Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

appcircle-enterprise-store-plugin #3968

Closed
guvenkaranfil opened this issue Jun 10, 2024 · 22 comments
Closed

appcircle-enterprise-store-plugin #3968

guvenkaranfil opened this issue Jun 10, 2024 · 22 comments
Labels
bot-check-complete Automated hosting checks passed hosting-request Request to host a component in jenkinsci security-audit-done The hosting request code passed the security audit with success

Comments

@guvenkaranfil
Copy link

guvenkaranfil commented Jun 10, 2024
edited
Loading

Repository URL

https://github.com/appcircleio/appcircle-enterprise-app-store-plugin

New Repository Name

appcircle-enterprise-store-plugin

Description

appcircle-enterprise-store-plugin is a easy way to publish builds in Appcicle Enterprise Store. It is a module at appcircleio. Users can use the module to publish their app to end users easily.

GitHub users to have commit permission

@guvenkaranfil

Jenkins project users to have release permission

appcircle

Issue tracker

GitHub issues
@guvenkaranfil guvenkaranfil added the hosting-request Request to host a component in jenkinsci label Jun 10, 2024
@github-actions GitHub Actions
Copy link

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A member of the Jenkins hosting team will check over things that I am not able to check(code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

@jenkins-cert-app
Copy link
Collaborator

Security audit, information and commands

The security team is auditing all the hosting requests, to ensure a better security by default.

This message informs you that a Jenkins Security Scan was triggered on your repository.
It takes ~10 minutes to complete.

Commands

The bot will parse all comments, and it will check if any line start with a command.

Security team only:

  • /audit-ok => the audit is complete, the hosting can continue 🎉.
  • /audit-skip => the audit is not necessary, the hosting can continue 🎉.
  • /audit-findings => the audit reveals some issues that require corrections ✏️.

Anyone:

  • /request-security-scan => the findings from the Jenkins Security Scan were corrected, this command will re-scan your repository 🔍.
  • /audit-review => the findings from the audit were corrected, this command will ping the security team to review the findings 👀. It's only applicable when the previous audit required changes.

Only one command can be requested per comment.

(automatically generated message, version: 1.28.6)

@github-actions github-actions bot added the bot-check-complete Automated hosting checks passed label Jun 10, 2024
@jenkins-cert-app jenkins-cert-app added the security-audit-todo The security team needs to audit the hosting request code label Jun 10, 2024
@jenkins-cert-app
Copy link
Collaborator

The Jenkins Security Scan discovered 9 finding(s) 🔍.

Please follow the instructions below for every identified issues:

  • Implement the recommended fix to address the issue.
  • If you think it's a false positive, suppress the warning directly within the code.
  • Alternative, you write an explanation here about why you think it's irrelevant. That will require a manual review, leading to a slower process.

After addressing the findings through one of the above methods:

  • If all modifications have been made to the code, please initiate a new security scan by triggering the /request-security-scan command.
  • If there are any unresolved findings (those not corrected or suppressed), request a review from the Jenkins security team by using the /audit-review command.

Stapler: Missing POST/RequirePOST annotation

You can find detailed information about this finding here.

AppcircleBuilder.java#256 
Potential CSRF vulnerability: If DescriptorImpl#doCheckMessage connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
AppcircleBuilder.java#251 
Potential CSRF vulnerability: If DescriptorImpl#doCheckProfileId connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
AppcircleBuilder.java#246 
Potential CSRF vulnerability: If DescriptorImpl#doCheckAppPath connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
AppcircleBuilder.java#241 
Potential CSRF vulnerability: If DescriptorImpl#doCheckAccessToken connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST

Stapler: Missing permission check

You can find detailed information about this finding here.

AppcircleBuilder.java#256 
Potential missing permission check in DescriptorImpl#doCheckMessage
AppcircleBuilder.java#251 
Potential missing permission check in DescriptorImpl#doCheckProfileId
AppcircleBuilder.java#246 
Potential missing permission check in DescriptorImpl#doCheckAppPath
AppcircleBuilder.java#241 
Potential missing permission check in DescriptorImpl#doCheckAccessToken

Jenkins: Plaintext password storage

You can find detailed information about this finding here.

