From YouTube: Jenkins in GSoC 2021, Jun 9, 2021 Office Hours
Description
Jenkins office hours for Google Summer of Code 2021. June 9, 2021
A: So hello, we are doing a quick overview of how the security notifications work in Jenkins. So it's one of the projects for Jenkins, the Kubernetes operator. The idea is to expose security warnings there, and we will just go through how the ecosystem works. So just to start from the public side, we have security advisories. There is a Jenkins security team working on that, and yeah. Here, if you go to security advisories, you can find a lot of advisories being released for particular plugins, etc.

A: So this is what we see in public, and here you can see that there is a warning, for example, that there is a severity level like high, medium, high, something like that. So this is information we have, and we also have information being exposed on the plugin side. So, for example, let's take a look at, for example, the FileSystem Trigger plugin. It's a nice use case, because I used to be a maintainer of this plugin, sorry about that, and yeah.

A: So here you can see that right now there are previous security warnings, a vulnerability, and it points you to the security advisory. So this information is being retrieved from an API provided by the update site, etc. So we have two components for that.

A: So this is basically the information which is available about security vulnerabilities in our metadata. So here you can see that we have id, type, name, message, url and versions. So this is the information which is available in the update center and when we build the Jenkins plugin site. So this plugin site, as I was showing there, plugins.jenkins.io, consists of two components.

A: Inside GitHub, so I have no memory of this place, so there are two repositories: one is plugin-site, which is rather the front-end. It's currently a static front-end being built with Gatsby. So there are a lot of built-in things, and to build, it actually uses the data from the update center, like this metadata in the warnings JSON, and it also uses metadata provided by the plugin-site API.

A: Yes, security warnings, so this is information we expose and, as you can see, this information is actually just exposed from here, so let's find it, so trigger, yeah, FSTrigger. So this is the method which we inject, and here's an answer to your question. There is no data which would expose severity there, but at the same time, when we work on security issues, actually we assign CVE numbers, so what you may have seen for advisories.

A: So, for example, again, let's take this issue, so this is CVE-2021-21657, so this is an official CVE registered in all the databases, because Jenkins is a CNA; Daniel Beck as security officer set up the process. So we issue our own security advisories and they become available in all standard databases, so the scanning tools can pick them up, etc., and yeah. Here's a sample of this snapshot. So here you can see that, yeah, this information is still to be determined and there is no CVSS score.

A: Let's try to find something else, because there should be entries with a CVSS score for this issue, yeah, for example. Here, so again, you can see that it's basically information supplied by the Jenkins project as a part of a security release, and here you can see that the severity level is high, so this is 8.8, and there is an attack vector. So it's a standard CVSS string. You can see some decoding here. This is too small, yeah, yeah.

A: So basically, this is what you can get, and this is what our security team submits as a CNA. So at some point we have this data assigned, and I cannot describe how exactly it's assigned, because it's a part of the security process, so I would be happy to show it, but I am just afraid about showing some sensitive data on the screen sharing and recording.

A: So maybe we could talk later to Daniel Beck, or you could raise a question to the developer mailing list. But what actually happens? We have this CVSS score long before we release the advisory, because when we prepare the advisory, et cetera, all this process, generation of this metadata for MITRE, etc., they are all automated.

A: So what we would just need is to update our process to also inject this CVSS score here. That could be, for example, two fields, one with severity and another one with CVSS score, and once it's exposed in the update center, you can also propagate it to the plugin-site API and expose it for your needs.

A: Well, yes and no, you can still retrieve this data directly from sites like MITRE, etc., because all of them have an API which you can use to extract this data. So in theory, you should be able to retrieve the data somehow from here.

A: Yeah, but when you, where you can find the CVE, so let's assume you do some, I'm not sure what exactly you're doing at the moment and how you plan to implement it, and I'd still ask you to take a look, but yeah. There is this update center metadata and the sources are jenkins.io. So our jenkins.io, all the advisories, are also managed as code, and here, for example, we can go to content, data, and here it is.

A: I believe that, no, I was wrong, so it's in security, so in security there are advisories and, let's again take a look at our last advisory, yeah, this one, so yeah. This is our advisory, right, and what you can see here is that if you switch to the raw format, you will see that actually this advisory is implemented as a set of metadata.

A: Yeah, yeah, so FSTrigger. So what you can see here, you can see that the metadata ordering is quite strange because it's auto-generated, so we probably could do better on that. But what you can see is that actually by just pulling this data, and you can predefine the URL, because this URL can be extracted from this URL.

A: So you can create this data just from GitHub and you can get CVSS and severity from here, yeah. So once the advisory is out, you can retrieve the data from here by applying some magic tricks. So basically, in your case, you have two options. One is just somehow tweak the implementation. For example, in your code, you can just put all these files, parse them and expose metadata from there. It's one of the approaches, and another approach would be to go and to actually update the update center, too, and the plugin-site API to expose this metadata, and likely the advisory generation scripts.

