Description
Hacktoberfest launch as part I of the Jenkins Contributor Summit October 2, 2021. Includes guidance and examples for new contributors to assist with
* User experience improvements
* Plugin documentation migration to GitHub
* Content Security Policy improvements for core and plugins
* Plugin modernization
00:00 Introduction
05:29 Welcome to Hacktoberfest
15:06 User experience improvements
38:50 Migrating plugin documentation to GitHub
56:09 Implementing Content Security Policy
1:50:33 Modernizing plugins
2:28:30 End of the session
Meetup page: https://www.meetup.com/Jenkins-online-meetup/events/281083403/
A: Welcome, everyone. This is the Jenkins online meetup and the Jenkins contributor summit. It's October 2nd, 2021, and depending on what part of the world you're in, it's midday Saturday in India, it's early morning Saturday in Europe, or it's the middle of the night Saturday in the United States, where I am. Thanks, everybody, for being here. I'm going to go ahead and share my screen and let's get started.

A: Let's see, this one, there we go. All right, so everyone, what you should see is slides. Perfect. Welcome to Hacktoberfest 2021. These slides are archived at this location, bit.ly jenkins dash hacktoberfest 2021, so you can go find them later if you need to. You know what, I should probably paste the link to those slides into the chat. Let's do that.

A: No, I can't in presenter mode, sorry. I'll have to have somebody else help me with that. Welcome, everyone. Let's get going. So we've got three presenters today: Ulli Hafner, Wadeck Follonier and me, I'm Mark Waite. Ulli comes to us from the Technical University of Munich. Ulli, could you clarify for me, technical? I never get the title quite right. Go ahead and introduce yourself.
B: It's a university of applied sciences, as it's called in Germany, in Munich, here in Bavaria, and I'm teaching software engineering, where I'm always using Jenkins to show continuous integration. I'm also a long-time Jenkins committer. I think it's now 15 years that I've been committing to Jenkins. I started with the FindBugs plugin, and now I'm the author of the Warnings plugin and the Git Forensics plugin, and the plugin I'm talking about today is the Code Coverage API plugin, of which I am now a co-maintainer.
C: Yeah, sure. I'm located in Switzerland. I'm working especially in the Jenkins security area, meaning finding and correcting vulnerabilities and coordinating all the releases of the security corrections. That's a bit the tough part with the community: we have to take care that all the things are done at the same time, to prevent any disclosure and things like this. And during my regular vulnerability research I'm discovering some bugs that I'm correcting at the same time. That's a bit on the side.
A: Thank you. And I'm Mark Waite, I'm the Jenkins documentation officer, and I maintain the Jenkins Git plugin and try to help the community as well. We've also got one or two additional helpers with us today. We've got Dhiraj Singh Jodha, who has joined us, and he'll be assisting as a moderator.

A: Looking for your questions. So if you have questions and the presenter happens to miss those questions, we'll rely on Dhiraj to help us with that. Dhiraj, thanks very much for being here. We sure appreciate your help, and we hope to have one other, but that moderator may arrive a little bit later. So thanks, everyone, for being here.

A: So today we're going to talk about Jenkins and Hacktoberfest. A contributor summit for Jenkins is a chance for people to get together to work together. We usually start the contributor summit with a presentation segment, and today's presentation segment will focus on three or four different ways that you can contribute to Hacktoberfest in Jenkins.

A: Then, after that, we will switch from this Zoom webinar format to a Zoom meeting format. You'll need to join a new Zoom meeting, and we're going to do breakout rooms there. We'll allow Wadeck to have his breakout room, I'll have my breakout room, and if Ulli's willing, he'll have his, and each of us will try to answer questions for you. And I believe Dhiraj has agreed, he's willing to run a breakout room as well.
A: We've done Hacktoberfest for many, many years in the Jenkins project and have thoroughly enjoyed our interactions with community members and the way we learn together how to contribute to open source. Looking forward to it again this year. So as a reminder, everyone can contribute to Hacktoberfest. You don't have to be a programmer. You don't have to be some guru expert. You just need willingness and interest, and we'll help you through it. There are online events highlighted at the DigitalOcean site, and sometimes, even in COVID-19, there are people who run local events now.