AppcircleBuilder.java#32 
Field should be reviewed whether it stores a password and is serialized to disk: accessToken

@jenkins-cert-app jenkins-cert-app added security-audit-needs-correction The security audit revealed issues that must be corrected from the hosting request and removed security-audit-todo The security team needs to audit the hosting request code labels Jun 10, 2024
@guvenkaranfil
Copy link
Author

/request-security-scan

@jenkins-cert-app jenkins-cert-app added security-audit-todo The security team needs to audit the hosting request code and removed security-audit-needs-correction The security audit revealed issues that must be corrected from the hosting request labels Jun 10, 2024
@jenkins-cert-app
Copy link
Collaborator

The Jenkins Security Scan discovered 9 finding(s) 🔍.

Please follow the instructions below for every identified issues:

  • Implement the recommended fix to address the issue.
  • If you think it's a false positive, suppress the warning directly within the code.
  • Alternative, you write an explanation here about why you think it's irrelevant. That will require a manual review, leading to a slower process.

After addressing the findings through one of the above methods:

  • If all modifications have been made to the code, please initiate a new security scan by triggering the /request-security-scan command.
  • If there are any unresolved findings (those not corrected or suppressed), request a review from the Jenkins security team by using the /audit-review command.

Stapler: Missing POST/RequirePOST annotation

You can find detailed information about this finding here.

AppcircleBuilder.java#256 
Potential CSRF vulnerability: If DescriptorImpl#doCheckMessage connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
AppcircleBuilder.java#251 
Potential CSRF vulnerability: If DescriptorImpl#doCheckProfileId connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
AppcircleBuilder.java#246 
Potential CSRF vulnerability: If DescriptorImpl#doCheckAppPath connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
AppcircleBuilder.java#241 
Potential CSRF vulnerability: If DescriptorImpl#doCheckAccessToken connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST

Stapler: Missing permission check

You can find detailed information about this finding here.

AppcircleBuilder.java#256 
Potential missing permission check in DescriptorImpl#doCheckMessage
AppcircleBuilder.java#251 
Potential missing permission check in DescriptorImpl#doCheckProfileId
AppcircleBuilder.java#246 
Potential missing permission check in DescriptorImpl#doCheckAppPath
AppcircleBuilder.java#241 
Potential missing permission check in DescriptorImpl#doCheckAccessToken

Jenkins: Plaintext password storage

You can find detailed information about this finding here.

AppcircleBuilder.java#32 
Field should be reviewed whether it stores a password and is serialized to disk: accessToken

@jenkins-cert-app jenkins-cert-app added security-audit-needs-correction The security audit revealed issues that must be corrected from the hosting request and removed security-audit-todo The security team needs to audit the hosting request code labels Jun 10, 2024
@guvenkaranfil
Copy link
Author

/request-security-scan

@jenkins-cert-app jenkins-cert-app added security-audit-todo The security team needs to audit the hosting request code and removed security-audit-needs-correction The security audit revealed issues that must be corrected from the hosting request labels Jun 14, 2024
@jenkins-cert-app
Copy link
Collaborator

The Jenkins Security Scan did not find anything dangerous with your plugin, congratulations! 🎉

💡 The Security team recommends that you are setting up the scan in your repository by following our guide.

@jenkins-cert-app jenkins-cert-app added security-audit-done The hosting request code passed the security audit with success and removed security-audit-todo The security team needs to audit the hosting request code labels Jun 14, 2024
@mawinter69
Copy link
Contributor

mawinter69 commented Jul 22, 2024
edited
Loading

How does this differentiate from #3955?
It looks as if you should put both in the same plugin. A Jenkins plugin can implement many build steps and other things
Other problems:

