I'm circling back to this discussion here on the dev list. I've gotten findsecbugs integrated into several Jenkins projects, including Jenkins itself. I pushed draft PRs demonstrating what it will look like in a handful of plugins.

I put together my observations and recommendations for developers when they start working with findsecbugs. My blog post is at https://jenkins.io/blog/2020/03/02/findsecbugs/ and my Jenkins Online Meetup recording is available at https://youtu.be/fotttu20Mf4 .

Now we're ready to start pushing findsecbugs integration more widely, particularly into parent poms. StefanSpieker has had a PR for adding it into the Jenkins parent pom since November: https://github.com/jenkinsci/pom/pull/61 . It's time to get that moving forward.

Jeff

On 12/19/19 9:22 AM, Jeff Thompson wrote:

Yes, my goal is to also enable findsecbugs in the plugin parent pom. I think it's well worth it, just as regular spotbugs provides valuable findings in a number of cases.

I've currently got PRs awaiting review and approval for jenkins and remoting. I've got one approval for remoting so I'll proceed to merge that in before long.

I've also prepared branches for about half a dozen plugins where I've added it into their local configuration. I have planned on pushing those soon.

My idea is to prove it out with a selected set of projects and then work to roll it out more widely. I'm not sure how we want to proceed with adding it into the plugin parent pom. I'd like to just make it a standard part, but I think we might need to make it opt-in, such as with a profile, at least for an introductory period.

Thanks for the response,

Jeff

On 12/19/19 6:41 AM, Ullrich Hafner wrote:
If it helps to prevent some errors I think it would make sense to enable it for plugins as well (in the parent pom). Can the execution of this additional plugin be removed in a specific plugin pom afterwards? I’m not sure how maven handles it.

I enabled the checker in my plugins and needed to disable it for tests, as too many false positives were reported there:

<!-- Exclude every SECURITY-category finding in classes whose name matches the regex (~ prefix). -->
<Match>
  <Bug category="SECURITY"/>
  <Class name="~.*Test.*" />
</Match>

Additionally, I deactivated the following rules that seem to produce too many false positives:

<!-- Exclude these bug patterns everywhere; the pattern attribute takes a comma-separated list. -->
<Match>
  <Bug pattern="DESERIALIZATION_GADGET, FORMAT_STRING_MANIPULATION, PATH_TRAVERSAL_IN, WEAK_FILENAMEUTILS"/>
</Match>

Maybe it makes sense to gather feedback from some other plugins as well before changing the parent pom.

--
You received this message because you are subscribed to the Google Groups "Jenkins 
Developers" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/7e79e121-0962-da3a-8071-c37a0a05080a%40cloudbees.com.
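The thread asks two practical Maven questions: how to make the findsecbugs pass opt-in (Jeff's "profile" idea) and whether a single plugin can switch it off again once it lives in the parent pom (Ullrich's question). The parent pom below is an added example, not the Jenkins parent pom or any PR from the thread. It assumes a property-based on/off switch (`spotbugs.skip`), hypothetical version numbers, and an exclude-filter path of `src/spotbugs/excludesFilter.xml`; the plugin coordinates (`com.github.spotbugs:spotbugs-maven-plugin`, `com.h3xstream.findsecbugs:findsecbugs-plugin`) and the `skip`, `failOnError`, `excludeFilterFile` and nested `<plugins>` parameters are the real ones the spotbugs-maven-plugin accepts.

```xml
<!-- Added example parent pom: spotbugs + findsecbugs managed centrally,
     with the security pass opt-in via the "findsecbugs" profile.
     Versions are assumptions; pin whatever the real parent uses. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>example-parent</artifactId>
  <version>1.0-SNAPSHOT</version>
  <packaging>pom</packaging>

  <properties>
    <spotbugs-maven-plugin.version>4.0.0</spotbugs-maven-plugin.version>
    <findsecbugs.version>1.10.1</findsecbugs.version>
    <!-- A child pom (or -D on the command line) flips these to disable
         or soften the run without touching the parent. -->
    <spotbugs.skip>false</spotbugs.skip>
    <spotbugs.failOnError>true</spotbugs.failOnError>
  </properties>

  <build>
    <pluginManagement>
      <plugins>
        <plugin>
          <groupId>com.github.spotbugs</groupId>
          <artifactId>spotbugs-maven-plugin</artifactId>
          <version>${spotbugs-maven-plugin.version}</version>
          <configuration>
            <effort>Max</effort>
            <threshold>Low</threshold>
            <skip>${spotbugs.skip}</skip>
            <failOnError>${spotbugs.failOnError}</failOnError>
            <!-- Per-plugin suppression file holding <Match> blocks such as
                 the ones quoted in the thread (assumed path). -->
            <excludeFilterFile>${project.basedir}/src/spotbugs/excludesFilter.xml</excludeFilterFile>
            <!-- Load the findsecbugs detectors into the SpotBugs run. -->
            <plugins>
              <plugin>
                <groupId>com.h3xstream.findsecbugs</groupId>
                <artifactId>findsecbugs-plugin</artifactId>
                <version>${findsecbugs.version}</version>
              </plugin>
            </plugins>
          </configuration>
        </plugin>
      </plugins>
    </pluginManagement>
  </build>

  <profiles>
    <!-- Opt-in during the introductory period: mvn -Pfindsecbugs verify -->
    <profile>
      <id>findsecbugs</id>
      <build>
        <plugins>
          <plugin>
            <groupId>com.github.spotbugs</groupId>
            <artifactId>spotbugs-maven-plugin</artifactId>
            <executions>
              <execution>
                <id>findsecbugs-check</id>
                <phase>verify</phase>
                <goals>
                  <goal>check</goal>
                </goals>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
    </profile>
  </profiles>
</project>
```

To answer the "can a specific plugin remove it afterwards" question with plain Maven mechanics: a child pom cannot delete an inherited execution, but it can neutralise it in three ways, listed from least to most invasive: set `<spotbugs.skip>true</spotbugs.skip>` in its `<properties>`, set `<spotbugs.failOnError>false</spotbugs.failOnError>` so findings are reported but do not fail the build, or redeclare the execution with the same `id` (`findsecbugs-check`) and `<phase>none</phase>`, which unbinds it from the lifecycle. Whichever route the parent chooses, each plugin still needs its own `excludesFilter.xml` at the assumed path (or an override of `excludeFilterFile`), since the filter file is where the test-class and rule exclusions from the thread belong.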
