Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Jenkins / Google Summer of Code Office Hours / 9 Jun 2021
Jenkins / Google Summer of Code Office Hours / 9 Jun 2021
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Jenkins in GSoC 2021, Jun 9, 2021 Office Hours

Description

Jenkins office hours for Google Summer of Code 2021. June 9, 2021

A

So hello, uh we are doing a quick overview of how the security notifications work in jenkins. So it's one of the projects for drinking is kubernetes operator. The idea is to expose security warnings there and we will just go through how the ecosystem works. So just to start the from public side, we have security advisories. There is a junk security team working on that and yeah. Here. If you go to security advisories, you can find a lot of advisories being reduced by particular plugins, etc.

A

So this is what we see in public, and here you can see that that is warning, for example, that there is a verity level like high high medium high, something like that. So this is information we have um and we also have information being exposed on the plugin side. So, for example, let's take a look, uh for example, file system triggers plugin, it's nice use case, because I used to be a maintainer of this plugin, sorry about that uh and yeah.

A

So here you can see that uh right now there is a previous security warnings, excessive vulnerability and it points you to security advisor. So this information is being retrieved from api provided by the update site, etc. So we have uh two companies for that.

A

We could have you already investigated the infrastructure.

A

Okay, so if not, I will just uh show it to you, uh so there is update uh center v2. So basically it's update center, which serves all the data for jenkins. It's built regularly and you can see a community like it warnings to the advisory, and here you can see a file.

A

So this is basically the information which is available about security vulnerabilities in our metadata. So here you can see that we have id type name message, url and versions. So this is the information which is available in a player update center and when we build the jenkins plug inside. So this plugins drink, as I was showing there so plugin strings io, consists of two components.

A

One component is a api, so.

A

Against.

A

Inside table, so I have no memory of this place, so there are two repositories: one is plug-in side, which is rather front-end. It's currently a static front-end being built with gatsby. So there is a lot of built-in things and to build. It actually uses the data from the blade center, like this metadata in the warnings json, and it also uses a metadata provided by plugin site api.

A

At the same time, plugin site api also provides some runtime api, so you can get an api for particular plugins. Maybe you could help me here with the url. So what is a fast trigger api.

A

Right.

B

The plugin is like to be specified.

A

Later.

B

So first then you specify api, then the then.

A

You have to.

B

Specify plugin, then the name of the plugin.

A

Okay, so here we get this api which has shown before so here you can see some information, including security.

A

Yes, security warnings, so this is information we expose and, as you can see, this information is actually just exposed from here, so let's find it so trigger yeah fs trigger. So this is the method which we inject and here's an answer to your question. There is no data which would expose severity there, but at the same time, when we work on security issues, actually we assign cve numbers so what you may have seen for advisories.

A

um So, for example, again, let's take this issue, so this is cve 2021 21 657, so this is official cve registered in all the databases, because jenkins is a cna daniel back as security officer set up the process. So we issue our own security advisories and they become available uh in uh all standard databases, so the scanning tools can pick them up, etc and yeah. Here's a sample of this snapshot. So here you can see that yeah. This information is still to be determined and there is no cv score.

A

Let's try to find something else, because there should be interest with cv score for this issue yeah for example. Here so again, you can see that it's basically information supplied by the jenkins project as a part of security release, and here you can see that the severity level is high, so this 8.8 and there is a attack vector. So it's standard see this string. You can see some decoding here. This is too small, yeah yeah.

A

So basically, this is what you can get, and this is what our security team submits uh as a cna. So at some point we have this data assigned and I cannot describe how exactly it's assigned because it's a part of security process, so I would be happy to show it, but I am just afraid about showing uh um some sensitive data on the screen sharing and recording.

A

So maybe we could talk later to daniel back or you could raise a question to the developer managers. But what actually happens? We have this cvs course long before we release the advisor, because when we prepare the advisor et cetera all this process generation of this metadata for meter etc, they are all automated.

A

So we, what we would just need is to update our process to also inject this cvss score here. That could be, for example, two fields, one with severity and another one with cvscore, and once once it's exposed in the update center, you can also propagate it uh to the plugin site api and expose it for your needs.

A

Do you follow me.

B

Yeah, I am like getting the gist yeah.

