ZohoQEngine Jenkins Plugin

[balasankarJ]

Repository URL

https://github.com/zohoqengine/jenkins-plugin

New Repository Name

zohoqengine-plugin

Description

The Jenkins integration with Zoho QEngine automates testing within a CI/CD pipeline. By leveraging Jenkins' orchestration capabilities alongside Zoho QEngine's testing expertise, users can seamlessly integrate automated test plans into their continuous integration process. This ensures that every test case change is validated through rigorous testing, enabling early detection of defects and accelerating the delivery of efficient applications or services. Zoho QEngine offers a plugin to automate test execution within the Jenkins Pipeline.

GitHub users to have commit permission

zohoqengine

Jenkins project users to have release permission

zohoqengine

Issue tracker

Jira

[jenkins-cert-app]

Security audit, information and commands

The security team is auditing all the hosting requests, to ensure a better security by default.

This message informs you that a Jenkins Security Scan was triggered on your repository.
It takes ~10 minutes to complete.

Commands

The bot will parse all comments, and it will check if any line start with a command.

Security team only:

• /audit-ok => the audit is complete, the hosting can continue 🎉.
• /audit-skip => the audit is not necessary, the hosting can continue 🎉.
• /audit-findings => the audit reveals some issues that require corrections ✏️.

Anyone:

• /request-security-scan => the findings from the Jenkins Security Scan were corrected, this command will re-scan your repository 🔍.
• /audit-review => the findings from the audit were corrected, this command will ping the security team to review the findings 👀. It's only applicable when the previous audit required changes.

Only one command can be requested per comment.

(automatically generated message, version: 1.32.7)

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• ⛔ Required: Your baseline specified does not meet the minimum Jenkins version required, please update <jenkins.version>2.414.3</jenkins.version> to at least 2.440.3 in your pom.xml. Take a look at the baseline recommendations.
• ⛔ Required: The parent pom version '4.80' should be at least '4.85' or higher.
• ⛔ Required: The dependency org.json:json should be replaced with a dependency to the api plugin io.jenkins.plugins:json-api
• ⛔ Required: The dependency org.apache.httpcomponents:httpclient should be replaced with a dependency to the api plugin org.jenkins-ci.plugins:apache-httpcomponents-client-4-api

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[jenkins-cert-app]

The Jenkins Security Scan discovered 3 finding(s) 🔍.

For every identified issue, please do one of the following:

• Implement the recommended fix to address the issue.
• If you think it's a false positive, suppress the warning directly within the code.
• Alternative, you write an explanation here about why you think it's irrelevant. That will require a manual review, leading to a slower process.

After addressing the findings through one of the above methods:

• If all modifications have been made to the code, please initiate a new security scan by triggering the /request-security-scan command.
• If there are any unresolved findings (those not corrected or suppressed), request a review from the Jenkins security team by using the /audit-review command.

---

Stapler: Missing permission check

You can find detailed information about this finding here.

QEnginePluginBuilder.java#66

Potential missing permission check in Descriptor#doCheckApiKey

QEnginePluginBuilder.java#51

Potential missing permission check in Descriptor#doCheckTestPlanUrl

Jenkins: Plaintext password storage

You can find detailed information about this finding here.

QEnginePluginBuilder.java#20

Field should be reviewed whether it stores a password and is serialized to disk: apiKey

[mawinter69]

• please move your classes to a dedicated package io.jenkins.plugins.zohoqengine and not directly under io.jenkins.plugins
• your builder should implement SimpleBuildStep so it is usable in pipeline jobs, currently it is limited to freestyle jobs. When you do this replace the perform(AbstractBuild...) with perform(Run ...) defined in SimpleBuildStep
• add an annotation @Symbol("zohoQEngineTestPlanExecution") (or choose a shorter name) to your Descriptor, this will be the step name you can use in pipeline jobs
• https://github.com/zohoqengine/jenkins-plugin/blob/0a7796fac188a76444407a984197b75d53078f56/src/main/java/io/jenkins/plugins/QEnginePluginBuilder.java#L26 Do not store the PrintStream in the class. You must only use it locally. Pass it as parameter to the CommonUtils class. Otherwise you will get wrong output in the logs of the same freestyle job when it runs in parallel
• You should not store the values that you extract from the testPlanUrl into class fields. Better use a temporary class that takes the values and pass it around

[mawinter69]

You're doing http requests, you should add support for proxies, you can use ProxyConfiguration to get ready to use httpclient (without the apache classes)

[mawinter69]

The way you check the url here is a bit strange. I assume that only http urls will works. but something like foo//bar/baz/.../ would be valid as well. Maybe using URIis more reliable to check for valid urls As you extract certain things from the url likeportalName, projectIdandtestPlanID` I wonder if it's not better to make those things configurable and construct the testPlanURL on the fly from those values if possible.