  • the package name io.jenkins.plugins.ac is very generic, it should better be io.jenkins.plugins.appcircle
  • both plugins define the class AppcircleBuilder in the same package, this can't work full qualified name of classes must be unique within Jenkins
  • in https://github.com/appcircleio/appcircle-testing-distribution-plugin/blob/b74a86df23be9d0d8395da255fbde1db52de1b8f/src/main/java/io/jenkins/plugins/ac/AppcircleBuilder.java#L127 the symbol is used as the name in pipelines, so it should reflect that it is doing (both plugins use greet), e.g. appCircleTestingDistribution
  • the files in src/main/resources/assets look as if the are for documentation. So they should be outside of the src folder, e.g. in docs/images. Right now they get packed in the resulting jar file and will only make the plugin bigger.
  • the Messages.properties contains unused properties, also it refers to HelloWorldBuilder from the archetype
  • The permission checks all use Jenkins.ADMINISTER that means that only admins will be able to configure the steps, not sure if this really what you want. As all checks just check if not empty you can also omit the checks and apply annotations so the security scanner will not complain.
  • Can the accessToken that is used in both plugins be the same when I use both plugins? In general it would be better to use credentials as they can be defined once per Jenkins instance. So when the accessToken changes you only need to change it in one place, right now you would need to adjust each and every job (freestyle) that uses the accessToken.
  • the getInputValue method looks as if you want to make use of environment variables, not sure if this a good idea to allow this for the accessToken.
  • Consider that the command that you execute with launcher.launch() will be printed to the log, so the accessToken will also be printed in freestyle jobs (in pipeline jobs I could use a withCredentials step to set the accessToken and then it gets masked automatically.

There might be more problematic things

The plugins expect that the program appcircle is installed on the machine. And they are not doing much more than calling that program. I can achieve this also with a simple shell step in a pipeline.

@mawinter69 mawinter69 mentioned this issue Jul 23, 2024
Closed
@guvenkaranfil
Copy link
Author

/hosting re-check

@github-actions GitHub Actions
Copy link

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A member of the Jenkins hosting team will check over things that I am not able to check(code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

@guvenkaranfil
Copy link
Author

@NotMyFault Hello,

I have fixed the comments mentioned by mawinter69. Could you please review and approve the hosting request

@github-actions GitHub Actions
Copy link

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A member of the Jenkins hosting team will check over things that I am not able to check(code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

@guvenkaranfil
Copy link
Author

Hello @mawinter69,

Could you please review and host the plugin? Let me know if anything I need to do

@mawinter69
Copy link
Contributor

@guvenkaranfil
Copy link
Author

@mawinter69 I have fixed the comments

@mawinter69
Copy link
Contributor

the version at https://github.com/appcircleio/appcircle-enterprise-app-store-plugin/blob/8d653566f8b71336e764bde21c450f91dbdd8e38/pom.xml#L49 is not existing

@mawinter69
Copy link
Contributor

I think the dependency https://github.com/appcircleio/appcircle-enterprise-app-store-plugin/blob/8d653566f8b71336e764bde21c450f91dbdd8e38/pom.xml#L65 is not required

@guvenkaranfil
Copy link
Author

@mawinter69 I removed the dependency

@guvenkaranfil
Copy link
Author

Could you please review the hosting request? Let me know if there is anything I need to do.

@timja
Copy link
Member

timja commented Sep 9, 2024

All the comments from #3955 (comment) apply to this one as well.

Also non blocking I will host it now.

@timja
Copy link
Member

timja commented Sep 9, 2024

/hosting host

@jenkins-infra-bot jenkins-infra-bot mentioned this issue Sep 9, 2024
Merged
@jenkins-infra-bot
Copy link
Contributor

Hosting request complete, the code has been forked into the jenkinsci project on GitHub as https://github.com/jenkinsci/appcircle-enterprise-store-plugin

GitHub issues has been selected for issue tracking and was enabled for the forked repo.

A pull request has been created against the repository permissions updater to setup release permissions. Additional users can be added by modifying the created file.

Please delete your original repository (if there are no other forks), under 'Danger Zone', so that the jenkinsci organization repository is the definitive source for the code. If there are other forks, please contact GitHub support to make the jenkinsci repo the root of the fork network (mention that Jenkins approval was given in support request 569994). Also, please make sure you properly follow the documentation on documenting your plugin so that your plugin is correctly documented.

You will also need to do the following in order to push changes and release your plugin:

Welcome aboard!

@alecharp alecharp mentioned this issue Dec 11, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bot-check-complete Automated hosting checks passed hosting-request Request to host a component in jenkinsci security-audit-done The hosting request code passed the security audit with success
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@NotMyFault @mawinter69 @timja @guvenkaranfil @jenkins-infra-bot @jenkins-cert-app