A

So.

B

Right like right now, there is like no way to access the api right so.

A

Well, uh yes, and no, you can still retrieve this data directly from uh sites like mitre, etc, because all of them have api, which you can use to extract this data. So in theory, you should be able to retrieve the data somehow from here.

B

How exactly.

A

Like do you have to scrape.

B

Html or something like that.

A

Yeah, so what would you need to do you have this metadata so and again, here's a problem. This method data doesn't uh include cv.

B

Yes,.

A

This.

B

Is security so.

A

Yeah, but uh when you where you can find cv, so let's assume you do some, uh I'm not sure what exactly you're doing at the moment and how you plan to implement it and still take you to take a look but yeah. There is this of this center metadata and the results are jenkins ion. So our jenkins iowa, all the advisories, are also managed by configuration score, and here, for example, we can go to content data and he is.

A

I believe that no, I was wrong, so it's uh in security, so in security there is advisory and, let's again, take a look at our last advisory yeah, this one so yeah. This is our advisory right and what you can see here that if you switch to the raw format, you will see that that actually, this advisory is implemented as a set of metadata.

A

So again, zooming in a bit, so here you can see. For example, where was our plugin? You were talking about.

A

Yeah yeah so fs trigger. So what you can see here, you can see that the metadata ordering is quite strange because it's uh auto generated, so we probably could do better on that. But what you can see that actually by just pulling this data- and you can predefine the url- because this url can be extracted from this url.

B

Yeah yeah yeah.

A

uh So you can create this data just from github and you can get cvss and severity from here yeah. So once.

B

The.

A

Advisory is out, you can retrieve the data from here apply by applying some magic tricks. So and basically, in your case, you have two options. One is just somehow tweak uh the implementation. uh For example, in your code, you can just put all these files parts to them and expose metadata from there. It's one of the approaches and another approach would be to go and to actually update abby center, 2 and plugin site api to expose this metadata and the likelihood advisor regeneration scripts.

A

So this metadata is automatically injected because daniel back and other security leads do not write it on by hand. They have tools which generate that, so these tools would also need to be updated uh to inject these entries. But technically it's possible.

B

Okay, okay,.

A

Okay, so basically, you have a classic uh choice of any open source developer, whether you implement a hug by using another data source or they implement the proper solution.

B

Yeah.

A

And I have no advice: what has to take, I suggest talking to your mentors. uh Maybe daniel beck would be willing to provide some guidance. I can assure you that implementation is quite easy, but it may take some time to deliver these companies because it needs review witness release. We do continuous delivery of all the companies, so basically it requires some reviews and I'm a maintenance of this repositories.

A

I can help uh but yeah it's your choice, whether you want to do that- and my action item is to actually share this video so that you can decide how you approach that.

B

Okay, okay,.

A

Sure, okay, any questions.

B

Oh, nothing else, I'll look into it. So oh I'll, try something it's okay, yeah.

A

Yeah.

B

Thank you.

A

Too so I guess uh I will stop the recording then, and if you have no other questions, yeah, just thanks. Everyone and let's talk later.

C

Sounds good so.

A

Yeah application, if you have such questions, don't hesitate to ask in the chat, uh I'm not so you're using histoschlabs like at the moment right or so I'm in this slug, and you are totally welcome to pink me. If you have any questions.

A

Implementation.

B

Thanks all right, thanks christian.

C

Yeah you're welcome. Actually I do have a question, so I heard that we have a discord now. Is it or is that that's more of a no okay.

A

No, we do have a discourse now, so let me show it to you.

C

Okay, so.

A

Full disclaimer it's yet to be announced uh because uh it's in the discovery state okay, uh so we have community jenkins scion.

A

So this is discord which is actually sponsored by the company which currently develops a discourse and yeah thanks a lot to them. So here we have initiated some initial category, uh it's in preview, uh so yeah some things uh might be different. uh Some things might not work, but here, for example, we created an entry for g-shock.

A

um There is just a quick summary about how to get information, etc, and if you want to discuss something, we can try using this channel, because I can totally imagine that for some use cases a discourse could be better than a million keys in the chats, especially now the situation when you have cdf, slug and guitar with jenkins.

