Hosting request for Zimperium zScan plugin #4102
Comments
Security audit, information and commands

The security team is auditing all the hosting requests, to ensure a better security by default. This message informs you that a Jenkins Security Scan was triggered on your repository.

Commands

The bot will parse all comments, and it will check if any line starts with a command.

Security team only:

Anyone:

Only one command can be requested per comment. (automatically generated message, version: 1.29.12)
Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

You can re-trigger a check by editing your hosting request or by commenting
The Jenkins Security Scan discovered 4 finding(s) 🔍. Please follow the instructions below for every identified issue:

After addressing the findings through one of the above methods:

Stapler: Missing permission check. You can find detailed information about this finding here.
- ZDevUploadPlugin.java#548

Jenkins: Plaintext password storage. You can find detailed information about this finding here.
- LoginResponse.java#14
- LoginResponse.java#10
- RefreshCredentials.java#5
/request-security-scan
The Jenkins Security Scan did not find anything dangerous with your plugin, congratulations! 🎉

💡 The Security team recommends that you are setting up the scan in your repository by following our guide.
/hosting re-check
Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A member of the Jenkins hosting team will check over things that I am not able to check (code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with
Hello Jenkins Hosting Team,

How can we move this request forward? Thanks!
https://github.com/Zimperium/zscan-plugin-jenkins/blob/472b13cff152e2d5a54f30325e807f5bdd00050d/src/main/java/com/zimperium/plugins/zDevJenkinsUploadPlugin/ZDevUploadPlugin.java#L589 is never correct. This permission may be granted, but it's too unspecific to check. Instances using plugins like https://plugins.jenkins.io/matrix-auth/ will only allow admins to take this action (which might be intentional, but it's not clear from the code). You probably want one of the two approaches from https://www.jenkins.io/doc/developer/security/form-validation/#checking-permissions, depending on whether this appears in a job configuration, or the global configuration.

Also https://github.com/Zimperium/zscan-plugin-jenkins/blob/472b13cff152e2d5a54f30325e807f5bdd00050d/src/main/java/com/zimperium/plugins/zDevJenkinsUploadPlugin/ZDevUploadPlugin.java#L579 is now obsolete. The comment misses that Server-Side Request Forgery is a potential problem.
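The two permission-check patterns the comment above points to, written out as an added example. This is not code from the zscan-plugin-jenkins repository or from Zimperium; the class name `ZScanDescriptorExample`, the method names `doTestConnection`, `doTestGlobalConnection` and `probeServer`, and the `serverUrl`/`apiToken` parameters are hypothetical. What it shows is why the check matters for a "test connection" style form-validation method: without it, any user who can reach the endpoint can make the Jenkins controller open a connection to a host of their choosing and send the configured token to it (the SSRF concern raised above). The job-level variant checks `Item.CONFIGURE` on the job found via `@AncestorInPath`; the global-configuration variant checks `Jenkins.ADMINISTER`. The https-only check in `probeServer` is an assumption of this example and is only a partial SSRF mitigation (an attacker-chosen internal https host is still reachable); the permission check is the control that actually limits who can trigger the request.

```java
// Added example, not the plugin's own code. Names marked hypothetical in
// the lead-in are placeholders; the Jenkins/Stapler APIs used are real.
package example;

import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

@Extension
public class ZScanDescriptorExample extends BuildStepDescriptor<Builder> {

    /**
     * Job-level form validation ("Test connection" in a build step's config).
     * Only users who may configure the enclosing job are allowed to make the
     * controller connect to serverUrl. @POST prevents the check from being
     * triggered by a GET link (CSRF).
     */
    @POST
    public FormValidation doTestConnection(@QueryParameter String serverUrl,
                                           @QueryParameter String apiToken,
                                           @AncestorInPath Item item) {
        if (item == null) {
            // No job in the request path, so nothing to authorize against:
            // answer neutrally and make no outbound request.
            return FormValidation.ok();
        }
        // Throws AccessDeniedException for callers without Job/Configure.
        item.checkPermission(Item.CONFIGURE);
        return probeServer(serverUrl, apiToken);
    }

    /**
     * Global-configuration variant (Manage Jenkins > System): only
     * administrators may trigger a request to an arbitrary URL.
     */
    @POST
    public FormValidation doTestGlobalConnection(@QueryParameter String serverUrl,
                                                 @QueryParameter String apiToken) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return probeServer(serverUrl, apiToken);
    }

    /**
     * The outbound request itself. Reachable only after one of the checks
     * above has passed; otherwise any Overall/Read user could use it to
     * probe internal hosts and leak the token to them.
     */
    private static FormValidation probeServer(String serverUrl, String apiToken) {
        try {
            URL url = new URL(serverUrl);
            if (!"https".equals(url.getProtocol())) {
                // Assumption of this example: the scan service is https-only.
                return FormValidation.error("Server URL must use https");
            }
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setRequestMethod("GET");
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            conn.setRequestProperty("Authorization", "Bearer " + apiToken);
            int code = conn.getResponseCode();
            return code == 200
                    ? FormValidation.ok("Connection successful")
                    : FormValidation.error("Server returned HTTP " + code);
        } catch (IOException e) {
            return FormValidation.error(e, "Could not connect");
        }
    }

    @Override
    public boolean isApplicable(Class<? extends AbstractProject> jobType) {
        return true;
    }

    @Override
    public String getDisplayName() {
        return "zScan upload (example)";
    }
}
```

Which of the two methods applies depends on where the form field lives: a field in a job's build-step configuration has a job ancestor in the request path and gets the `Item.CONFIGURE` check; a field on the global configuration page has no job ancestor, so the only sensible gate is `Jenkins.ADMINISTER`. Checking a broad, instance-wide permission in the job-level case has the effect described in the comment above: on matrix-auth installations it silently turns a job-configuration action into an admin-only one.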
Repository URL
https://github.com/Zimperium/zscan-plugin-jenkins
New Repository Name
zscan-upload-plugin
Description
The plugin uploads mobile builds to zScan for analysis and (optionally) downloads security and privacy assessment reports. While there are other mobile security scanning plugins in the marketplace, the upload process is specific to Zimperium and it is beneficial to have an official plugin for our customers to use. More information: Zimperium zScan.
GitHub users to have commit permission
@Oliver-Zimperium
@exlegalalien
Jenkins project users to have release permission
legalalien
oliver_williams
Issue tracker
Jira