Re: Jenkins Security Scan now generally available

2023-04-17 Thread 'Daniel Beck' via Jenkins Developers
On Mon, Mar 20, 2023 at 3:13 AM Basil Crow wrote: > Does the Jenkins Security Scan need to be adapted to use the artifact > caching proxy? > The workflow would need to be adapted to use the caching proxy, but given uncertainty around unauthenticated future use of Artifactory I am hesitant to

Re: Jenkins Security Scan now generally available

2023-04-17 Thread Basil Crow
On Sun, Mar 19, 2023 at 7:13 PM Basil Crow wrote: > Does the Jenkins Security Scan need to be adapted to use the artifact > caching proxy? Any answer to this question? -- You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from

Re: Jenkins Security Scan now generally available

2023-03-19 Thread Basil Crow
Does the Jenkins Security Scan need to be adapted to use the artifact caching proxy?

Re: Jenkins Security Scan now generally available

2023-02-02 Thread 'Daniel Beck' via Jenkins Developers
Hi everyone, Some feedback the Jenkins security team received for code scanning was that it is inconvenient to mark findings as false positives through the GitHub UI. Thanks to work by https://github.com/yaroslavafenkin the Jenkins Security Scan now supports two different ways to suppress

Re: Jenkins Security Scan now generally available

2022-02-28 Thread 'Daniel Beck' via Jenkins Developers
On Mon, Feb 28, 2022 at 8:00 PM Basil Crow wrote: > After upgrading a dozen or so plugins to Security Scan v2, the Jenkins > Security Scan workflow on the main branch failed with: > > Called workflows cannot be queued onto self-hosted runners across > organisations/enterprises. Failed to queue

Re: Jenkins Security Scan now generally available

2022-02-28 Thread Basil Crow
After upgrading a dozen or so plugins to Security Scan v2, the Jenkins Security Scan workflow on the main branch failed with: Called workflows cannot be queued onto self-hosted runners across organisations/enterprises. Failed to queue this job. Labels: 'ubuntu-latest'. List of example plugins

Re: Jenkins Security Scan now generally available

2022-02-28 Thread 'Daniel Beck' via Jenkins Developers
On Fri, Feb 25, 2022 at 11:49 AM Daniel Beck wrote: > > It looks like GitHub's action can do what I cannot because it uses an > undocumented API. > > > I'll update this thread once it works, meanwhile you can watch > https://github.com/jenkins-infra/jenkins-security-scan/issues/3 > I've updated

Re: Jenkins Security Scan now generally available

2022-02-25 Thread 'Daniel Beck' via Jenkins Developers
On Fri, Feb 25, 2022 at 2:43 PM Jean-Marc Meessen wrote: > > In the meantime, I will (try) to turn code scanning off so that I can get > the PRs through CI. > Removing

Re: Jenkins Security Scan now generally available

2022-02-25 Thread Jean-Marc Meessen
Thanks for looking into this, Daniel, and let us know about the status. Looks trickier than expected. In the meantime, I will (try) to turn code scanning off so that I can get the PRs through CI. /- Jmm On Fri, 25 Feb 2022 at 11:50, 'Daniel Beck' via Jenkins Developers <

Re: Jenkins Security Scan now generally available

2022-02-25 Thread 'Daniel Beck' via Jenkins Developers
On Wed, Feb 23, 2022 at 10:03 PM Daniel Beck wrote: > > Interesting. It probably happens because it's a PR from a fork and the > GITHUB_TOKEN used only has read permission for SecurityEvents. I'll look > into solutions tomorrow. > It looks like GitHub's action can do what I cannot because it

Re: Jenkins Security Scan now generally available

2022-02-23 Thread Olivier Lamy
Thanks a lot Herve! It would be awesome to build/improve Jenkins (and all the family) with Jenkins tools provided by the Jenkins community running on platforms provided and maintained by the Jenkins community. On Wed, 23 Feb 2022 at 06:10, 'Herve Le Meur' via Jenkins Developers <

Re: Jenkins Security Scan now generally available

2022-02-23 Thread 'Daniel Beck' via Jenkins Developers
On Wed, Feb 23, 2022 at 9:29 PM Basil Crow wrote: > > curl: (22) The requested URL returned error: 403 > Failed to upload results > Error: Process completed with exit code 1. > Interesting. It probably happens because it's a PR from a fork and the GITHUB_TOKEN used only has read permission for

Re: Jenkins Security Scan now generally available

2022-02-23 Thread 'Jesse Glick' via Jenkins Developers
On Wed, Feb 23, 2022 at 3:29 PM Basil Crow wrote: > curl: (22) The requested URL returned error: 403 > Failed to upload results > I get the same on a trunk commit.

