Today the Jenkins project released a security version 
<https://www.jenkins.io/security/advisory/2022-06-22/> that contains 
several high-severity vulnerabilities. Five vulnerabilities from Jenkins 
core were introduced very recently during UI improvement work.

Such security issues discovered after a merge imply that we are investing 
a lot of energy/time to correct them and provide all the necessary data in 
terms of vulnerability management. The difference between finding them 
during review and after a release is really huge.

For this reason, as the security officer and effective as of today, I want 
to block the merge of any UI-related PRs until they have received at least 
one approval from someone in CERT.

To set expectations, if a PR is approved but then substantial change is 
committed, the approval must be dismissed and re-requested. The second 
approval is expected to be quicker.

This process is expected to provide better security coverage of the 
upcoming changes and thus reduce the likelihood of introducing 
vulnerabilities.

In order to not be a blocker for the UI improvement project, I will assign 
more people from my team to review the PRs. The job done by the UI team is 
amazing and should continue.

This new policy will be revised over time and ideally removed in the 
mid-term.

Do you have any concerns related to this?

Wadeck Follonier

Security Officer
