Host HiddenLayer Model Scanner Plugin

[ben-m-lucas]

Repository URL

https://github.com/hiddenlayerai/hiddenlayer-jenkins-plugin

New Repository Name

hiddenlayer-model-scanner-plugin

Description

This Plugin can be used to run the HiddenLayer model scanner to ensure your models are secure.

GitHub users to have commit permission

@ben-m-lucas
@aloha

Jenkins project users to have release permission

blucas_hl
travis_hiddenlayer

Issue tracker

GitHub issues

[jenkins-cert-app]

Security audit, information and commands

The security team is auditing all the hosting requests, to ensure a better security by default.

This message informs you that a Jenkins Security Scan was triggered on your repository.
It takes ~10 minutes to complete.

Commands

The bot will parse all comments, and it will check if any line start with a command.

Security team only:

• /audit-ok => the audit is complete, the hosting can continue 🎉.
• /audit-skip => the audit is not necessary, the hosting can continue 🎉.
• /audit-findings => the audit reveals some issues that require corrections ✏️.

Anyone:

• /request-security-scan => the findings from the Jenkins Security Scan were corrected, this command will re-scan your repository 🔍.
• /audit-review => the findings from the audit were corrected, this command will ping the security team to review the findings 👀. It's only applicable when the previous audit required changes.

Only one command can be requested per comment.

(automatically generated message, version: 1.32.7)

[jenkins-cert-app]

The Jenkins Security Scan discovered 10 finding(s) 🔍.

For every identified issue, please do one of the following:

• Implement the recommended fix to address the issue.
• If you think it's a false positive, suppress the warning directly within the code.
• Alternative, you write an explanation here about why you think it's irrelevant. That will require a manual review, leading to a slower process.

After addressing the findings through one of the above methods:

• If all modifications have been made to the code, please initiate a new security scan by triggering the /request-security-scan command.
• If there are any unresolved findings (those not corrected or suppressed), request a review from the Jenkins security team by using the /audit-review command.

---

Stapler: Missing POST/RequirePOST annotation

You can find detailed information about this finding here.

HLScanModelBuilder.java#274

Potential CSRF vulnerability: If DescriptorImpl#doCheckFailOnSeverity connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST

HLScanModelBuilder.java#263

Potential CSRF vulnerability: If DescriptorImpl#doCheckFolderToScan connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST

HLScanModelBuilder.java#256

Potential CSRF vulnerability: If DescriptorImpl#doCheckHlClientSecret connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST

HLScanModelBuilder.java#249

Potential CSRF vulnerability: If DescriptorImpl#doCheckHlClientId connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST

HLScanModelBuilder.java#242

Potential CSRF vulnerability: If DescriptorImpl#doCheckModelName connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST

Stapler: Missing permission check

You can find detailed information about this finding here.

HLScanModelBuilder.java#274

Potential missing permission check in DescriptorImpl#doCheckFailOnSeverity

HLScanModelBuilder.java#263

Potential missing permission check in DescriptorImpl#doCheckFolderToScan

HLScanModelBuilder.java#256

Potential missing permission check in DescriptorImpl#doCheckHlClientSecret

HLScanModelBuilder.java#249

Potential missing permission check in DescriptorImpl#doCheckHlClientId

HLScanModelBuilder.java#242

Potential missing permission check in DescriptorImpl#doCheckModelName

[ben-m-lucas]

/request-security-scan

[jenkins-cert-app]

The Jenkins Security Scan did not find anything dangerous with your plugin, congratulations! 🎉

---

💡 The Security team recommends that you are setting up the scan in your repository by following our guide.

[mawinter69]

Could you please move the plugin code to the project root. In the current setup, it will not be possible to build your plugin on https://ci.jenkins.io or to use the automated plugin release process.
It also prevents that some checks for the hosting are executed.

[mawinter69]

/hosting re-check

[ben-m-lucas]

Could you please move the plugin code to the project root. In the current setup, it will not be possible to build your plugin on https://ci.jenkins.io or to use the automated plugin release process. It also prevents that some checks for the hosting are executed.

