I’m currently reviewing our integration pipeline with an emphasis on controls against supply chain attacks. Looking at Jenkins plugins, I’m wondering how we can make sure a plugin version has been built from the tagged source code in git hub.
On one hand, the contributor commits the code and tag it in Jenkins · GitHub.
On the other hand, unless I missed something, the contributor builds and pushes the hpi in Index of /download/plugins.
How are we sure that the hpi pushed is indeed built from the tagged source code and it has not been modified?
Thank you in advance for your thoughts on this topic.
You can build the plugins from source code at the tagged location and compare the resulting build with the delivered plugin binary.
I did something like that for 100+ plugins and found that so long as I used the same major version of Java as the original maintainer used to build the release, I could confirm that the plugin I built matched the plugin as delivered by the maintainer.
JEP-229: Continuous Delivery of Jenkins Components and Plugins is being used in more and more Jenkins plugins to deliver plugin releases automatically on each merge of a relevant commit to the primary branch of the plugin repository. Progress will continue in that area as more and more plugins adopt the technique.
Thank you very much for your thorough and helpful answer!
JEP-229 is indeed a very good initiative that in most part answers my concern, looking forward it to be the unique way to publish plugins.
As per your suggestion to rebuild the plugin, in fact, I thought about that possible workaround: prevent any automated plugin installation (with a firewall rule), review the source code of the desired plugins, build them and install them manually. I wondered if it was a bit too much, but it is not far from what you suggest.