Hosting request for testwheel-api

[aprasanth3192]

Repository URL

https://github.com/Yakshna-Corporation/testwheel-trigger

New Repository Name

testwheel-trigger-plugin

Description

TestWheel- Jenkins Plugin. You use this plugin to trigger test automation through Jenkins CI.

GitHub users to have commit permission

@baskerganesan
@prakashp1987
@aprasanth3192

Jenkins project users to have release permission

baskerGanesan
prakashp1987
prasantha

Issue tracker

GitHub issues

[jenkins-cert-app]

Security audit, information and commands

The security team is auditing all the hosting requests, to ensure a better security by default.

This message informs you that a Jenkins Security Scan was triggered on your repository.
It takes ~10 minutes to complete.

Commands

The bot will parse all comments, and it will check if any line start with a command.

Security team only:

• /audit-ok => the audit is complete, the hosting can continue 🎉.
• /audit-skip => the audit is not necessary, the hosting can continue 🎉.
• /audit-findings => the audit reveals some issues that require corrections ✏️.

Anyone:

• /request-security-scan => the findings from the Jenkins Security Scan were corrected, this command will re-scan your repository 🔍.
• /audit-review => the findings from the audit were corrected, this command will ping the security team to review the findings 👀. It's only applicable when the previous audit required changes.

Only one command can be requested per comment.

(automatically generated message, version: 1.29.18)

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• ⛔ Required: You must specify an <scm> block in your pom.xml. See https://maven.apache.org/pom.html#SCM for more information.
• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: baskerGanesan, prakashkp88 (reports are re-synced hourly, wait to re-check for a bit after logging in)
• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: baskerGanesan, prakashkp88, prasantha (reports are re-synced hourly, wait to re-check for a bit after logging in)
• ⛔ Required: The dependency org.json:json should be replaced with a dependency to the api plugin io.jenkins.plugins:json-api
• ⛔ Required: The dependency org.apache.httpcomponents.client5:httpclient5 should be replaced with a dependency to the api plugin io.jenkins.plugins:apache-httpcomponents-client-5-api
• ⛔ Required: The 'artifactId' from the pom.xml (api-plugin) is incorrect, it should be my-api ('New Repository Name' field with "-plugin" removed)
• ⛔ Required: Please specify a license in your pom.xml file using the <licenses> tag. See https://maven.apache.org/pom.html#Licenses for more information.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[jenkins-cert-app]

The Jenkins Security Scan did not find anything dangerous with your plugin, congratulations! 🎉

---

💡 The Security team recommends that you are setting up the scan in your repository by following our guide.

[mawinter69]