Thank you for the feedback. We've gone ahead and moved the plugin code to the project root.

[mawinter69]

• Could you move your code to package io.jenkins.plugins.hiddenlayer please
• https://github.com/hiddenlayerai/hiddenlayer-jenkins-plugin/blob/784ed83be277202c89f8bf2c8742a4d9e1db5984/pom.xml#L38 Is there a reason that you already require 2.479.2? Does your sdk require Java 17? New plugins should not target the latest LTS but usually 2 major LTS versions before, so 2.452.4.
• The dependencies to annotation-indexer, symbol-annotations and structs are not needed. You can remove them
• The test dependency to junit is not needed, you get it from the parent pom
• The version for mockito-core can be removed you get it via the parent pom
• https://github.com/hiddenlayerai/hiddenlayer-jenkins-plugin/blob/784ed83be277202c89f8bf2c8742a4d9e1db5984/src/main/java/io/jenkins/hiddenlayer/ModelScanServiceFactory.java#L8 this is not an Extension so remove the annotation
• https://github.com/hiddenlayerai/hiddenlayer-jenkins-plugin/blob/784ed83be277202c89f8bf2c8742a4d9e1db5984/src/main/java/io/jenkins/hiddenlayer/HLScanModelBuilder.java#L154 This will not work when you run on agents. Consider that the perform method runs on the controller and not the agent. Use FilePath#act to execute code on the agent (your test that works with an agent succeeds because the agent there is running on the same machine as the same user). This probably requires that you make the ScanReportV3 serializable (if it is not yet already).
• https://github.com/hiddenlayerai/hiddenlayer-jenkins-plugin/blob/784ed83be277202c89f8bf2c8742a4d9e1db5984/src/main/java/io/jenkins/hiddenlayer/HLScanModelBuilder.java#L51 I think that should be modeled as an Enum (see also https://reports.jenkins.io/core-taglib/jelly-taglib-ref.html#form:enum how to use it in the config.jelly)
• I don't think you should check for Jenkins.ADMINISTER permissions here but I think the complete checkmethod is not needed as the field is based on a select so you're not able to enter invalid values anyway.
• https://github.com/hiddenlayerai/hiddenlayer-jenkins-plugin/blob/784ed83be277202c89f8bf2c8742a4d9e1db5984/src/main/java/io/jenkins/hiddenlayer/HLScanModelBuilder.java#L283 this method is not needed as it doesn't really do anything (check methods are optional)
• CODING_GUIDELINES.md doesn't really fit. It talks about python which is not used here, also it seems that is a template where `Project Ma,e] wasn't replaced
• same for CONTRIBUTING.md
• SECURITY.md should probably also mention https://www.jenkins.io/security/reporting/
• I assume you plugin is doing http calls in the sdk. Have you considered that might need to go through a proxy? from ProxyConfiguration you can read the global proxy settings of Jenkins.

Your sdk already packs all the jackson libraries, additionally you declare dependencies to those libraries. The result is that everything is then packed twice in the plugins hpi file.
The best solution would be to provide your sdk as a plain jar that doesn't contain any third party things and then add a dependency to the jackson plugin https://plugins.jenkins.io/jackson2-api/. This packs all the jackson dependencies except for the jackson-databind-nullable, so keep that dependency.
Not sure if you need a dep to the javax.annotations that you have in the sdk, those might be compile time only, btw the javax.annotations are from JSR-305 which is deprecated)

[mawinter69]

/hosting re-check

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: travis_hiddenlayer (reports are re-synced hourly, wait to re-check for a bit after logging in)
• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: blucas_hl, travis_hiddenlayer (reports are re-synced hourly, wait to re-check for a bit after logging in)
• ⛔ Required: The dependency com.fasterxml.jackson.core:jackson-databind should be replaced with a dependency to the api plugin org.jenkins-ci.plugins:jackson2-api
• ⛔ Required: The dependency com.fasterxml.jackson.core:jackson-core should be replaced with a dependency to the api plugin org.jenkins-ci.plugins:jackson2-api

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check