jenkins-cert-app jenkins-cert-app added the security-audit-todo The security team needs to audit the hosting request code label Nov 27, 2023

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

  • ⛔ Required: Your baseline specified does not meet the minimum Jenkins version required, please update <jenkins.version>2.164.3</jenkins.version> to at least 2.401.3 in your pom.xml. Take a look at the baseline recommendations.
  • ⛔ Required: You must use HTTPS for the <connection> tag in your <scm> block in your pom.xml. You can use this sample: <connection>scm:git:https://github.com/jenkinsci/${project.artifactId}-plugin.git</connection>
  • ⛔ Required: The parent pom version '4.16' should be at least '4.75' or higher.
  • ⛔ Required: The 'name' field in the pom.xml should not contain "Jenkins"
  • ⛔ Required: The 'artifactId' from the pom.xml (sofy-app-upload) is incorrect, it should be sofy-app-upload-jenkins ('New Repository Name' field with "-plugin" removed)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

@jenkins-cert-app
Collaborator

The Jenkins Security Scan discovered 2 finding(s) 🔍.
For each of them, either apply the recommended correction, suppress the warning or provide a justification.

Once you're done, either re-run the scan with /request-security-scan or request the Security team to review your justifications with /audit-review.


Stapler: Missing POST/RequirePOST annotation

You can find detailed information about this finding here.

TestMobileAppWithSofy.java#174
Potential CSRF vulnerability: If DescriptorImpl#doCheckAuthTokenValidity connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST

Jenkins: Plaintext password storage

You can find detailed information about this finding here.

TestMobileAppWithSofy.java#47
Field should be reviewed whether it stores a password and is serialized to disk: apiToken

@jenkins-cert-app jenkins-cert-app added security-audit-needs-correction The security audit revealed issues that must be corrected from the hosting request and removed security-audit-todo The security team needs to audit the hosting request code labels Nov 27, 2023
@Wadeck
Collaborator

Wadeck commented Nov 27, 2023

👋 Related to the scan, some additional information:

  • TestMobileAppWithSofy.java#L57: the Secret class is meant to be put in the variable directly, as it supports serialization. Putting the encrypted value in directly could lead to migration issues in the future.
  • TestMobileAppWithSofy.java#L177-L182: this is checking for admin permission but the result is not used. By your try/catch, you prevent the check from being effective.
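
The two scan findings above (missing @POST on DescriptorImpl#doCheckAuthTokenValidity, plaintext apiToken field) and Wadeck's two follow-up points (store the Secret itself, do not swallow the permission check) all land in the same two classes, so here is one added example showing the corrected shape. This is illustrative code written for this thread, not the plugin's own source: the package name, the perform body, the display name and the field named apiToken are assumptions; the class and method names come from the scan output.

```java
// Added example (not the plugin's code): Secret-typed token field plus a
// POST-only form-validation method whose permission check is allowed to fail.
package io.example.sofy; // hypothetical package name

import hudson.Extension;
import hudson.Launcher;
import hudson.model.AbstractBuild;
import hudson.model.AbstractProject;
import hudson.model.BuildListener;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Publisher;
import hudson.tasks.Recorder;
import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

public class TestMobileAppWithSofy extends Recorder {

    // Keep the Secret object itself in the field. Jenkins serializes it in its
    // encrypted form and restores a Secret on load, so neither the plaintext
    // token nor a hand-rolled encrypted String is written to config.xml.
    private final Secret apiToken;

    @DataBoundConstructor
    public TestMobileAppWithSofy(Secret apiToken) {
        this.apiToken = apiToken;
    }

    // Return the Secret, not getPlainText(): the config form round-trips the
    // encrypted value and the token never appears in the page source.
    public Secret getApiToken() {
        return apiToken;
    }

    @Override
    public boolean perform(AbstractBuild<?, ?> build, Launcher launcher, BuildListener listener) {
        // Decrypt only at the point of use and keep the value out of the build log.
        String token = Secret.toString(apiToken);
        if (token.isEmpty()) {
            listener.error("Sofy API token is not configured");
            return false;
        }
        // Upload of the build using `token` as a bearer credential would follow here.
        return true;
    }

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Publisher> {

        // @POST makes Stapler reject GET, so a link or image tag on another site
        // cannot make a logged-in administrator's browser run this validation
        // (and whatever outbound request it performs). The POST also has to
        // carry Jenkins' CSRF crumb.
        @POST
        public FormValidation doCheckAuthTokenValidity(@QueryParameter String value) {
            // Not wrapped in try/catch on purpose: checkPermission reports a
            // missing permission by throwing AccessDeniedException, and catching
            // that would let the method continue for unprivileged users.
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);

            // The form may submit the encrypted form of the token; decode it first.
            String plain = Secret.fromString(value).getPlainText().trim();
            if (plain.isEmpty()) {
                return FormValidation.error("API token is required");
            }
            // A live check against the Sofy API would go here.
            return FormValidation.ok();
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Upload build to Sofy"; // assumed display name
        }
    }
}
```

The corresponding config.jelly field should be an f:password entry bound to apiToken so the browser never receives the plaintext; if the validation method contacts an external URL, keeping it behind @POST and ADMINISTER is what stops an unauthenticated page from turning a Jenkins administrator's browser into a request proxy.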

@mawinter69
Contributor

  • depends on Jenkins 2.164.3 (that is 5 years old)
  • The pom.xml contains many unused dependencies
  • direct usage of apache httpcomponents instead of using the httpcomponent jenkins plugin
  • direct usage of jackson instead of using the jackson jenkins plugin
  • findbugs findings don't lead to a build error
  • the provided recorder can only be used in freestyle projects and not in pipelines, so it is of little value nowadays
  • The code can only run successfully when the build runs on the controller. If run on an agent it must fail as there is no remoting support (TestMobileAppWithSofy.java#L66 converts the FilePath to a string and appends the configured location; all the code runs on the controller, so when the build was run on an agent it must fail to find the file in line 99)

All the plugin does is upload a file to a hard coded url. In a Jenkins pipeline this can be easily achieved with the https://plugins.jenkins.io/http_request/ plugin. Put some glue code in a pipeline library and you have an easy to use step in your pipeline.
I assume you plan to provide some sort of feedback about the result of the scan.
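
The remoting point in the review above (converting the workspace FilePath to a String and opening it on the controller) is the kind of defect that only shows up once a job runs on an agent. As an added example, not code from the plugin, this is how the same file access looks when it is kept on the FilePath API, which executes the operations on whichever node owns the workspace. The class name, the appPath field and the upload hook are assumptions made for the illustration.

```java
// Added example (not the plugin's code): locate and read the configured build
// file through hudson.FilePath so the step also works when the build ran on an agent.
package io.example.sofy; // hypothetical package name

import hudson.FilePath;
import hudson.Launcher;
import hudson.model.AbstractBuild;
import hudson.model.BuildListener;
import hudson.tasks.Recorder;
import java.io.IOException;
import java.io.InputStream;

public abstract class AgentSafeUploadRecorder extends Recorder {

    // Path of the artifact relative to the workspace, taken from the job config.
    private final String appPath;

    protected AgentSafeUploadRecorder(String appPath) {
        this.appPath = appPath;
    }

    // Hypothetical upload hook. The stream is consumed on the controller; the
    // bytes arrive over the remoting channel from the node that holds the file.
    protected abstract void upload(InputStream in, long length, BuildListener listener)
            throws IOException;

    @Override
    public boolean perform(AbstractBuild<?, ?> build, Launcher launcher, BuildListener listener)
            throws InterruptedException, IOException {
        FilePath workspace = build.getWorkspace();
        if (workspace == null) {
            listener.error("No workspace available (is the agent offline?)");
            return false;
        }

        // Resolve against the FilePath itself. A FilePath bound to an agent's
        // channel runs child(), exists(), isDirectory(), length() and read() on
        // that agent. Turning workspace.getRemote() + appPath into a java.io.File
        // would instead look for the file on the controller's disk and fail.
        FilePath app = workspace.child(appPath);

        if (!app.exists() || app.isDirectory()) {
            listener.error("Build file not found in workspace: " + appPath);
            return false;
        }

        long length = app.length();
        listener.getLogger().println("Uploading " + appPath + " (" + length + " bytes)");
        try (InputStream in = app.read()) {
            upload(in, length, listener);
        }
        return true;
    }
}
```

Everything that touches the file goes through the FilePath, so the only controller-side work is the upload itself; the same code path serves builds on the built-in node and on agents without any is-this-remote branching.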

@mawinter69
Contributor

This looks pretty much identical to the existing plugin https://plugins.jenkins.io/sofy-ai/

@SOFYDEVELOPER
Author

This looks pretty much identical to the existing plugin https://plugins.jenkins.io/sofy-ai/

@mawinter69 Unfortunately, due to unforeseen circumstances, we have lost access to our previous account. In light of this, we have set up a new account to resume our activities. Therefore, the need for a new Jenkins plugin. We won't be using our previous plugin anymore. Currently we are working on the changes mentioned above.

@NotMyFault
Member

we have lost access to our previous account.

We can surely grant you access to the existing plugin, there's no need for an additional plugin.

@SOFYDEVELOPER
Author

@NotMyFault Can you please elaborate how? As our previous account is not to be considered but only the new account (SOFYDEVELOPERS). Your help would be appreciated.

@NotMyFault
Member

We can grant you access to the existing plugin while you propose your changes as pull request, which we will review.

If all changes made are according to our requirements for plugins, we can grant you release access.

@NotMyFault
Member

I've invited both users mentioned in the initial issue body to https://github.com/jenkinsci/upload-build-to-sofy-plugin.

Please file your proposed plugin as PR to the existing plugin and link it here for a review. Once reviewed, we will grant you release permission.

@NotMyFault
Member

I'll go ahead and close the request given you have been granted access to the existing resource.

@NotMyFault NotMyFault closed this as not planned Jan 11, 2024