Hosting request for testwheel-api #4116

Open
aprasanth3192 opened this issue Oct 4, 2024 · 43 comments
Labels
bot-check-complete Automated hosting checks passed hosting-request Request to host a component in jenkinsci security-audit-todo The security team needs to audit the hosting request code

Comments

@aprasanth3192

aprasanth3192 commented Oct 4, 2024

Repository URL

https://github.com/Yakshna-Corporation/testwheel-trigger

New Repository Name

testwheel-trigger-plugin

Description

TestWheel- Jenkins Plugin. You use this plugin to trigger test automation through Jenkins CI.

GitHub users to have commit permission

@baskerganesan
@prakashp1987
@aprasanth3192

Jenkins project users to have release permission

baskerGanesan
prakashp1987
prasantha

Issue tracker

GitHub issues

@aprasanth3192 aprasanth3192 added the hosting-request Request to host a component in jenkinsci label Oct 4, 2024
@jenkins-cert-app
Collaborator

Security audit, information and commands

The security team is auditing all the hosting requests, to ensure better security by default.

This message informs you that a Jenkins Security Scan was triggered on your repository.
It takes ~10 minutes to complete.

Commands

The bot will parse all comments, and it will check if any line starts with a command.

Security team only:

  • /audit-ok => the audit is complete, the hosting can continue 🎉.
  • /audit-skip => the audit is not necessary, the hosting can continue 🎉.
  • /audit-findings => the audit reveals some issues that require corrections ✏️.

Anyone:

  • /request-security-scan => the findings from the Jenkins Security Scan were corrected, this command will re-scan your repository 🔍.
  • /audit-review => the findings from the audit were corrected, this command will ping the security team to review the findings 👀. It's only applicable when the previous audit required changes.

Only one command can be requested per comment.

(automatically generated message, version: 1.29.18)

@jenkins-cert-app jenkins-cert-app added the security-audit-todo The security team needs to audit the hosting request code label Oct 4, 2024

github-actions bot commented Oct 4, 2024

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

  • ⛔ Required: You must specify an <scm> block in your pom.xml. See https://maven.apache.org/pom.html#SCM for more information.
  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: baskerGanesan, prakashkp88 (reports are re-synced hourly, wait to re-check for a bit after logging in)
  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: baskerGanesan, prakashkp88, prasantha (reports are re-synced hourly, wait to re-check for a bit after logging in)
  • ⛔ Required: The dependency org.json:json should be replaced with a dependency to the api plugin io.jenkins.plugins:json-api
  • ⛔ Required: The dependency org.apache.httpcomponents.client5:httpclient5 should be replaced with a dependency to the api plugin io.jenkins.plugins:apache-httpcomponents-client-5-api
  • ⛔ Required: The 'artifactId' from the pom.xml (api-plugin) is incorrect, it should be my-api ('New Repository Name' field with "-plugin" removed)
  • ⛔ Required: Please specify a license in your pom.xml file using the <licenses> tag. See https://maven.apache.org/pom.html#Licenses for more information.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

@jenkins-cert-app
Collaborator

The Jenkins Security Scan did not find anything dangerous with your plugin, congratulations! 🎉


💡 The Security team recommends that you set up the scan in your repository by following our guide.

@jenkins-cert-app jenkins-cert-app added security-audit-done The hosting request code passed the security audit with success and removed security-audit-todo The security team needs to audit the hosting request code labels Oct 4, 2024
@mawinter69
Contributor

@aprasanth3192
Author

/hosting re-check

@aprasanth3192
Author

@jenkinsci/jenkins-maintainers

Hello, I've made the required changes as per the feedback. Could you please review the updates and let me know if any further changes are needed? Thank you!

@timja
Member

timja commented Nov 5, 2024

/hosting re-check


github-actions bot commented Nov 5, 2024

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: baskerGanesan, prakashkp88 (reports are re-synced hourly, wait to re-check for a bit after logging in)
  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: baskerGanesan, prakashkp88 (reports are re-synced hourly, wait to re-check for a bit after logging in)
  • ⛔ Required: The 'artifactId' from the pom.xml (testwheel-trigger) is incorrect, it should be my-api ('New Repository Name' field with "-plugin" removed)
  • ⛔ Required: Please specify a license in your pom.xml file using the <licenses> tag. See https://maven.apache.org/pom.html#Licenses for more information.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

@timja
Member

timja commented Nov 5, 2024

Hi, please review the title and the description; you haven't addressed the first feedback from #4116 (comment).

@aprasanth3192 aprasanth3192 changed the title Hosting request for My-API-Plugin Hosting request for testwheel-api-plugin. Nov 5, 2024

github-actions bot commented Nov 5, 2024

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: baskerGanesan, prakashkp88 (reports are re-synced hourly, wait to re-check for a bit after logging in)
  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: baskerGanesan, prakashkp88 (reports are re-synced hourly, wait to re-check for a bit after logging in)
  • ⛔ Required: The 'artifactId' from the pom.xml (testwheel-api-plugin) is incorrect, it should be my-api ('New Repository Name' field with "-plugin" removed)
  • ⛔ Required: Please specify a license in your pom.xml file using the <licenses> tag. See https://maven.apache.org/pom.html#Licenses for more information.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

@aprasanth3192
Author

@jenkinsci/jenkins-maintainers

  1. I want to change my repository name to testwheel-api-plugin, as mentioned in my POM.
  2. We have updated the username across Jira, GitHub and Artifactory to prakashp1987, with all necessary permissions.

@aprasanth3192
Author

@jenkinsci/jenkins-maintainers
/hosting re-check

Hi. I have made a change as per the requirement feedback. Could you please review the updates and let me know if any further changes are needed? Thank you.

@timja
Member

timja commented Nov 5, 2024

/hosting re-check


github-actions bot commented Nov 5, 2024

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: baskerGanesan, prakashkp88 (reports are re-synced hourly, wait to re-check for a bit after logging in)
  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: baskerGanesan, prakashkp88 (reports are re-synced hourly, wait to re-check for a bit after logging in)
  • ⛔ Required: The following usernames in 'GitHub Users to Authorize as Committers' are not valid GitHub usernames or are Organizations: prakashkp88
  • ⛔ Required: The 'artifactId' from the pom.xml (testwheel-api-plugin) is incorrect, it should be my-api ('New Repository Name' field with "-plugin" removed)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check


github-actions bot commented Nov 6, 2024

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: baskerGanesan, prakashkp88 (reports are re-synced hourly, wait to re-check for a bit after logging in)
  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: baskerGanesan, prakashkp88 (reports are re-synced hourly, wait to re-check for a bit after logging in)
  • ⛔ Required: The following usernames in 'GitHub Users to Authorize as Committers' are not valid GitHub usernames or are Organizations: prakashkp88
  • ⛔ Required: The 'artifactId' from the pom.xml (testwheel-api-plugin) is incorrect, it should be testwheel-api ('New Repository Name' field with "-plugin" removed)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

@aprasanth3192 aprasanth3192 changed the title Hosting request for testwheel-api-plugin. Hosting request for testwheel-api Nov 6, 2024

github-actions bot commented Nov 6, 2024

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: baskerGanesan, prakashkp88 (reports are re-synced hourly, wait to re-check for a bit after logging in)
  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: baskerGanesan, prakashkp88 (reports are re-synced hourly, wait to re-check for a bit after logging in)
  • ⛔ Required: The following usernames in 'GitHub Users to Authorize as Committers' are not valid GitHub usernames or are Organizations: prakashkp88
  • ⛔ Required: The 'artifactId' from the pom.xml (testwheel-api-plugin) is incorrect, it should be testwheel-api ('New Repository Name' field with "-plugin" removed)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check


github-actions bot commented Nov 6, 2024

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: baskerGanesan, prakashkp88 (reports are re-synced hourly, wait to re-check for a bit after logging in)
  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: baskerGanesan, prakashkp88 (reports are re-synced hourly, wait to re-check for a bit after logging in)
  • ⛔ Required: The following usernames in 'GitHub Users to Authorize as Committers' are not valid GitHub usernames or are Organizations: prakashkp88
  • ⛔ Required: The 'artifactId' from the pom.xml (testwheel-api-plugin) is incorrect, it should be testwheel-api ('New Repository Name' field with "-plugin" removed)
  • ⛔ Required: 'New Repository Name' must end with "-plugin" (disregard if you are not requesting hosting of a plugin)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check


github-actions bot commented Nov 6, 2024

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: baskerGanesan (reports are re-synced hourly, wait to re-check for a bit after logging in)
  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: baskerGanesan (reports are re-synced hourly, wait to re-check for a bit after logging in)
  • ⛔ Required: The 'artifactId' from the pom.xml (testwheel-api-plugin) is incorrect, it should be testwheel-api ('New Repository Name' field with "-plugin" removed)
  • ⛔ Required: 'New Repository Name' must end with "-plugin" (disregard if you are not requesting hosting of a plugin)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check


github-actions bot commented Nov 6, 2024

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: baskerGanesan (reports are re-synced hourly, wait to re-check for a bit after logging in)
  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: baskerGanesan (reports are re-synced hourly, wait to re-check for a bit after logging in)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

@baskerganesan

Logged in using baskerGanesan

@timja
Member

timja commented Nov 8, 2024

/hosting re-check


github-actions bot commented Nov 8, 2024

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

  • ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: baskerGanesan (reports are re-synced hourly, wait to re-check for a bit after logging in)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

@baskerganesan

/hosting re-check


Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A member of the Jenkins hosting team will check over things that I am not able to check (code review, README content, etc.) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

@github-actions github-actions bot added bot-check-complete Automated hosting checks passed and removed needs-fix labels Nov 13, 2024
@aprasanth3192
Author

@jenkinsci/jenkins-maintainers
/hosting re-check

Hi. I have made a change as per the requirement feedback. Could you please review the updates and let me know if any further changes are needed? Thank you.

@prakashp1987

@jenkinsci/jenkins-maintainers
/hosting host

@mawinter69
Contributor

mawinter69 commented Dec 15, 2024

A security concern:
You can specify a URL, and from the readme one needs an account to use it. It would be bad to use a URL that contains username and password in the form https://user:pass@host. You should either allow the use of a credential (with the credentials plugin) or add some other way to give authentication details (e.g. a bearer token). For the latter, make sure that things like passwords or tokens are stored in a secure way and not as plain text.

@mawinter69
Contributor

  • Please remove the target folder from the plugin. Do this in a way that it is removed completely from the git history.
  • Add a .gitignore file taken from the Maven archetype for Jenkins.
  • Remove the Eclipse-specific files like .classpath, .project, .settings and .factorypath.

@prakashp1987

prakashp1987 commented Dec 26, 2024

@mawinter69
@jenkinsci/jenkins-maintainers
/hosting host

@mawinter69
Contributor

/hosting re-check


Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

  • ⛔ Required: The 'artifactId' from the pom.xml (testwheel-trigger) is incorrect, it should be testwheel-api ('New Repository Name' field with "-plugin" removed)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

@github-actions github-actions bot removed the bot-check-complete Automated hosting checks passed label Dec 26, 2024
@mawinter69
Contributor

/hosting re-check


Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A member of the Jenkins hosting team will check over things that I am not able to check (code review, README content, etc.) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

@github-actions github-actions bot added bot-check-complete Automated hosting checks passed and removed needs-fix labels Dec 26, 2024
@mawinter69
Contributor

Please address my security concern. I can't imagine that the url you enter here doesn't require any kind of authentication.

@prakashp1987

@mawinter69

Thank you for bringing up your concern regarding URL authentication in the Jenkins plugin we have developed.

I would like to assure you that the plugin we have created has a dependency on our web application, which is a test automation platform. The primary usage of this plugin is for post-deployment test automation of any application via Jenkins pipeline deployment.

To address your security concerns:

  1. User Registration Requirement: Any user who wishes to use the plugin is required to register with our application.
  2. Test URL Generation: Once registered, users can obtain the test URL from our application. This URL needs to be input into the Jenkins plugin.
  3. Security Measures: Our application incorporates robust security measures to ensure that the URL provided is valid and secure.
  4. Encrypted Key Validation: The URL generated by our application includes an encrypted key. This key is validated at our application end to confirm its authenticity and integrity.

These measures are in place to guarantee that the Jenkins plugin is used securely and only by authorized users who are registered with our platform.

Please feel free to reach out if you have further concerns or need additional details.

Best regards,
Prakash KP

@prakashp1987

/hosting host

@mawinter69
Contributor

At https://github.com/Yakshna-Corporation/testwheel-trigger/blob/6e173ed3a59ee2ce008a303574da2b588d44c1e9/src/main/java/org/yakshna/testwheel/apiplugin/TestWheelTrigger.java#L51 and https://github.com/Yakshna-Corporation/testwheel-trigger/blob/6e173ed3a59ee2ce008a303574da2b588d44c1e9/src/main/java/org/yakshna/testwheel/apiplugin/TestWheelTrigger.java#L61 you're logging the URL that contains your encrypted key to the build log. So anyone that has read permission on the job is able to see the URL. It also means that the URL is stored unencrypted on the controller file system.
Typically, authentication things are sent as part of the header, e.g. with a bearer token, or you explicitly define user and password for the request. I've never seen anyone send authentication-relevant information as part of the URL.

@mawinter69 mawinter69 added security-audit-todo The security team needs to audit the hosting request code and removed security-audit-done The hosting request code passed the security audit with success labels Dec 30, 2024
@mawinter69
Contributor

@Wadeck @Kevin-CB requesting your input on this topic

@prakashp1987

At https://github.com/Yakshna-Corporation/testwheel-trigger/blob/6e173ed3a59ee2ce008a303574da2b588d44c1e9/src/main/java/org/yakshna/testwheel/apiplugin/TestWheelTrigger.java#L51 and https://github.com/Yakshna-Corporation/testwheel-trigger/blob/6e173ed3a59ee2ce008a303574da2b588d44c1e9/src/main/java/org/yakshna/testwheel/apiplugin/TestWheelTrigger.java#L61 you're logging the url that contains your encrypted key to the build log. So anyone that has read permission on the job is able to see the url. It also means that the url is stored unencrypted on the controller file system. Typically authentication things are sent as part of the header, e.g. with a bearer token, or you explicitly define user and password for the request. I've never seen that someone sends authentication relevant information as part of the url.

@mawinter69. I will remove the logger part (#L51 & #L61) from my code, and to address your issue I will change the input parameter from a full URL to entering only the encrypted keys the user obtained from our web application; from within my plugin code I will bind those keys to the API URL and validate them against my web application backend to ensure the keys are authentic. Will that address your concern?

@prakashp1987

/hosting re-check

@mawinter69

@Kevin-CB

Kevin-CB commented Jan 6, 2025

Thanks for the ping @mawinter69, I'll take a look at this soonish

@Kevin-CB

Kevin-CB commented Jan 6, 2025

I will remove the logger part (#L51 & #L61) from my code, and to address your issue I will change the input parameter from a full URL to entering only the encrypted keys the user obtained from our web application; from within my plugin code I will bind those keys to the API URL and validate them against my web application backend to ensure the keys are authentic. Will that address your concern?

Thank you @prakashp1987, for addressing the logging issue by removing the logger statements.

However, while changing the input to only accept encrypted keys is a step forward, appending the key to the URL still poses a security risk. To fully address the concern, the encrypted key should be sent in the Authorization header or in the body of the request, as this prevents it from being logged, cached, or exposed.
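The three security comments in this thread (the URL with embedded credentials on Dec 15, the key-bearing URL printed to the build log on Dec 30, and the recommendation above to send the key in the Authorization header) describe one design. The following is an added example of that design, written for this page; it is not code from the testwheel-trigger plugin or from any of the commenters. It assumes a hypothetical build step that stores a Jenkins credentials ID (field `credentialsId`) in place of the URL, a hypothetical endpoint `https://testwheel.example/api/v1/trigger`, and the real Jenkins core, credentials-plugin and plain-credentials-plugin APIs (`CredentialsProvider.findCredentialById`, `CredentialsProvider.track`, `StringCredentials.getSecret`, `hudson.util.Secret`). The `redact` helper goes slightly beyond the thread in that it strips both leak shapes mentioned, `user:pass@` userinfo and a `?key=` query string, before anything is logged.

```java
// Added example for this thread, not code from the testwheel-trigger plugin.
// Assumes a build step holding a Jenkins credentials ID ("credentialsId",
// hypothetical) instead of a URL that carries the key, and a hypothetical
// TestWheel endpoint. The Jenkins and credentials-plugin APIs used are real.
package org.example.testwheel; // hypothetical package

import com.cloudbees.plugins.credentials.CredentialsProvider;
import hudson.model.Run;
import hudson.model.TaskListener;
import hudson.util.Secret;
import org.jenkinsci.plugins.plaincredentials.StringCredentials;

import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;

public final class TestWheelClient {

    /** Hypothetical API endpoint. It is a constant: the key is never appended to it. */
    static final URI API_ENDPOINT = URI.create("https://testwheel.example/api/v1/trigger");

    private TestWheelClient() {}

    /**
     * BEFORE (the pattern criticised in the thread): the key travels in the URL, and
     * printing that URL to the build log shows it to anyone with Job/Read and leaves
     * it unencrypted in the build's log file on the controller.
     */
    static String insecureUrl(String baseUrl, String key) {
        return baseUrl + "?key=" + key; // do not do this
    }

    /**
     * AFTER, step 1: resolve the key from a "Secret text" credential by ID.
     * Jenkins persists Secret values encrypted on the controller, and track()
     * records which build used the credential.
     */
    static Secret resolveKey(Run<?, ?> run, String credentialsId) {
        StringCredentials creds = CredentialsProvider.findCredentialById(
                credentialsId, StringCredentials.class, run);
        if (creds == null) {
            throw new IllegalStateException(
                    "No secret-text credential with ID '" + credentialsId + "' is visible to this build");
        }
        CredentialsProvider.track(run, creds);
        return creds.getSecret();
    }

    /**
     * AFTER, step 2: send the key in the Authorization header, never in the URL,
     * and log only a redacted endpoint. Returns the HTTP status code.
     */
    static int trigger(Secret key, TaskListener listener) throws IOException, InterruptedException {
        HttpRequest request = HttpRequest.newBuilder(API_ENDPOINT)
                .header("Authorization", "Bearer " + key.getPlainText())
                .POST(HttpRequest.BodyPublishers.noBody())
                .build();
        // The log line carries no userinfo and no query string.
        listener.getLogger().println("Triggering TestWheel run at " + redact(API_ENDPOINT));
        HttpResponse<Void> response = HttpClient.newHttpClient()
                .send(request, HttpResponse.BodyHandlers.discarding());
        return response.statusCode();
    }

    /**
     * Keeps scheme, host, port and path only. Both leak shapes from the thread,
     * https://user:pass@host/... and https://host/...?key=..., reduce to the bare endpoint.
     */
    static String redact(URI uri) {
        StringBuilder sb = new StringBuilder()
                .append(uri.getScheme()).append("://").append(uri.getHost());
        if (uri.getPort() != -1) {
            sb.append(':').append(uri.getPort());
        }
        if (uri.getRawPath() != null) {
            sb.append(uri.getRawPath());
        }
        return sb.toString();
    }
}
```

The reason the header is the right place is operational, not cryptographic: URLs end up in build logs, proxy and web-server access logs, browser history and Referer headers, whereas an Authorization header is not written anywhere by default. Encrypting the key before putting it in the URL does not change that; whoever reads the log can replay the URL as-is. In a real step, the `credentialsId` dropdown is normally populated by a `doFillCredentialsIdItems` method on the step's descriptor, and the only place the plain text should ever appear is the header value itself.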
