Host Perforce Static Analysis Plugin

[michael-baron]

Repository URL

https://github.com/michael-baron/P4SA-Jenkins-Plugin

New Repository Name

P4SA-plugin

Description

This is a joint plugin for Perforce Static Analysis tools (Klocwork and Helix QAC). Helps automate the scans and retrieval of issue metrics for quality gating.

GitHub users to have commit permission

@michael-baron

Jenkins project users to have release permission

michael_baron

Issue tracker

GitHub issues

[jenkins-cert-app]

Security audit, information and commands

The security team is auditing all the hosting requests, to ensure a better security by default.

This message informs you that a Jenkins Security Scan was triggered on your repository.
It takes ~10 minutes to complete.

Commands

The bot will parse all comments, and it will check if any line start with a command.

Security team only:

• /audit-ok => the audit is complete, the hosting can continue 🎉.
• /audit-skip => the audit is not necessary, the hosting can continue 🎉.
• /audit-findings => the audit reveals some issues that require corrections ✏️.

Anyone:

• /request-security-scan => the findings from the Jenkins Security Scan were corrected, this command will re-scan your repository 🔍.
• /audit-review => the findings from the audit were corrected, this command will ping the security team to review the findings 👀. It's only applicable when the previous audit required changes.

Only one command can be requested per comment.

(automatically generated message, version: 1.32.7)

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: michael_baron (reports are re-synced hourly, wait to re-check for a bit after logging in)
• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: michael_baron (reports are re-synced hourly, wait to re-check for a bit after logging in)
• ⛔ Required: The 'artifactId' from the pom.xml (p4sa-plugin) is incorrect, it should be p4sa ('New Repository Name' field with "-plugin" removed)
• ⛔ Required: The <groupId> from the pom.xml should be io.jenkins.plugins instead of com.perforce

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[jenkins-cert-app]

The Jenkins Security Scan discovered 3 finding(s) 🔍.

For every identified issue, please do one of the following:

• Implement the recommended fix to address the issue.
• If you think it's a false positive, suppress the warning directly within the code.
• Alternative, you write an explanation here about why you think it's irrelevant. That will require a manual review, leading to a slower process.

After addressing the findings through one of the above methods:

• If all modifications have been made to the code, please initiate a new security scan by triggering the /request-security-scan command.
• If there are any unresolved findings (those not corrected or suppressed), request a review from the Jenkins security team by using the /audit-review command.

---

Jenkins: Plaintext password storage

You can find detailed information about this finding here.

AnalysisBuilderPipelineConfig.java#13

Field should be reviewed whether it stores a password and is serialized to disk: validateApiToken

ValidateAPIConnector.java#26

Field should be reviewed whether it stores a password and is serialized to disk: ltoken

Jenkins: Generally unsafe method calls

You can find detailed information about this finding here.

ValidateAPIConnector.java#37

Potentially unsafe invocation of SSLContext#init
Potentially unsafe invocation of HttpsURLConnection#setSSLSocketFactory

[mawinter69]

• the class AnalysisPipelineBuilder is unnecessary. All it does is calling the AnalysisBuilder#perform . Just annotate the descriptor at https://github.com/michael-baron/P4SA-Jenkins-Plugin/blob/b979953ddcbdf231ce4058199cb41ec860130e8c/src/main/java/com/perforce/sa/AnalysisBuilder.java#L106 with @Symbol("p4StaticAnalysis"). p4StaticAnalysis is then the step name you can use in a Jenkinsfile (pipeline steps should use camelCase syntax so I changed that a bit).
• As you have no tests, you can remove all test dependencies https://github.com/michael-baron/P4SA-Jenkins-Plugin/blob/b979953ddcbdf231ce4058199cb41ec860130e8c/pom.xml#L72-L91
• The dependency to strcuts is not needed: https://github.com/michael-baron/P4SA-Jenkins-Plugin/blob/b979953ddcbdf231ce4058199cb41ec860130e8c/pom.xml#L69
• The dependencies to commons-lang and commons-text are not used so should be removed https://github.com/michael-baron/P4SA-Jenkins-Plugin/blob/b979953ddcbdf231ce4058199cb41ec860130e8c/pom.xml#L56-L63

[mawinter69]

/hosting re-check

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: michael_baron (reports are re-synced hourly, wait to re-check for a bit after logging in)
• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: michael_baron (reports are re-synced hourly, wait to re-check for a bit after logging in)
• ⛔ Required: The 'artifactId' from the pom.xml (p4sa-plugin) is incorrect, it should be p4sa ('New Repository Name' field with "-plugin" removed)
• ⛔ Required: The <groupId> from the pom.xml should be io.jenkins.plugins instead of com.perforce

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[mawinter69]

• are you really using the echarts-api plugin? You load it here but you also load chart.js here and the usages of echarts are commented out.
• The chart.js seems to be a rather old version with 2.7.2. It is also available as a jenkins plugin https://plugins.jenkins.io/chartjs-api/ in version 4.2.1
• Inline javascript usage https://github.com/michael-baron/P4SA-Jenkins-Plugin/blob/b979953ddcbdf231ce4058199cb41ec860130e8c/src/main/resources/com/perforce/sa/AnalysisProjectDashboard/index.jelly#L30. Please move all javascript to dedicated files to be compliant with CSP.
• I would not store url, text and icon of actions as class members (https://github.com/michael-baron/P4SA-Jenkins-Plugin/blob/b979953ddcbdf231ce4058199cb41ec860130e8c/src/main/java/com/perforce/sa/AnalysisProjectDashboard.java#L19). It is totally fine (and common practice) to return them directly in the getter methods (also here)
• proxy usage not covered. You doing http calls but when a proxy is required this will fail (src/main/java/com/perforce/sa/ValidateAPIConnector.java). https://javadoc.jenkins.io/hudson/ProxyConfiguration.html prvodes methods to get a preconfigured http client
• disabling all certificate checks is a nogo: https://github.com/michael-baron/P4SA-Jenkins-Plugin/blob/b979953ddcbdf231ce4058199cb41ec860130e8c/src/main/java/com/perforce/sa/ValidateAPIConnector.java#L42

Do you have the image https://github.com/michael-baron/P4SA-Jenkins-Plugin/blob/master/src/main/webapp/icon/p4.png as svg? When you use your plugin with dark theme I think it will be hard to see the image

[mawinter69]

Seems your repo in github is not indexed. Not sure what is causing this but it prevents some checks to run properly.

[timja]

Seems your repo in github is not indexed. Not sure what is causing this but it prevents some checks to run properly.

Seems to be a few complaints here:
https://github.com/orgs/community/discussions/45538#discussioncomment-11109104