A: Their recommendation right now is please, let's stay mostly virtual, like this session. So contributing to Jenkins in general looks like this. You could open the jenkins.io website for the Hacktoberfest page, it's under the Events menu, and there you can see some of the featured projects that are available, and there truly are hundreds of open issues that have been identified specifically as good first-time issues, or issues that are well suited to a new contributor. So jenkins.io/event/hacktoberfest.

A: That will give you insights into ways that you can help. And just for clarity, any pull request can count towards Hacktoberfest and helps the project. So if you want to do code, great. If you want to do documentation, great as well. We manage our blog posts and our artwork through pull requests. So if you are a graphic designer and would like to do a new Jenkins logo, we've got the place for you to do it, and you can do it as part of Hacktoberfest.
A: So where should you contribute? Well, user experience: Ulli is going to take us through a detailed tour and show a demonstration of things that he's prepared, and places you could help very immediately with your JavaScript skills, or with Java and JavaScript skills in combination. I'll show how you can contribute to user documentation and learn something about AsciiDoc. Wadeck is going to show us how to contribute to Content Security Policy. I believe that's predominantly Java, as is plugin modernization, where it's Maven and Java. It's even easier for Content Security Policy.

A: We also have opportunities to improve terminology in Jenkins. We've been using terminology that is uncomfortable and indelicate, and so, for instance, several years ago we switched from using the term "master" to describe the Jenkins central system to calling it a "controller", and we've switched from using the term "slave" to using the term "agent". But there are lots of places that still need those translations, that still need that change.
A: I've got to go off screen for just a minute. Hang on. I want to be sure I show you the exact right place. I thought I had that hyperlink correct. It is the following: I want "friendly issues", because this is the thing that you need to see. It's a nice little table that shows issues by component.

A: If you're interested in Subversion, here's the Subversion plugin you can help with. If you're interested in user experience improvements: Warnings NG, analysis model. If you want to learn more about Git, there's the Git plugin ready to go. That list of friendly issues is there to help you decide where you might like to contribute, and these are places where we can really use the help. So we look forward to your help there. Likewise, if you'd prefer to see issues on GitHub, maybe you want to do something with documentation.

A: That's the caliber of things that we're looking for. We would love to have your help. Now, how do you get started? Sign in to Hacktoberfest on their event website and join our Gitter channel. So our Gitter channel looks like this. Join up and have conversations with us, we'll be delighted to have you there, and then just start creating pull requests.
A: Now, when you create a pull request, you'll help all of us if you'll put the word "hacktoberfest" in the pull request title, and if you're a Jenkins maintainer, help us by labeling the pull request as "hacktoberfest". That way it qualifies, and marks it correctly, so that the Hacktoberfest counting system will correctly detect it. So again, please be sure you put "hacktoberfest" in the title. If you didn't get it into the title, put it into the text of the pull request that you're submitting.

A: Now, if you need some more advanced places to contribute, there is jenkins-zh, the Jenkins China repository for the localization to Chinese. There's the jenkins-infra repository, where we do infra maintenance, so things like hosting our web servers and maintaining the plugin site, and all sorts of things like that are in jenkins-infra. We're also happy if you contribute to upstream projects like Apache Maven or others like it.
C: Just a quick comment: the question and answer panel is more for questions. If it's just a discussion that you want to have with us or with other people, just use the chat, it will be easier, because otherwise, for the Q&A, we have to reply to the different questions separately. It's not the best tool for that. I will say thank you.
B: Yes, just like this. It's just two slides. When I talked I noticed there is something missing.

B: This one, yeah, this and the next slide. So what I wanted to start with is: Jenkins is, I think, almost 15 years old now, and the user interface is quite old as well, because Jenkins uses mostly static HTML. This is very helpful if we have plugins that want to extend the user interface: you can provide your own views.

B: So we have in Jenkins noticed that we need to put some work into this, and therefore we created a Jenkins user experience group to improve the user interface, and what we want to do is some kind of step-by-step improvement. That means we want to make small things in every release of Jenkins, and a big bang integration, as Blue Ocean tried to do so.

B: The idea is that we start by improving the plugins, step by step, and then take one part that works well to the other plugins, so that everybody can have a nice user interface. In this group we have some Jenkins developers, but if someone of you is a UI engineer or a JavaScript professional, it would be really helpful, because we have a lot of Java developers but not so many JavaScript developers.