[balasankarJ]

The way you check the url here is a bit strange. I assume that only http urls will works. but something like foo//bar/baz/.../ would be valid as well. Maybe using URIis more reliable to check for valid urls As you extract certain things from the url likeportalName, projectIdandtestPlanID` I wonder if it's not better to make those things configurable and construct the testPlanURL on the fly from those values if possible.

Yes, you are correct. We can make this configurable; however, we believe that providing the test plan URL from the product side will make it easier for the end user to configure. Additionally, we have multiple data centers (DC) across the globe, which means the domain name will vary for each DC.

[balasankarJ]

• please move your classes in a dedicated package io.jenkins.plugins.zohoqengine and not directly under io.jenkins.plugins
• your builder should implement SimpleBuildStep so it is usable in pipeline jobs, currently it is limited to freestyle jobs. When you do this replace the perform(AbstractBuild...) with perform(Run ...) defined in SimpleBuildStep
• add an annotation @Symbol("zohoQEngineTestPlanExecution") (or choose a shorter name) to your Descriptor, this will be the step name you can use in pipeline jobs
• https://github.com/zohoqengine/jenkins-plugin/blob/0a7796fac188a76444407a984197b75d53078f56/src/main/java/io/jenkins/plugins/QEnginePluginBuilder.java#L26 Do not store the PrintStream in the class. You must only use it locally. Pass it as parameter to the CommonUtils class. Otherwise you will get wrong output in the logs of the same freestyle job when it runs in parallel
• You should not store the values that you extract from the testPlanUrl into class fields. Better use a temporary class that takes the values and pass it around

Thank you for pointing out the problem. I will change it as you suggested and will let you know.

[balasankarJ]

You're doing http requests, you should add support for proxies, you can use ProxyConfiguration to get ready to use httpclient (without the apache classes)

Certainly, @mawinter69, I will make this change as well.

[balasankarJ]

@mawinter69 I have made all the changes you suggested earlier. Please review and let me know.

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A member of the Jenkins hosting team will check over things that I am not able to check(code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

[mawinter69]

• The bom is not in sync with the jenkins version. You need to use bom-2.452.x https://github.com/zohoqengine/jenkins-plugin/blob/5852e60a5f37f364f8fef735fbe468e938c523f2/pom.xml#L45
• Once the bom is aligned you can remove the version for the dependency to json https://github.com/zohoqengine/jenkins-plugin/blob/5852e60a5f37f364f8fef735fbe468e938c523f2/pom.xml#L56 as you get it from the bom
• your builder should implement SimpleBuildStep so it is usable in pipeline jobs, currently it is limited to freestyle jobs. When you do this replace the perform(AbstractBuild...) with perform(Run ...) defined in SimpleBuildStep
• add an annotation @symbol("zohoQEngineTestPlanExecution") (or choose a shorter name) to your Descriptor, this will be the step name you can use in pipeline jobs
• the method parseAndVerifyParams can be removed https://github.com/zohoqengine/jenkins-plugin/blob/5852e60a5f37f364f8fef735fbe468e938c523f2/src/main/java/io/jenkins/plugins/zohoqengine/QEnginePluginBuilder.java#L141C18-L141C38

[balasankarJ]

• your builder should implement SimpleBuildStep so it is usable in pipeline jobs, currently it is limited to freestyle jobs. When you do this replace the perform(AbstractBuild...) with perform(Run ...) defined in SimpleBuildStep
• add an annotation @symbol("zohoQEngineTestPlanExecution") (or choose a shorter name) to your Descriptor, this will be the step name you can use in pipeline jobs

Regarding Freestyle jobs: We developed this plugin for freestyle jobs and configured the build steps itself. Is it necessary to implement SimpleBuildStep? Please excuse me if I am wrong.

Regarding Annotation: We have already implemented the "getDisplayName" method in the Builder class. Can you please explain why we need to add an annotation? If it is necessary, can I use "Zoho QEngine Test Plan Execution"?

@mawinter69 I will make the other changes and inform you once they are done.

Once again thank you so much for your quick reply.

[balasankarJ]

@mawinter69 I have made the other two changes. I updated the BOM version and removed the method "parseAndVerifyParams." Please verify it.

[balasankarJ]

/request-security-scan

[jenkins-cert-app]

The Jenkins Security Scan discovered 1 finding(s) 🔍.

For every identified issue, please do one of the following:

• Implement the recommended fix to address the issue.
• If you think it's a false positive, suppress the warning directly within the code.
• Alternative, you write an explanation here about why you think it's irrelevant. That will require a manual review, leading to a slower process.

After addressing the findings through one of the above methods:

• If all modifications have been made to the code, please initiate a new security scan by triggering the /request-security-scan command.
• If there are any unresolved findings (those not corrected or suppressed), request a review from the Jenkins security team by using the /audit-review command.

---

Stapler: Missing permission check

You can find detailed information about this finding here.

