2022-06-22T17:00:00Z
June 22, 2022 - 2.346.1, Code coverage, stalled PRs, security reviews
- Attending
- Mark Waite
- Wadeck Follonier
- Kevin Martens
- Ullrich Hafner
- Daniel Beck
- Recording:
- June LTS - Mark
- 2.346.1 released with security fixes, UI improvements, and other core improvements
- 2.332.4 released with security fixes
- When choosing a minimum Jenkins version, use the final release of that LTS line
- Mark to check that the version page recommendation has been updated
- 2.356 weekly release with security fixes
- Code coverage improvements - Ullrich
- How to prevent stalled PR situations like in [JENKINS-65790]: Remove injected styles and scripts in form validation by sabberworm · Pull Request #5601 · jenkinsci/jenkins · GitHub - Wadeck Follonier
- Should we systematically review pending UX pull requests in this meeting?
- Security review on UI-related PRs due to recently introduced vulnerabilities - Wadeck Follonier
- Security advisory released today with 5 vulnerabilities introduced in Jenkins core
- Most of them related to the UI
- Uncommon that we have so many new vulnerabilities introduced
- Required fast work from the security team to correct them after the pull requests had been merged
- Wadeck asks for security team review of UX pull requests before merge, to reduce the risk
- Will assign people to do the reviews
- If the security team cannot provide the resources, the requirement for security review of UX improvements can be dropped again
- Much better to detect and correct before release in Jenkins core
- Wadeck will notify Jenkins developer mailing list
- Basil created a label for security review, can use that as well
- Are there ways to detect those issues with static analysis?
- No static analysis technique available today can detect these Jelly issues
- Detection requires following the data flow through Java and Jelly, including where HTML is escaped and unescaped
- Some could be resolved by content security policy, but that’s a large project
- Is there a good description of the issue and of how to prevent future occurrences of the same vulnerability?
- Could that be described as a "danger sign"?
- Test cases that describe the specific vulnerability are included in the source code
- Some of the test cases are somewhat artificial (as most test cases are)
- Don't build HTML strings from user input unless the input has been sanitized (escaped) first
- Accessibility assessment - Mark
- Store the report in a Jira epic so that it is available publicly
- Mark to create the Jira epic containing the source document
- See previous from Deutsche Telekom
- Review, prioritize, summarize impacted areas, discuss alternatives in UX SIG
- Further discussion with Cristina Pizzagalli (has attended these sessions previously)
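The "danger sign" from the security review discussion above, shown as an added example (not code from Jenkins core or from this meeting): a method that concatenates caller-controlled text into an HTML fragment, beside the same method with the untrusted part escaped first. The class name, method names and the hand-written `escapeHtml` helper are this example's own; Jenkins core has its own escaping utilities, but none are used here so the snippet compiles stand-alone.

```java
// Added example, not Jenkins core code. Shows why "don't build HTML strings from
// user input unless the input has been sanitized" matters for a Java-side helper
// whose result is later emitted raw in a view, e.g. via <j:out value="${...}"/>
// in Jelly, which outputs its value without escaping.
public class HtmlBuilding {

    // Danger sign: caller-controlled text is concatenated straight into markup.
    // If the returned string is rendered raw, the input is interpreted as HTML.
    static String unsafeStatus(String userText) {
        return "<span class=\"status\">" + userText + "</span>";
    }

    // Minimal HTML escaping for text content and double-quoted attribute values
    // (hand-written for this example; any standard HTML escaper does the same job).
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hardened form: identical fragment, but the untrusted part is escaped before
    // it is joined to the markup, so it can only ever render as text.
    static String safeStatus(String userText) {
        return "<span class=\"status\">" + escapeHtml(userText) + "</span>";
    }

    public static void main(String[] args) {
        // Constructed sample input: a user-supplied display name containing markup.
        String payload = "<img src=x onerror=alert(1)>";

        String unsafe = unsafeStatus(payload);
        String safe = safeStatus(payload);
        System.out.println("unsafe: " + unsafe);
        System.out.println("safe:   " + safe);

        // The unsafe output still contains a live tag; the safe one does not.
        if (!unsafe.contains("<img")) throw new AssertionError("expected raw tag in unsafe output");
        if (safe.contains("<img")) throw new AssertionError("escaped output must not contain a live tag");
        if (!safe.contains("&lt;img src=x onerror=alert(1)&gt;")) throw new AssertionError("unexpected escaping");
    }
}
```

The same pattern applies to any Java method that returns markup for a view: the review question is not whether the string looks like HTML, but whether every piece of it that originates from a user (job names, parameter values, form-validation messages) was escaped before concatenation, or whether the view escapes it on output. Escaping at both places is harmless; escaping at neither is the class of bug the advisory describes.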