I have created another PR to address the issue with the token in the code and the UI: https://github.com/jenkinsci/sonar-quality-gates-plugin/pull/34

I am just waiting on the maintainer to see if it looks okay; more than happy for anyone on the security team to have a look at it also.

On Fri, Aug 16, 2024 at 9:31 AM 'Kevin Guerroudj' via Jenkins Developers <jenkinsci-dev@googlegroups.com> wrote:

> It indeed looks like this PR fixed the vulnerability for the password.
>
> However, as previously mentioned by Daniel, before removing this warning, we would also like to see the token stored and transmitted as a Secret and masked in the UI.
>
> On Tue, Aug 13, 2024 at 10:56 AM Kirk Fitzsimons <fitzsimonsk...@gmail.com> wrote:
>
>> The following PR https://github.com/jenkinsci/sonar-quality-gates-plugin/pull/30 has been merged; can the security team re-evaluate the security advisory?
>>
>> On Fri 9 Aug 2024, 00:01 Kirk Fitzsimons, <fitzsimonsk...@gmail.com> wrote:
>>
>>> I have created the following PR which I believe addresses the issue: https://github.com/jenkinsci/sonar-quality-gates-plugin/pull/30
>>> If the PR is approved/merged, what is the process for removing the warning? Can this be updated by the security team? Or does the maintainer need to create a PR against https://github.com/jenkins-infra/update-center2/#security-warnings
>>>
>>> Kirk
>>>
>>> On Thursday, August 8, 2024 at 5:34:43 PM UTC+1 db...@cloudbees.com wrote:
>>>
>>>> On Thu, Aug 8, 2024 at 3:15 PM Kirk Fitzsimons <fitzsim...@gmail.com> wrote:
>>>>
>>>>> When I inspect the HTML this is what I see. Maybe I misunderstood, but I thought if the password was transmitted in plain text I would see the actual password, e.g. 'kirkpassword', not an encrypted password.
>>>>> If I have misunderstood and the update to the getters and setters is still needed, what should I expect to see in the HTML?
>>>>
>>>> Testing plugin version 1.3.1, the latest at the time of the advisory, on Jenkins 2.204.3, recent at the time, the password is sent in plain text when loading the global config form. The same should apply to hpi:run at its 2020 state.
>>>>
>>>> Since 2.236, Jenkins always round-trips f:password values in their encrypted form, so the behavior from the 2020 security advisory no longer applies to more recent Jenkins releases. I forgot I added that, sorry for the misleading first response. Switching the types around will still prevent constant re-encryption of a plaintext value, which changes the actual value stored on disk (and probably makes e.g. jobConfigHistory worse).
>>>>
>>>> Looking at the UI, I would like the token to be stored and transmitted as a Secret and masked on the UI before removing this warning. That's essentially the same issue, and I cannot reconstruct why we didn't pick up on it at the time.
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-dev+unsubscr...@googlegroups.com.
>>> To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/13481880-4c38-4ed3-ba2d-440aca7b578bn%40googlegroups.com.
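The shape Daniel and Kevin are asking for in the thread above (password and token stored and transmitted as a Secret, masked in the UI), written out as an added example. This is not code from the sonar-quality-gates-plugin or from either PR; the class name, field names, Jelly path and the Bearer header form are all assumptions made for illustration. The comment about Jenkins converting a legacy plaintext String in config.xml into a Secret field relies on core's Secret converter applying Secret.fromString to the stored text.

```java
// Added example, not code from the sonar-quality-gates-plugin or from the PRs
// discussed in this thread. Class, field and form names are hypothetical.
package example;

import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;

public class SonarInstanceConfig extends AbstractDescribableImpl<SonarInstanceConfig> {

    private final String name;
    private final String serverUrl;

    // Both credentials are hudson.util.Secret, never String. XStream writes a
    // Secret to config.xml in its encrypted form. Reading an older config.xml
    // that still holds a plaintext String into this field also works (assumed
    // here): Jenkins' converter runs the stored text through Secret.fromString,
    // which encrypts plaintext and keeps an already-encrypted value as-is.
    private final Secret password;
    private Secret token;

    @DataBoundConstructor
    public SonarInstanceConfig(String name, String serverUrl, Secret password) {
        this.name = name;
        this.serverUrl = serverUrl;
        // Stapler binds the submitted f:password value directly to a Secret.
        // On Jenkins >= 2.236 the form submits the encrypted value back when the
        // field was not edited, so keeping the field a Secret (rather than a
        // String that is re-run through Secret.fromString on every save) avoids
        // the constant re-encryption Daniel describes.
        this.password = password;
    }

    @DataBoundSetter
    public void setToken(Secret token) {
        this.token = token;
    }

    public String getName() {
        return name;
    }

    public String getServerUrl() {
        return serverUrl;
    }

    // Getters hand the Secret, not getPlainText(), to the view: the f:password
    // control renders a Secret as its encrypted value in a masked password
    // input, so the plaintext never appears in the configuration page's HTML.
    public Secret getPassword() {
        return password;
    }

    public Secret getToken() {
        return token;
    }

    // Decrypt only at the point of use, e.g. when building the request to the
    // SonarQube server, and never log the result. The Bearer form is an
    // assumption; how the header is built depends on the server version.
    public String authorizationHeaderValue() {
        if (token == null || token.getPlainText().isEmpty()) {
            return null;
        }
        return "Bearer " + token.getPlainText();
    }

    @Extension
    public static class DescriptorImpl extends Descriptor<SonarInstanceConfig> {
        @Override
        public String getDisplayName() {
            return "SonarQube instance";
        }
    }
}

/* Matching Jelly view (hypothetical path
   src/main/resources/example/SonarInstanceConfig/config.jelly). Both
   credential fields use f:password, which masks the input and round-trips
   the Secret in encrypted form:

<?jelly escape-by-default='true'?>
<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">
  <f:entry title="${%Name}" field="name"><f:textbox/></f:entry>
  <f:entry title="${%Server URL}" field="serverUrl"><f:textbox/></f:entry>
  <f:entry title="${%Password}" field="password"><f:password/></f:entry>
  <f:entry title="${%Token}" field="token"><f:password/></f:entry>
</j:jelly>
*/
```

A quick check after making a change like this: save the global configuration once, view the page source, and confirm the password and token inputs carry only the encrypted value (the `{...}` form) and no plaintext; then save again without edits and confirm config.xml did not change.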