B: So the meetings in our group are every four weeks. You find it in the event calendar, so welcome to join here if you want to help. Can you switch to the test? And now about the background of my talk today, the Code Coverage plugin, as I already mentioned, has some kind of old user interface which I wanted to improve, and what I've done is, I'm not sure if anybody knows my Warnings plugin, but in the Warnings plugin...
A: Sorry, oh sorry, Ulli, forgive the interruption. There's a question that I think this might be a good place to answer. Schlock Mohanty asks: is code coverage covered by using SonarQube? Maybe you could describe how code coverage operates at the user experience level and how people, or I guess maybe you'll be demonstrating that, so one way or the other I think you'll get there.
B: What we try to do in Jenkins is we just hook into the build. You have a Maven build, for instance, where you produce your code coverage files or you produce your static analysis files, or you have a Node build for JavaScript, where you produce code coverage as well, or you produce some warnings from ESLint or something like that, and now the Jenkins plugins take the results of the build and render them within Jenkins. So you do not need another tool; everything is included in your build, for every build.

B: You get the same information that the build has. So this is the thing which is kind of different from tools like Codecov, which work afterwards, or SonarQube, etc. And what I've done now is to introduce some different libraries. I already mentioned Bootstrap, I'm also using Font Awesome to provide some modern icons.

B: Let's go back here to my screen. So the first thing when you start with the code coverage, let's switch to this tab: when you create a build in Jenkins, every build has some typical artifacts that are generated for each build. Now we have here the build number 38, and here we have some checkout from the Git repository. You see the latest commits from the repository, and what I also included here is now a coverage report.

B: There you see what your line coverage and what your branch coverage of this build is. You also see in this information the reference build. What we also now try to compute for every build is, we would not only want to compute the total coverage for this build, we also want to see the increment. So did you change the coverage? Is it better? Is it worse? So here we have, yeah, the coverage here is a little bit worse, but you see it's not really a big difference.
B: I think it's more interesting to see how the code coverage looks for the single build, and therefore you can click on this link, and then you will navigate to a detailed view, and the detail view is split into...

B: So now we have, the screen is already prepared for different screen resolutions. That means we have different components on the screen that render differently on your iPad or on your big screen, and now you've seen, if I make the screen a little bit smaller, then suddenly the screen is too small.

B: You can show different UI elements, and this is one thing I started, but this is not really finished. So I think, if you're on the iPad or even if you're on your phone, you need some different screen, because on your phone you are maybe not interested in the overview, or you may not be interested in the details here and in the bottom level.

B: So this is one thing where you can help to improve. The detail view consists of four parts, so we have the trend chart, we have the overview.

B: We have a kind of package overview where you see the code coverage for all your files, and you have, let's say, a table where you see the details for your files. That means you see the package where your code is placed, the file names, and then you have some elements that show the line coverage. And one thing which works, but is not perfect, is that now you have horizontal scrolling, for instance. That means what one can do is to improve the number of columns.

B: According to your screen resolution, this is possible with the libraries I'm using, but I did not find the time yet to do it. So this would be one part to improve the table, so I make it a little bit bigger. If you make the table bigger, then everything is visible, but if you make it smaller, it would be helpful if maybe some columns would pop off and not be shown at all.
B: So this is the detail view which I'm using as an architect. I would like to see: these are my files, and I want to see, is the code coverage here in this file good or bad. Then I can click on the link, and now I see the overview for this file. Here I see the branch coverage for the file.

B: The line and instruction coverage for the file, the number of methods and the number of classes in this file, and if I want to see a detailed view of the source code, this is possible as well. Then I can have a look at the source code here, and you see, according to the coloring, green lines are covered, red lines are not covered, and yellow lines are partially covered.

B: So this is a good help for an architect or for you as a developer, and here it would be helpful if we, yeah, I'm not sure if this is part of a hackathon or a Hacktoberfest issue, because currently the text is kind of just plain text. It would be helpful if there was some syntax highlighting, etc.

B: Okay, so let's jump back here. We see the details for one build, and what's also provided by my plugin is this kind of trend chart. That means you have the opportunity to see the results from build to build, that means a trend: are you decreasing your coverage or are you increasing the coverage? And this same information is shown on the main view of Jenkins. That means, if you start on the main view, you see this coverage, branch and line coverage, as a trend, and there you can see how your coverage behaves.