• Please give you plugin a meaningful name instead of my-api or just api e.g. testwheel-trigger
  So the repo name should be testwheel-trigger-plugin and the artifactid should then be testwheel-trigger
• https://github.com/Yakshna-Corporation/testwheel-trigger/blob/a36232abb70c80ed7f1de25f71b8d1eaca48e408/src/main/java/org/yakshna/testwheel/apiplugin/APICallBuilder.java#L126, use e.g. testwheelTrigger for the Symbol, this is what you will use in a pipeline job and apiCallBuilder doesn't give any hint what the step is doing
• https://github.com/Yakshna-Corporation/testwheel-trigger/blob/a36232abb70c80ed7f1de25f71b8d1eaca48e408/src/main/java/org/yakshna/testwheel/apiplugin/APICallBuilder.java#L131 use TestWheel Trigger in the displayname so people know in the build step dropdown in a freestyle job what the step is doing
• https://github.com/Yakshna-Corporation/testwheel-trigger/blob/a36232abb70c80ed7f1de25f71b8d1eaca48e408/src/main/java/org/yakshna/testwheel/apiplugin/APICallBuilder.java#L74 this code will not work when the job runs on an agent. You will need to use https://javadoc.jenkins.io/hudson/FilePath.html -> write()
• https://github.com/Yakshna-Corporation/testwheel-trigger/blob/a36232abb70c80ed7f1de25f71b8d1eaca48e408/src/main/resources/index.jelly#L3 please fill in a meaningful description here what the plugin is doing. This is shown in the plugin manager to users
• https://github.com/Yakshna-Corporation/testwheel-trigger/blob/a36232abb70c80ed7f1de25f71b8d1eaca48e408/pom.xml#L15 use a better name that includes TestWheel
• remove https://github.com/Yakshna-Corporation/testwheel-trigger/blob/a36232abb70c80ed7f1de25f71b8d1eaca48e408/pom.xml#L19-L24, the plugin should be built with jdk11 for now
• https://github.com/Yakshna-Corporation/testwheel-trigger/blob/a36232abb70c80ed7f1de25f71b8d1eaca48e408/pom.xml#L18 stick to the jenkins version that you have specified in the bom at line 30
• https://github.com/Yakshna-Corporation/testwheel-trigger/blob/a36232abb70c80ed7f1de25f71b8d1eaca48e408/pom.xml#L38 the dependency is not required you get it implicitly
• https://github.com/Yakshna-Corporation/testwheel-trigger/blob/a36232abb70c80ed7f1de25f71b8d1eaca48e408/pom.xml#L44 the dependency to structs is not required
• https://github.com/Yakshna-Corporation/testwheel-trigger/blob/a36232abb70c80ed7f1de25f71b8d1eaca48e408/pom.xml#L73 the dependency to common-io is not required
• The code is limited to freestyle jobs because of https://github.com/Yakshna-Corporation/testwheel-trigger/blob/a36232abb70c80ed7f1de25f71b8d1eaca48e408/src/main/java/org/yakshna/testwheel/apiplugin/APICallBuilder.java#L131, there is no reason for this limitation

[aprasanth3192]

/hosting re-check

[aprasanth3192]

@jenkinsci/jenkins-maintainers

Hello, I've made the required changes as per the feedback. Could you please review the updates and let me know if any further changes are needed? Thank you!

[timja]

/hosting re-check

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: baskerGanesan, prakashkp88 (reports are re-synced hourly, wait to re-check for a bit after logging in)
• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: baskerGanesan, prakashkp88 (reports are re-synced hourly, wait to re-check for a bit after logging in)
• ⛔ Required: The 'artifactId' from the pom.xml (testwheel-trigger) is incorrect, it should be my-api ('New Repository Name' field with "-plugin" removed)
• ⛔ Required: Please specify a license in your pom.xml file using the <licenses> tag. See https://maven.apache.org/pom.html#Licenses for more information.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[timja]

Hi please review the title and the description you haven't addressed the first feedback from #4116 (comment)

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: baskerGanesan, prakashkp88 (reports are re-synced hourly, wait to re-check for a bit after logging in)
• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: baskerGanesan, prakashkp88 (reports are re-synced hourly, wait to re-check for a bit after logging in)
• ⛔ Required: The 'artifactId' from the pom.xml (testwheel-api-plugin) is incorrect, it should be my-api ('New Repository Name' field with "-plugin" removed)
• ⛔ Required: Please specify a license in your pom.xml file using the <licenses> tag. See https://maven.apache.org/pom.html#Licenses for more information.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[aprasanth3192]

@jenkinsci/jenkins-maintainers

1. I want to change my repository name to testwheel-api-plugin as mentioned in my POM.
2. We have updated username across jira, github and artifactory as prakashp1987 with all necessary permissions.

[aprasanth3192]

@jenkinsci/jenkins-maintainers
/hosting re-check

Hi. I have made a change as per requirement feedback. could you please review the updates and let me know if any further changes are needed. Thank you

[timja]

