Re: sonar-quality-gates plugin security issue

2024-08-16 Thread Kirk Fitzsimons
I have created another PR to address the issue with the token in the code and the UI: https://github.com/jenkinsci/sonar-quality-gates-plugin/pull/34 I am just waiting on the maintainer to see if it looks okay; more than happy for anyone on the security team to have a look at it also. On Fri, Aug 16, 2

Re: sonar-quality-gates plugin security issue

2024-08-16 Thread 'Kevin Guerroudj' via Jenkins Developers
It indeed looks like this PR fixed the vulnerability for the password. However, as previously mentioned by Daniel, before removing this warning, we would also like to see the token stored and transmitted as a Secret and masked in the UI. On Tue, Aug 13, 2024 at 10:56 AM Kirk Fitzsimons wrote:

Re: sonar-quality-gates plugin security issue

2024-08-13 Thread Kirk Fitzsimons
The following PR https://github.com/jenkinsci/sonar-quality-gates-plugin/pull/30 has been merged; can the security team re-evaluate the security advisory? On Fri 9 Aug 2024, 00:01 Kirk Fitzsimons wrote: > I have created the following PR which I believe addresses the issue > https://github.com/jen

Re: sonar-quality-gates plugin security issue

2024-08-08 Thread Kirk Fitzsimons
I have created the following PR which I believe addresses the issue: https://github.com/jenkinsci/sonar-quality-gates-plugin/pull/30 If the PR is approved/merged, what is the process for removing the warning? Can this be updated by the security team? Or does the maintainer need to create a PR agains

Re: sonar-quality-gates plugin security issue

2024-08-08 Thread 'Daniel Beck' via Jenkins Developers
On Thu, Aug 8, 2024 at 3:15 PM Kirk Fitzsimons wrote: > When I inspect the HTML this is what I see. Maybe I misunderstood, but I > thought if the password was transmitted in plain text I would see the > actual password, e.g. 'kirkpassword', not an encrypted password. > If I have misunderstood and t

Re: sonar-quality-gates plugin security issue

2024-08-08 Thread Kirk Fitzsimons
I made an attempt at this; I am not sure if it is correct, as I have not noticed any difference: https://github.com/kirk-fitz/sonar-quality-gates-plugin/commit/72201ae973f6299e35f530154617dff6e4db52da On Thursday, August 8, 2024 at 2:15:04 PM UTC+1 Kirk Fitzsimons wrote: > Thanks for your reply. > > W

Re: sonar-quality-gates plugin security issue

2024-08-08 Thread Kirk Fitzsimons
Thanks for your reply. When I inspect the HTML this is what I see. Maybe I misunderstood, but I thought if the password was transmitted in plain text I would see the actual password, e.g. 'kirkpassword', not an encrypted password. If I have misunderstood and the update to the getters and settings

Re: sonar-quality-gates plugin security issue

2024-08-08 Thread 'Daniel Beck' via Jenkins Developers
On Thu, Aug 8, 2024 at 12:34 PM Kirk Fitzsimons wrote: > The plugin has a security issue opened up against it: > > Credentials transmitted in plain text by Sonar Quality Gates Plugin > > > I would like to see if I can resolve it