QEnginePluginBuilder.java#47

Potential missing permission check in Descriptor#doCheckTestPlanUrl

[balasankarJ]

/request-security-scan

[jenkins-cert-app]

The Jenkins Security Scan did not find anything dangerous with your plugin, congratulations! 🎉

---

💡 The Security team recommends that you are setting up the scan in your repository by following our guide.

[mawinter69]

• https://github.com/zohoqengine/jenkins-plugin/blob/ae58eea6881f425bf0739209927d44d570ac1b41/src/main/resources/io/jenkins/plugins/zohoqengine/QEnginePluginBuilder/config.jelly#L12 make this <f:number>, that fits better for integers (see here)
• https://github.com/zohoqengine/jenkins-plugin/blob/ae58eea6881f425bf0739209927d44d570ac1b41/src/main/java/io/jenkins/plugins/zohoqengine/QEnginePluginBuilder.java#L52 this will not work. You need to get the job by adding @AncestorInPath job and perform the permission check on the job (if it is not null). But I think at the moment it is safe to remove this and annotate the method to ignore the missing permission check with @SuppressWarnings("lgtm[jenkins/no-permission-check]"). The method has no side effects or returns sensitive data.

Yes please implement SimpleBuildStep as this will enable to use it in pipeline jobs. Freestyle jobs are old fashioned and you should expect that most of your customers will work with pipeline jobs. Afaik the getDisplayName is only used in Freestyle jobs, in pipeline jobs the @Symbol defines the name of the step that you can use in a Jenkinsfile.
The annotation is good (maybe start with lower case) it must not contain blanks.

[balasankarJ]

@mawinter69 Thank you for your explanation. I will make the changes and let you know for the review.

[balasankarJ]

• https://github.com/zohoqengine/jenkins-plugin/blob/ae58eea6881f425bf0739209927d44d570ac1b41/src/main/resources/io/jenkins/plugins/zohoqengine/QEnginePluginBuilder/config.jelly#L12 make this <f:number>, that fits better for integers (see here)
• https://github.com/zohoqengine/jenkins-plugin/blob/ae58eea6881f425bf0739209927d44d570ac1b41/src/main/java/io/jenkins/plugins/zohoqengine/QEnginePluginBuilder.java#L52 this will not work. You need to get the job by adding @AncestorInPath job and perform the permission check on the job (if it is not null). But I think at the moment it is safe to remove this and annotate the method to ignore the missing permission check with @SuppressWarnings("lgtm[jenkins/no-permission-check]"). The method has no side effects or returns sensitive data.

Yes please implement SimpleBuildStep as this will enable to use it in pipeline jobs. Freestyle jobs are old fashioned and you should expect that most of your customers will work with pipeline jobs. Afaik the getDisplayName is only used in Freestyle jobs, in pipeline jobs the @Symbol defines the name of the step that you can use in a Jenkinsfile. The annotation is good (maybe start with lower case) it must not contain blanks.

Hi @mawinter69 I have made all the necessary changes. Please review them and let me know your thoughts.

[mawinter69]

/request-security-scan

[jenkins-cert-app]

The Jenkins Security Scan did not find anything dangerous with your plugin, congratulations! 🎉

---

💡 The Security team recommends that you are setting up the scan in your repository by following our guide.

[mawinter69]

/hosting re-check

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A member of the Jenkins hosting team will check over things that I am not able to check(code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

[mawinter69]

/hosting host

[jenkins-infra-bot]

Hosting request complete, the code has been forked into the jenkinsci project on GitHub as https://github.com/jenkinsci/zohoqengine-plugin

A Jira component named [zohoqengine-plugin](https://issues.jenkins.io/issues/?jql=project+%3D+JENKINS+AND+component+%3D+ zohoqengine-plugin)has also been created with zohoqengine as the default assignee for issues.

A pull request has been created against the repository permissions updater to setup release permissions. Additional users can be added by modifying the created file.

Please delete your original repository (if there are no other forks), under 'Danger Zone', so that the jenkinsci organization repository is the definitive source for the code. If there are other forks, please contact GitHub support to make the jenkinsci repo the root of the fork network (mention that Jenkins approval was given in support request 569994). Also, please make sure you properly follow the documentation on documenting your plugin so that your plugin is correctly documented.

You will also need to do the following in order to push changes and release your plugin:

• Accept the invitation to the Jenkins CI Org on Github
• Add additional users for upload permissions, if needed
• Releasing your plugin

Welcome aboard!

[mawinter69]

@balasankarJ
Please consider setting up security scans according to https://www.jenkins.io/redirect/jenkins-security-scan/

[balasankarJ]

@mawinter69 Of course, I will take care of it. Thank you once again!

[balasankarJ]

@mawinter69 I deleted the old repository, but the Jenkins plugin repository still shows it as forked from another repository. How did this happen? What should I do now?

[mawinter69]

please contact GitHub support to make the jenkinsci repo the root of the fork network (mention that Jenkins approval was given in support request 569994)

[balasankarJ]

ok @mawinter69