/hosting re-check

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: baskerGanesan, prakashkp88 (reports are re-synced hourly, wait to re-check for a bit after logging in)
• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: baskerGanesan, prakashkp88 (reports are re-synced hourly, wait to re-check for a bit after logging in)
• ⛔ Required: The following usernames in 'GitHub Users to Authorize as Committers' are not valid GitHub usernames or are Organizations: prakashkp88
• ⛔ Required: The 'artifactId' from the pom.xml (testwheel-api-plugin) is incorrect, it should be my-api ('New Repository Name' field with "-plugin" removed)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: baskerGanesan, prakashkp88 (reports are re-synced hourly, wait to re-check for a bit after logging in)
• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: baskerGanesan, prakashkp88 (reports are re-synced hourly, wait to re-check for a bit after logging in)
• ⛔ Required: The following usernames in 'GitHub Users to Authorize as Committers' are not valid GitHub usernames or are Organizations: prakashkp88
• ⛔ Required: The 'artifactId' from the pom.xml (testwheel-api-plugin) is incorrect, it should be testwheel-api ('New Repository Name' field with "-plugin" removed)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: baskerGanesan, prakashkp88 (reports are re-synced hourly, wait to re-check for a bit after logging in)
• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: baskerGanesan, prakashkp88 (reports are re-synced hourly, wait to re-check for a bit after logging in)
• ⛔ Required: The following usernames in 'GitHub Users to Authorize as Committers' are not valid GitHub usernames or are Organizations: prakashkp88
• ⛔ Required: The 'artifactId' from the pom.xml (testwheel-api-plugin) is incorrect, it should be testwheel-api ('New Repository Name' field with "-plugin" removed)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: baskerGanesan, prakashkp88 (reports are re-synced hourly, wait to re-check for a bit after logging in)
• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: baskerGanesan, prakashkp88 (reports are re-synced hourly, wait to re-check for a bit after logging in)
• ⛔ Required: The following usernames in 'GitHub Users to Authorize as Committers' are not valid GitHub usernames or are Organizations: prakashkp88
• ⛔ Required: The 'artifactId' from the pom.xml (testwheel-api-plugin) is incorrect, it should be testwheel-api ('New Repository Name' field with "-plugin" removed)
• ⛔ Required: 'New Repository Name' must end with "-plugin" (disregard if you are not requesting hosting of a plugin)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: baskerGanesan (reports are re-synced hourly, wait to re-check for a bit after logging in)
• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: baskerGanesan (reports are re-synced hourly, wait to re-check for a bit after logging in)
• ⛔ Required: The 'artifactId' from the pom.xml (testwheel-api-plugin) is incorrect, it should be testwheel-api ('New Repository Name' field with "-plugin" removed)
• ⛔ Required: 'New Repository Name' must end with "-plugin" (disregard if you are not requesting hosting of a plugin)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: baskerGanesan (reports are re-synced hourly, wait to re-check for a bit after logging in)
• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: baskerGanesan (reports are re-synced hourly, wait to re-check for a bit after logging in)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[baskerganesan]

Logged in using baskerGanesan

[timja]

/hosting re-check

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: baskerGanesan (reports are re-synced hourly, wait to re-check for a bit after logging in)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[baskerganesan]

/hosting re-check

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A member of the Jenkins hosting team will check over things that I am not able to check(code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

[aprasanth3192]

@jenkinsci/jenkins-maintainers
/hosting re-check

Hi. I have made a change as per requirement feedback. could you please review the updates and let me know if any further changes are needed. Thank you

[prakashp1987]

@jenkinsci/jenkins-maintainers
/hosting host

[mawinter69]

• Please don't let the artifact-id end with -api. It is used for plugins that expose an api for other plugins to use which this plugin doesn't do. I think testwheel-trigger fits best for what the plugin does.

• remove all settings from the pom regarding the compiler class version (lines 18, 19, 20, 22). This is already set by the parent pom.

• the dependency to jenkins-core is not needed (https://github.com/Yakshna-Corporation/testwheel-trigger/blob/a07160af536c7b0195b496618b334dcee267f91c/pom.xml#L53)

• you're missing to define the property jenkins.version in the pom (add it after line 17, it should be 2.452.4 probably)

• I would not use 2.479 as baseline for the bom, better would be 2.454 I think (be in sync here with the jenkins.version property)

• you have no tests so no need to include dependencies with scope test so remove lines 57-76

• the build section is not required and can be removed (lines 102-114)

• Do not use any jenkins tag libs in https://github.com/Yakshna-Corporation/testwheel-trigger/blob/a07160af536c7b0195b496618b334dcee267f91c/src/main/resources/index.jelly#L1. This should just be a <div> with plain html. As this is shown in the plugin manager UI, it should be like 1 or 2 lines of text.