A: Okay, so basically, you have a classic choice of any open source developer, whether you implement a hack by using another data source or you implement the proper solution.

A: And I have no advice on which one to take; I suggest talking to your mentors. Maybe Daniel Beck would be willing to provide some guidance. I can assure you that the implementation is quite easy, but it may take some time to deliver these components, because it needs review and a release. We do continuous delivery of all the components, so basically it requires some reviews, and I'm a maintainer of these repositories.

A: I can help, but yeah, it's your choice whether you want to do that, and my action item is to actually share this video so that you can decide how you approach that.

A: So I guess I will stop the recording then, and if you have no other questions, yeah, just thanks, everyone, and let's talk later.

A: Yeah, also, if you have such questions, don't hesitate to ask in the chat. I'm not so... you're using Gitter, Slack at the moment, right? So I'm in this Slack, and you are totally welcome to ping me if you have any questions.

A: Full disclaimer, it's yet to be announced because it's in the discovery state, okay, so we have community.jenkins.io.

A: So this is Discourse, which is actually sponsored by the company which currently develops Discourse, and yeah, thanks a lot to them. So here we have initiated some initial categories; it's in preview, so yeah, some things might be different, some things might not work, but here, for example, we created an entry for GSoC.

A: There is just a quick summary about how to get information, etc., and if you want to discuss something, we can try using this channel, because I can totally imagine that for some use cases a Discourse could be better than a million keys in the chats, especially now, the situation when you have CDF, Slack and Gitter with Jenkins.

C: I was like, oh man, we have all of... but I like, the thing I like about Gitter is that it also has the reference on the side to all of the activity, especially if your Gitter is tied to a repo, that you can immediately see information about, like, pull requests that are open. I love that you can be able to immediately see, like, you know, stars or just kind of who's cloning things, but mostly also...

A: Yeah, so yeah, basically it's currently in preview. I have an action item to actually make it more explicit that it's in preview. Before that, I just updated "welcome to this Discourse", okay, so this one, but I think that I will be trying to make it even more explicit that it's in preview.

A: And yeah, for the rest, yeah, you are welcome to try it out, but yeah. The intention is not to introduce yet another channel, but to consolidate some channels, because yeah, currently it's just, as probable, almost everywhere.

A: So we want to actually kill some of the remaining IRC channels. We moved to Libera.Chat and we have only four IRC channels left. It's also something we need to announce formally; it's just in the mailing list, but yeah, the things here and there, so yeah. And here, if you want to share your feedback, there is Site Feedback and of course there is a question, YAGNI, somewhere.

A: So just a second, looking for that, but yeah. There was definitely a question started somewhere about whether we actually need that, and you're welcome to participate.

A: I'm just looking for this: "Chat goal and purpose of community.jenkins.io regarding other communication channels." So it's Angelic who started it; I'll probably drop it to the mailing list, and I had to do that.

A: It's so true, but yeah. Actually, I think that it's important to try, because we had issues with communication channels in Jenkins for a long time, and if this Discourse resolves our issue, I'm totally for that, and I have no hard feelings about removing the majority of Gitter channels, okay, especially once we use a koni, because Gitter threads are still terrible.

C: Yes, yeah, the threads are not good, but I do agree with you on that. The threads are not great, but I did like, the only thing I really like, though, is, like, having the reference to the repository on the side and, like, being able to kind of reference it like that, but yeah, the threads are not great in Gitter at all.

A: Yeah, so just try it out, and I think that again it's a good opportunity for providing feedback. I have some personal interest in that as events officer; for example, I want to introduce language groups, so yeah. You might have seen some activities from me on Twitter about Jenkins Español and Jenkins Français, and well, I study French, as you may have noticed from the previous phrase.

A: My French is still terrible, but yeah, I'm working on a playground for language practice, and there are also things through community, but it's an experiment, because actually, yeah, all our communities are in Telegram or meetup.com at the moment.

A: So things like that, and Telegram doesn't support threads at all, so I would say particularly for the developer channel and for the Russian-speaking users channel it's a kind of nightmare, because in the user channel we have something like 400 messages per day and there are no threads in Telegram. So how people managed to have a reasonable conversation there, I don't know. I just visited the channel, so yeah.

A: Nope, okay, then I'll stop screen sharing, and yeah. Thanks for good questions. I will create videos, maybe I'll cut it into two, because giving Mike Hughes some quick overview of this Discourse for his announcements and work, and yeah. The team can use the security part of their TV as well, though I would rather ask Daniel to create a bigger deep dive, but I hope it helps.