Re: Jenkins Security Scan now generally available

2022-02-23 Thread Basil Crow
I added this to all the plugins I maintain. Very nice! After adding this, new unrelated pull requests (see, for example, jenkinsci/email-ext-plugin#346, which just adds a line to the readme) all seem to fail in the "Run Scan" step with: Interpreting results. […] curl: (22) The requested URL

Re: Jenkins Security Scan now generally available

2022-02-23 Thread 'Jesse Glick' via Jenkins Developers
On Tue, Feb 22, 2022 at 4:41 PM 'Daniel Beck' via Jenkins Developers < jenkinsci-dev@googlegroups.com> wrote: > PR-specific results are shown directly and publicly in the PR. GitHub > compares results from the PR to results from the target branch to only show > differences. > Oh nice. > And if

Re: Jenkins Security Scan now generally available

2022-02-22 Thread 'Daniel Beck' via Jenkins Developers
On Tue, Feb 22, 2022 at 10:17 PM 'Jesse Glick' via Jenkins Developers < jenkinsci-dev@googlegroups.com> wrote: > I suppose any results would appear in `/security/code-scanning` to repo > admins only? > PR-specific results are shown directly and publicly in the PR. GitHub compares results from

Re: Jenkins Security Scan now generally available

2022-02-22 Thread 'Jesse Glick' via Jenkins Developers
Tried it out on a plugin I maintain. Seems to work. I suppose any results would appear in `/security/code-scanning` to repo admins only? Will the *Checks* tab of a PR or trunk commit always be green so long as scanning completed, even if there are violations? The scan should pass `-ntp` to Maven

Re: Jenkins Security Scan now generally available

2022-02-22 Thread 'Gavin Mogan' via Jenkins Developers
> I'm not sure how feasible that is without defeating the purpose of the GitHub > action, though I'm dropping his feedback here nevertheless :P I know one of my goals when I get a minute is to try to update analytics/warnings-ng to support the github log format -

Re: Jenkins Security Scan now generally available

2022-02-22 Thread 'Herve Le Meur' via Jenkins Developers
I thought about integrating it in ci.jenkins.io shared pipelines, but didn't take the time to discuss it with Daniel yet. This first GHA step will be nice to round the corners before eventually planning a larger integration I think. Hervé On Tue, Feb 22, 2022 at 8:41 PM Alex wrote: > Huge +1

Re: Jenkins Security Scan now generally available

2022-02-22 Thread Alex
Huge +1 from me. It's nice to have the rules publicly available and it overall integrates seamlessly with GitHub's code scan alerts. Hopefully we can get some more feedback on it, due to it now being available to everyone and super simple to enable for plugin devs. olamy commented on my security

Re: Jenkins Security Scan now generally available

2022-02-22 Thread 'Daniel Beck' via Jenkins Developers
On Tue, Feb 22, 2022 at 6:59 PM 'Jesse Glick' via Jenkins Developers < jenkinsci-dev@googlegroups.com> wrote: > Do we generally recommend this for any plugin? If so, it would be great to > add this to `archetypes`. > > That's where I think we should end up, but I'd like to get some more scan

Re: Jenkins Security Scan now generally available

2022-02-22 Thread 'Jesse Glick' via Jenkins Developers
Do we generally recommend this for any plugin? If so, it would be great to add this to `archetypes`.

Jenkins Security Scan now generally available

2022-02-22 Thread 'Daniel Beck' via Jenkins Developers
Hi everyone, I've published the previously private[1] Jenkins code scanning rules for CodeQL. These are static analysis rules covering mostly Jenkins-specific issues, like unprotected Stapler web methods and use of APIs that are generally not a good idea in the context of Jenkins plugins. While