B: So this was the introduction to the user interface, which is now almost ready, and for this interface a lot of things can be improved, for instance the trend chart. Here we have only a single trend chart.
B: So you can set these things, you can say: okay, I only want to see five builds, and if you save it, then the trend chart changes. What would be helpful is if we showed a kind of delta view, where you see not the total coverage, but you see how the code coverage increased or decreased with each build.

B: So this is one thing that you can improve in the charts. One thing that one can improve is the coloring of the charts, for instance. Currently the coloring is hard-coded in my Java files, and maybe it would be helpful if we could provide, for instance, in this dialog, that we say okay, I want to show it in different colors, and add here a customization of the colors, for instance.

B: So this is one thing we can add, and there are a lot of other things we can add. We can add columns for the Jenkins view.

B: Let's say I go back to the Jenkins dashboard. Here we have our jobs on my instance, and here you see, for instance, the name of the project and the last success, and you see the number of static analysis warnings, and it would be helpful if you also saw the branch coverage or the line coverage in this table view. So this would also be one enhancement that you can provide: a column that shows the branch coverage. And some other elements you can show or help to show, for instance, here in this table I just provided two columns.

B: For instance, one column shows the percentage as a number, and the other column shows the percentage as a chart or as a background. So maybe it would be helpful if someone could create a single column that shows both in one cell. Then the width is better used, and I think it's even easier to read if we just have one column that shows it.
B: What can also be helpful: currently I only show the branch and the line coverage in the detail views. Maybe someone is interested in the instruction coverage or in the method coverage. I'm not really interested as an architect, because for me only the lines count, but maybe other users of Jenkins require some different views.

B: So it would be helpful if you could extend the plugin by making some things more configurable which are now hard-coded. Or, for instance, in this chart here, where you see the package overview, you see the code coverage elements of my classes, and so, for instance, if it's red you have poor coverage, if it's green you have good coverage, so you can click and see. This is the Eclipse one.

B: So you see, if you get a little bit familiar with this plugin, you will find a lot of ideas where you can improve. What I tried to do is, I created several issues here in GitHub, which I marked with "hacktoberfest".
B: It can present results from every system that is supported. The Code Coverage plugin works a little bit like the Warnings plugin: we have the tools separated from the Jenkins plugin. That means you need to run the tool in your build. The build produces some kind of JSON file, XML file, whatever, and then the Code Coverage plugin comes, reads the results and presents the results.

B: That means, if we do not have support yet, one can write a simple adapter or parser, and this parser needs to read the XML file and to create the Java model, and this would be an enhancement as well. So if someone does not want to participate in the user interface, and he wants to show, let's say, coverage data of JavaScript, and we do not have a parser yet, then just write the parser and the plugin will work out of the box.

B: For these elements, there is nothing in Java which is basically in the plugin. The only thing is maybe that we have source files that may contain classes, which is not given in every other language. But normally, in every language you have some kind of files, you have some kind of methods, you have some kind of lines and branch coverage, so everything should work with what you have.
B: I think, when you switch to the presentation, I have one link in the slides where you see the issues that are open, okay.

B: Yes, it's a camera. So the issues I've talked about, this is the first link here. You will be redirected to GitHub, where you see the GitHub, you know, Hacktoberfest elements.

B: The second link is, if you want to have some beginner topics in the Warnings plugin. This is not only UI, it's also plain Java. So have a look here. There are a lot of small things where I don't find the time; it would be helpful if someone could help. And I think the last link is the same you already presented, it's just for the user interface, I think.
A: Great. So the next stop then on our journey here is: maybe you feel more comfortable contributing to something that's a little different than code. Well, here's a way you can contribute to help with documentation. So Jenkins documentation for plugins is, let's do it this way, I'm going to pause here and we're going to look at this site, plugins.jenkins.io.

A: Which is the Jenkins plugin site. And yes, as it says here, there are 1,800 or more Jenkins plugins, and when I look for a Jenkins plugin, it will show me different matches for my search. I asked for "git" and it showed me Git and the Git client. So when I click this one, it shows me the documentation for that plugin.

A: This documentation is maintained, preferably, in the repository of the plugin itself, so we want to do documentation as code. And so this documentation you see on screen, and it's quite a lot, is part of the Git plugin source code. Someone had to create that, and someone had to put it there, and that creation process is part of this exercise.

