Wiz Scanner Plugin

[wiz-jenkins-deploy]

Repository URL

https://github.com/wiz-sec-public/wiz-scanner-plugin

New Repository Name

wiz-scanner-plugin

Description

This Jenkins plugin enables integrate Wiz CLI to detect sensitive data, secrets, misconfigurations, and vulnerabilities in container images, directories and IaC files.

GitHub users to have commit permission

@wiz-jenkins-deploy

Jenkins project users to have release permission

wizdeploy

Issue tracker

GitHub issues

[jenkins-cert-app]

Security audit, information and commands

The security team is auditing all the hosting requests, to ensure a better security by default.

This message informs you that a Jenkins Security Scan was triggered on your repository.
It takes ~10 minutes to complete.

Commands

The bot will parse all comments, and it will check if any line start with a command.

Security team only:

• /audit-ok => the audit is complete, the hosting can continue 🎉.
• /audit-skip => the audit is not necessary, the hosting can continue 🎉.
• /audit-findings => the audit reveals some issues that require corrections ✏️.

Anyone:

• /request-security-scan => the findings from the Jenkins Security Scan were corrected, this command will re-scan your repository 🔍.
• /audit-review => the findings from the audit were corrected, this command will ping the security team to review the findings 👀. It's only applicable when the previous audit required changes.

Only one command can be requested per comment.

(automatically generated message, version: 1.32.13)

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• ⛔ Required: The jelly file https://github.com/wiz-sec-public/wiz-scanner-plugin/blob/c8ff129391d389772f46952f98fab624b6196800/src/main/resources/io/jenkins/plugins/wiz/WizScannerAction/index.jelly contains an inline <style> tag
• ⛔ Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: wizdeploy (reports are re-synced hourly, wait to re-check for a bit after logging in)
• ⛔ Required: The dependency org.bouncycastle:bcprov-jdk18on should be replaced with a dependency to the api plugin org.jenkins-ci.plugins:bouncycastle-api
• ⛔ Required: The dependency org.apache.commons:commons-lang3 should be replaced with a dependency to the api plugin io.jenkins.plugins:commons-lang3-api
• ⛔ Required: The dependency net.bytebuddy:byte-buddy should be replaced with a dependency to the api plugin io.jenkins.plugins:byte-buddy-api
• ℹ️ Info: One or more usages of inline javascript tags, style tags or event handlers have been identified. See https://www.jenkins.io/doc/developer/security/csp/ for more information how to make your jelly files CSP compliant

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[jenkins-cert-app]

The Jenkins Security Scan did not find anything dangerous with your plugin, congratulations! 🎉

---

💡 The Security team recommends that you are setting up the scan in your repository by following our guide.

[mawinter69]

• In WizCliDownloader practically all file handling will not work when the build is running on an agent. Look at FilePath.write() to write the downloaded things directly to the remote location.
• You have several other places where you use workspace.getRemote(). Those places use it in the wrong way. You need to test this with a real agent that runs on a remote machine. What will not work is setting up an agent on the same machine so that the controller process has write access to agents root directory.
• https://github.com/wiz-sec-public/wiz-scanner-plugin/blob/c8ff129391d389772f46952f98fab624b6196800/src/main/java/io/jenkins/plugins/wiz/WizScannerAction.java#L21 You store the run in the action twice once in line 21 and one in line 24. You should only use the one in line 21 as the build object shouldn't be persisted. The run is injected when reloading it from disk.
• As you do calls to external urls you will need to implement proxy handling, ideally via ProxyConfiguration
• With dark-mode plugin in use the action becomes unusable
• Take a look at the design-library this should allow to create a UI that is in sync with other pages in Jenkins, e.g. use jenkins-table , see also the pages for colors, spacing, symbols
• save the svg here to the file resources/images/symbolswiz.svg. Then you can use it with <l:icon src="symbol-wiz plugin-wizscanner" class="icon-md"/>. You can then also remove the png and use the svg for the action here by using symbol-wiz plugin-wizscanner (one thing due to a bug in Jenkins that was only fixed in a newer release than what you define, the color of the svg is broken, can be fixed by putting adding fill="#0254ec" to the svg root element and removing the style definition and the class attribute)
• You could remove the inline svgs by using symbols as explained here . You can use the ionicons symbols.
• The pom is a mess right now will provide more at a later point in time

[mawinter69]

Took your action and tweaked it a bit. How about this:

Probably it is better to remove those colored bubbles with the severity, as it only duplicates the header

[mawinter69]

• https://github.com/wiz-sec-public/wiz-scanner-plugin/blob/c8ff129391d389772f46952f98fab624b6196800/src/main/resources/io/jenkins/plugins/wiz/WizScannerAction/index.jelly#L10 you can't wrap jelly in jelly, so remove the inner <j:jelly and <html>, <head> and <body> , those are all already defined by <l:layout>

