Jenkins-specific warnings for GitHub code scanning

Jenkins-specific warnings for GitHub code scanning

Daniel Beck
Hi everyone,

GitHub announced last week that their code scanning functionality is now generally available[1].

The Jenkins security team has worked on queries specifically for Jenkins and Jenkins plugins.

I'd now like to share them with a limited audience to get some initial feedback before we start rolling them out more widely.

If you're interested in getting your plugin code scanned and the results to appear on the GitHub UI, please file an issue in the Jenkins Jira INFRA project for the 'github' component with a list of plugins/repos you're maintaining and would like code scanning results to be reported to. I encourage all maintainers to sign up for this. I think the findings are generally reasonably high quality, and even if not, the GitHub UI makes it really easy to hide irrelevant warnings.

Please note we're only scanning the default branch (typically 'master'), and only in irregular intervals. Future enhancements could integrate this with pull requests, and to happen on every commit on certain branches, but this is all still very new.

For now our queries aren't accessible publicly. If you're a regular contributor to Jenkins and interested in contributing to these Jenkins-specific code scanning queries, please reach out to me directly.


1: https://github.blog/2020-09-30-code-scanning-is-now-available/

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/63EFC305-9466-4DBF-B38E-9B9730705732%40beckweb.net.
Re: Jenkins-specific warnings for GitHub code scanning

tzach solomon
Hi Daniel,

Thank you for this one.
How can I register the plugin https://plugins.jenkins.io/bitbucket/ for the security scans?

Thanks,
Tzach

On Fri, Oct 9, 2020 at 9:00 PM Daniel Beck <[hidden email]> wrote:

Re: Jenkins-specific warnings for GitHub code scanning

Ulli Hafner
As Daniel wrote, please create a Jira task. Example: https://issues.jenkins-ci.org/browse/INFRA-2768
On 12.10.2020 at 10:59, tzach solomon <[hidden email]> wrote:
Re: Jenkins-specific warnings for GitHub code scanning

tzach solomon
Ullrich thanks for the example :)

Tzach

On Mon, Oct 12, 2020 at 1:26 PM Ullrich Hafner <[hidden email]> wrote:
Re: Jenkins-specific warnings for GitHub code scanning

Ulli Hafner
Where should we report issues for false positives? I assume that those rules are written by a Jenkins community member, or are these general rules from Semmle?

> On 09.10.2020 at 20:00, Daniel Beck <[hidden email]> wrote:
Re: Jenkins-specific warnings for GitHub code scanning

Daniel Beck

On Sun, Oct 18, 2020 at 3:05 PM Ullrich Hafner <[hidden email]> wrote:
Where should we report issues for false positives? I assume that those rules are written by a Jenkins community member, or are these general rules from Semmle?

These are Jenkins project specific rules only, we use CodeQL as the tool/language but not the default rules (which is also why we use a custom tool name; no conflict with the normal Semmle stuff if you choose to use that as well). Please reach out to me directly with feedback. There's currently no better (public) feedback channel for this yet.