A

But to be honest, I think that maybe it's time to kill, guitar and replace it by this course.

C

Okay, so.

A

Yeah you're against right.

C

I was like I was like oh man we have all of, uh but I like the thing I like about getter is that it also has the reference on the side to all of the activity, especially if your getter is tied to a um repo that you can immediately see information about like pull, requests that are open. um I love that you can be able to immediately see, like you know, stars or just kind of who's cloning things, but mostly also.

A

Like.

C

Mostly the pull, requests and stuff it's it's just an extra reference and.

A

That's why I really like.

C

Getter, but it's mostly based on like a if it truly is, if it's tied to a repository, I think I find it helpful, but I don't know I don't.

A

Know where the.

C

Future is going in different directions.

A

uh Well, it's yet to be decided because currently it's prototype.

C

Okay,.

A

So we are looking in that, where they it can be used, so olivier and gavin are driving. That.

C

Okay, cool yeah.

A

I saw that on this channel. That's.

C

Why I wanted to bring it up, so I was like if I didn't realize it was still in development, but I did see it in the developers and it was like. Oh no, so.

A

Yeah so uh yeah, basically it's currently in preview. I have an action item to actually make it more explicit that it's in preview uh before that. I just updated- welcome to this course. Okay. uh So this one, uh but uh I think that I will be trying to make it even more explicit with its preview.

C

Okay,.

A

um And yeah for the rest, uh yeah, you are welcome to try it out, but yeah. The intention is not to introduce yet another channel.

C

Yes, but.

A

To consider some channels uh because yeah, currently it's just as probable, uh almost everywhere.

C

Right.

A

uh So we want to actually kill some of the remaining rc channels. We move to liberate chat and we have only four lc channel channels left. It's also something we need to announce formally, it's just in the mailing list, uh but yeah uh the the things here and there so yeah. And here, if you want to share your feedback, there is site feedback and of course there is a question uh yagni somewhere.

A

So just second time. Looking for that, but uh yeah. That was definitely a question uh started somewhere about whether we actually need that and we are you're welcome to participate.

A

I'm just looking for this chat uh goal and purpose of community change is io regarding other communication channels. So it's angelic, who started I'll, probably drop it to the main list, and I had to do that.

A

It's so true, but yeah. Actually, I think that it's important to try, because we had issues with uh communication channels and junkies for a long time and if this course resolves our issue, I'm totally for that, and I have no hard feelings about removing the majority of guitar channels. Okay, especially once we use a koni because guitar threads are still terrible.

A

uh Well, it's they're better than these two.

C

Yes, yeah, the threads are not good, but I do agree with you on that. The threads are not great, but I did like the only thing I really like, though, is like having the reference to the repository on the side and like being able to kind of reference it like that, but yeah the threads are not great in getter at all.

C

So.

C

All right cool, that's all! I did.

A

Yeah, so just uh try it out, and I think that again is a good opportunity for providing feedback. I have some personal interests in that as events officer, for example, I want to introduce language groups so yeah. You might have seen some activities from me on twitter, about espanol, jenkins and jenkins, francais and well. I study french, as you may have noticed from the previous phrase.

A

My french is still terrible, uh but yeah I'm working on a playground for uh language practice and there is also things through community, but it's an experiment because actually yeah all our communities in telegram or meetup.com at the moment.

A

But yeah again, I created a placeholder just in case so that everyone who is interested they can go there discover and navigate to our chats and we have a lot, including using jenkins, developing jenkins. So it's in russian but yeah.

A

So things like that and telegram doesn't support threats at all, so I would say particularly for developer channel and for russian speaker users channel it's a kind of nightmare because in the user channel we have something like 400 messages per day and there is no threats in telegram. So how people managed to have a reasonable conversation there? I don't know. I just visited the channel so yeah.

A

Okay, anything else for today.

A

Nope, okay, then I'll stop screen, sharing and yeah. Thanks for good questions, I will create videos- maybe I'll cut it to two, uh because giving uh mike hughes some quick overview of uh this course for his announcements and work and yeah. The team can use the security part of their tv as well, though, I would rather ask daniel to create a bigger, deep dive, but I hope it helps.

A

That's it for today, and thanks all.

B

Thank you. Thank you very.

A

Much.