Comments (4)
daniel-beck
commented on August 20, 2024
9
Alvaro Muรฑoz @pwntester
The Jenkins project currently uses custom code scanning rules defined using GitHub's CodeQL for the Jenkins Security Scan functionality, due to a lack of support for the Stapler web framework used in Jenkins when it was introduced.
In 2023, in an effort to improve the security of the OSS ecosystem, Alvaro and his colleague Tony Torralba added support for Stapler to the default rules of CodeQL. Demonstrating the success of their effort, they reported more than 30 vulnerabilities in various Jenkins plugins to us, including the popular Blue Ocean plugins. These vulnerabilities got addressed and published over the next few months (1, 2, 3, 4, 5, 6).
While the Jenkins Security Scan currently still uses the initial custom rules, their work demonstrates the power of CodeQL and shows us an interesting path forward for our own scan.
(Alvaro was credited for most of the vulnerabilities reported, so I'm nominating him. Sorry Tony!)
from jenkins.io.
Wadeck
commented on August 20, 2024
3
Full name: Yaniv Nizry (@Yaniv-git)
Contribution: Main vulnerability of the January 24 security release. As the vulnerability was reported to Jenkins Security in November and the collaboration continues even after the release, I think it could count for 2023 or 2024 ;-)
Links:
- https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314
- https://www.jenkins.io/blog/2024/01/25/sonar-vulnerability-report/
- https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/
Additional (and more detailed) information from Daniel (thanks!):
In January 2024, for the first time in several years, we published fixes for a critical vulnerability in Jenkins, and it's thanks to Yaniv's report that we went through the effort of identifying it as such.
Yaniv's November 2023 report of two vulnerabilities in Jenkins was remarkable because it completely changed our understanding of the impact of merely being able to read file contents. When previously we announced those as leading to compromised confidentiality of data on disk, by creating an administrator's "remember me" cookie using information from the Jenkins file system it demonstrated much more severe impact. We were able to build on this new perspective, and it ultimately enabled us to provide administrators with detailed information about the potential risk to their environment, as well as workarounds for those unable to immediately update.
Throughout the entire process, Yaniv was great to work with and set an example in terms of responsiveness, collaboration, and willingness to share information.
from jenkins.io.
alyssat
commented on August 20, 2024
Voting is open on February 22, closes on March 22.
The Jenkins Award voting is done by the community. Cast your vote HERE
from jenkins.io.
MarkEWaite
commented on August 20, 2024
Voting has concluded. Award winners will be announced at cdCon in Seattle, April 16-18 2024
from jenkins.io.
Related Issues (20)
- Jenkins folder creation issue HOT 2
- Use `main` as primary branch
- Update `/projects/gsoc/students/` to `/projects/gsoc/contributors/` HOT 3
- Download page paragrapgs are misaligned HOT 2
- issue with mac installation HOT 1
- Clicks are ignored on ratings images of the changelog page HOT 1
- link is not working HOT 1
- Wrong link in release notes HOT 1
- Debian installer no longer supports Ubuntu 18.04 or Debian 9 HOT 2
- job configuration UI is broken after Upgrade (ver 2.235.3 -> 2.450) HOT 1
- Advisories RSS feed is invalid HOT 1
- Typo on webpage
- Unable to checkout on Windows node agent HOT 1
- Pipeline steps doc generator is missing the `build` step HOT 2
- Remove references to โinstanceโ HOT 4
- Wrong "Pipeline Syntax" link in the docs the "Pipeline, Using a Jenkinsfile, Handling failure" section HOT 4
- Inside Search field text overlap with search icon HOT 1
- Commenting Test Files HOT 1
- Issue reporting instructions for plugins are unclear HOT 3
- helm search repo jenkinsci
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from jenkins.io.