First results from using GitHub CodeQL to discover security vulnerabilities in Jenkins plugins

amurleopard

A little over a month ago, GitHub announced the general availability of its code scanning solution. It’s based on CodeQL, which makes it pretty easy to write queries for it and run them using the CodeQL GitHub action, CodeQL command line tools, or on lgtm.com.

Many of the security vulnerabilities discovered in Jenkins plugins are fairly similar to each other, and unfortunately they’re usually specific to Jenkins, which means existing generic tools would not be able to discover them. So I decided to write CodeQL queries for Jenkins-specific issues and invited maintainers to sign their plugins up for a "private beta" of code scanning for these issues.

Today’s security advisory is the first one that includes findings discovered through that initiative. All these issues were discovered with assistance by this tooling:

• SECURITY-2101 in AWS Global Configuration Plugin,

• SECURITY-2102 and SECURITY-2103 in Kubernetes Plugin,

• SECURITY-2104 and SECURITY-2115 in Mercurial Plugin,

• SECURITY-2110 in Azure Key Vault Plugin, and

• SECURITY-2126 in Active Directory Plugin

While there were of course also false positives we had to review and mark as ignored, the integration with the GitHub UI made this pretty straightforward. Overall I’m very happy with the results so far, especially considering how new this initiative is.

Interested in making the plugin you are maintaining more secure? Sign up now by filing an INFRA issue in the github component and list the plugin repositories you’d like to have scanned.

http://feedproxy.google.com/~r/ContinuousBlog/~3/oAWCJHIqEVQ/