• testwheelTriggerBuilder is a bad name for a pipeline step. Remove the Builder from it, Builder is terminology only used in freestyle jobs https://github.com/Yakshna-Corporation/testwheel-trigger/blob/a07160af536c7b0195b496618b334dcee267f91c/src/main/java/org/yakshna/testwheel/apiplugin/TestWheelTriggerBuilder.java#L125

• https://github.com/Yakshna-Corporation/testwheel-trigger/blob/a07160af536c7b0195b496618b334dcee267f91c/src/main/java/org/yakshna/testwheel/apiplugin/TestWheelTriggerBuilder.java#L136 is shown in the drop down of build steps in free style jobs. Do not use camel case here and also don't include the word Builder (everything shown there is a builder), so Testwheel Trigger is sufficient.

A security concern:
You can specify a url and from the readme one needs an account to use it. It would be bad to use a url that contains username and password in the form https://user:pass@host. You should either allow to make use of a credential (with the credentials plugin) or add some other form to give authentication details ( e.g. a bearer token). For the latter make sure that things like passwords or tokens are stored in a secure way and not as plain text.

[mawinter69]

• Please remove the target folder from the plugin. Do this in a way that it is removed completely from the git history
• add a .gitignore file taken from the maven archetype for jenkins
• remove the eclipse specific things like .classpath, .project, .settings and .factorypath

[prakashp1987]

@mawinter69
@jenkinsci/jenkins-maintainers
/hosting host

[mawinter69]

/hosting re-check

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• ⛔ Required: The 'artifactId' from the pom.xml (testwheel-trigger) is incorrect, it should be testwheel-api ('New Repository Name' field with "-plugin" removed)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[mawinter69]

/hosting re-check

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A member of the Jenkins hosting team will check over things that I am not able to check(code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A member of the Jenkins hosting team will check over things that I am not able to check(code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

[mawinter69]

Please address my security concern. I can't imagine that the url you enter here doesn't require any kind of authentication.

[prakashp1987]

@mawinter69

Thank you for bringing up your concern regarding URL authentication in the Jenkins plugin we have developed.

I would like to assure you that the plugin we have created has a dependency on our web application, which is a test automation platform. The primary usage of this plugin is for post-deployment test automation of any application via Jenkins pipeline deployment.

To address your security concerns:

1. User Registration Requirement: Any user who wishes to use the plugin is required to register with our application.
2. Test URL Generation: Once registered, users can obtain the test URL from our application. This URL needs to be input into the Jenkins plugin.
3. Security Measures: Our application incorporates robust security measures to ensure that the URL provided is valid and secure.
4. Encrypted Key Validation: The URL generated by our application includes an encrypted key. This key is validated at our application end to confirm its authenticity and integrity.

These measures are in place to guarantee that the Jenkins plugin is used securely and only by authorized users who are registered with our platform.

Please feel free to reach out if you have further concerns or need additional details.

Best regards,
Prakash KP

[prakashp1987]

/hosting host

[mawinter69]

At https://github.com/Yakshna-Corporation/testwheel-trigger/blob/6e173ed3a59ee2ce008a303574da2b588d44c1e9/src/main/java/org/yakshna/testwheel/apiplugin/TestWheelTrigger.java#L51 and https://github.com/Yakshna-Corporation/testwheel-trigger/blob/6e173ed3a59ee2ce008a303574da2b588d44c1e9/src/main/java/org/yakshna/testwheel/apiplugin/TestWheelTrigger.java#L61 you're logging the url that contains your encrypted key to the build log. So anyone that has read permission on the job is able to see the url. It also means that the url is stored unencrypted on the controller file system.
Typically authentication things are sent as part of the header, e.g. with a bearer token, or you explicitly define user and password for the request. I've never seen that someone sends authentication relevant information as part of the url.

[mawinter69]

@Wadeck @Kevin-CB requesting your input on this topic