[eliorpaz]

/hosting re-check

[github-actions]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• ⛔ Required: The dependency org.bouncycastle:bcutil-jdk18on should be replaced with a dependency to the api plugin org.jenkins-ci.plugins:bouncycastle-api
• ⛔ Required: The dependency org.bouncycastle:bcprov-jdk18on should be replaced with a dependency to the api plugin org.jenkins-ci.plugins:bouncycastle-api
• ⛔ Required: The dependency org.bouncycastle:bcpkix-jdk18on should be replaced with a dependency to the api plugin org.jenkins-ci.plugins:bouncycastle-api

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[eliorpaz]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• ⛔ Required: The dependency org.bouncycastle:bcutil-jdk18on should be replaced with a dependency to the api plugin org.jenkins-ci.plugins:bouncycastle-api
• ⛔ Required: The dependency org.bouncycastle:bcprov-jdk18on should be replaced with a dependency to the api plugin org.jenkins-ci.plugins:bouncycastle-api
• ⛔ Required: The dependency org.bouncycastle:bcpkix-jdk18on should be replaced with a dependency to the api plugin org.jenkins-ci.plugins:bouncycastle-api

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

Thank you for the feedback. I am actively working on replacing the Bouncycastle dependencies with the Jenkins API plugin. However, I'm encountering some implementation challenges with this transition. Could you please provide guidance on the recommended way to replace direct Bouncycastle usage with the bouncycastle-api plugin's functionality? Specifically, what is the proper way to access Bouncycastle features through the Jenkins plugin API?

Looking forward to your suggestions.

@mawinter69

[mawinter69]

• Unfortunately bcpg-jdk18on is not includede in the bouncycastly api plugin of Jenkins. So you need to keep this dependency. But all others I think can be replaced. Eventually you will need to define some exclusions to avoid other deps provided by the api plugin are still included. Once the plugin is included you can just use the bouncycastle classes. Jenkins uses api plugins to avoid that every plugin brings it's own copy of certain commonly used dependencies. So it there is an update of the plugin the admin just updates the api plugin and all consumers automatically also use the new version.
• You have a dependency to commons-lang3, but are only using commons-lang2 things. I suggest to adapt the code to commons.lang3
• https://github.com/wiz-sec-public/wiz-scanner-plugin/blob/4577e9a09990cc2b0bb65df27f6b27290485f41d/pom.xml#L83 the dependeny to structs plugin is not needed
• https://github.com/wiz-sec-public/wiz-scanner-plugin/blob/4577e9a09990cc2b0bb65df27f6b27290485f41d/pom.xml#L93 You're not using bytebuddy I think so you can remove the dependency

[mawinter69]

• https://github.com/wiz-sec-public/wiz-scanner-plugin/blob/4577e9a09990cc2b0bb65df27f6b27290485f41d/src/main/java/io/jenkins/plugins/wiz/WizCliDownloader.java#L41-43 this will not work. This code is executed on the controller but I assume you want to have the OS and arch of the agent

[mawinter69]

• https://github.com/wiz-sec-public/wiz-scanner-plugin/blob/4577e9a09990cc2b0bb65df27f6b27290485f41d/src/main/java/io/jenkins/plugins/wiz/PGPVerifier.java#L176 Do not log with level info. The admins will thank you when they don't get flooded with unimportant logs
• https://github.com/wiz-sec-public/wiz-scanner-plugin/blob/4577e9a09990cc2b0bb65df27f6b27290485f41d/src/main/java/io/jenkins/plugins/wiz/WizCliDownloader.java#L177 again code that is working with getRemote() that is executed on the controller
• https://github.com/wiz-sec-public/wiz-scanner-plugin/blob/4577e9a09990cc2b0bb65df27f6b27290485f41d/src/main/java/io/jenkins/plugins/wiz/WizCliSetup.java#L25 except for isWindows, none of the parameters are used

[mawinter69]

• https://github.com/wiz-sec-public/wiz-scanner-plugin/blob/4577e9a09990cc2b0bb65df27f6b27290485f41d/pom.xml#L48 The version of the bom is out of sync with the jenkins.version. Ideally you define a property jenkins.baseline that point to 2.462 and use it in here and in line 48

[mawinter69]

• https://github.com/wiz-sec-public/wiz-scanner-plugin/blob/4577e9a09990cc2b0bb65df27f6b27290485f41d/src/main/java/io/jenkins/plugins/wiz/WizScannerBuilder.java#L186 This permission check is wrong. As all you do is to check if the given value is not empty it is safe to remove the check and annotate to method to ignore the missing permission check.
• Add a help file https://github.com/wiz-sec-public/wiz-scanner-plugin/blob/4577e9a09990cc2b0bb65df27f6b27290485f41d/src/main/resources/io/jenkins/plugins/wiz/WizScannerBuilder/config.jelly#L3. It is totally unclear what one should enter here.