A: So the idea here is that there are plugins that need to be migrated, and if we click here on this sheet, for instance, it's going to take us to one view of plugins that need to be migrated. This is my view that I did a sorting on, and in this view you could say, hey, I want to improve the documentation for one of these plugins, and if you'll right-click on a cell and comment, let's see, and I'm gonna put a very specific one, because I want to do my demo.
A: This is an easy way for you to say I'm going to work on this and still see what the priorities are. If you don't do this, no harm; we'll detect it pretty quickly that you're working on a particular plugin. But so that's the first step here: find a plugin to migrate, and I use the sheet because it was easier for me, if you prefer.

A: And oh, it didn't find it for me that way. I've got to look this way and scroll down. So we're going to do here, and instead of appetize we're going to say "schedule build", and here is the documentation as copied from the Jenkins wiki. This is the thing that I want to convert, to migrate it into the Jenkins plugin repository. So back to our steps: find the exported README.

A: You go to this plugin-wiki-docs repository and find your plugin that you're migrating. Now the next step is: let's fork the repository and create a new README file for it. So I'm going to actually borrow this hyperlink, open the page, the GitHub link that you saw. Let's go back there. You see right over here in the links, there's the GitHub link. I'm going to click the GitHub link. Okay, here's the repository!

A: My first task, then, is to fork it. So I'm going to click the fork button in the top right. It'll put it into my repository; notice that it's creating MarkEWaite/schedule-build-plugin. So here's my fork. Now I need a local copy of this, so I can work on it. So I use the code button, copy here, and now in my favorite terminal system I'm going to say "git clone" there. And you could do this on Windows, you could do this on Linux, you could do this on macOS.

A: And use your favorite text editor. I think the one true editor is Emacs, but don't let anyone be too distracted by that. Okay, so it has a README file already, and I'm going to go grab, yes, the vi editor would work as well. I actually use that one as well, good point. And yes, for most people, learning how to exit vi is one of the earliest things we have to develop as a skill. Very good.
D: So I just want to make sure I'm on the same page with you, and just want to, you know, discuss the things that we have done till now, and you just correct me if I'm wrong. So there's the main repository which has all the plugin-related content hosted there, plugins wiki docs, and what we are aiming to do is selecting a plugin from this repository and then making changes specifically for that plugin, and for that we are accessing that plugin's specific repo, its own repo, and then what you want to do.

D: Awesome. And then, so currently what you just did is you forked the repository, and then you are manipulating the contents? Yes, as we can see, just for the repository of the plugin called schedule-build, and now you are aiming to edit its README file and put the right content into it. And I think there was a question regarding that: where are we getting the content from, specific to that?
A: That's correct, yeah, you've described it very well, excellent! Awesome, that's great! So now I think we can move forward. Thank you, thanks, good insight. So exactly as Dhiraj said, we are starting from a central location where the docs have been captured from the wiki page, and we are then converting those so that they can be used by the plugin maintainer.

A: In the plugin-specific repository. I don't, as a plugin maintainer, want to have to go write documentation in some other location. It needs to be in my repository. That helps me, because then I also can write documentation when I write new features. I'm much more likely to do that, because I can actually include the documentation right away as I'm creating a new capability. Thanks, Dhiraj, thanks very much. So here we have it. I've got this ready and I'm going to say "move documentation".

A: And now this tells me what the URL is that I should visit to open this pull request, and let's go ahead and visit that location and open that pull request, so that we're ready for it. Now you'll see here on GitHub, it already hinted: oh, hey, look! This green button would let me compare and create a pull request.

A: It also lets me see how my file looks, and okay, this is pretty good, it doesn't look bad, the pictures are there and they appear, they're visible. I haven't submitted the pull request yet, but I've had a chance to see how my work looks before I submit that pull request.
A: "Copy and move docs from wiki to GitHub", and the reason I say wiki there is that's where they existed originally. Admittedly, I didn't have to deal with the wiki. Describe what I did: yep, I did. I don't need to link to any relevant issues in GitHub or Jira, so I'm going to delete that one. No pull requests, and really, for documentation, I don't have a way to put in any tests.

A: Okay, you may say: well, how do I choose? There are a thousand plugins that need documentation conversion like this. How do I choose which one to do? Well, Wadeck and I asked a bunch of Jenkins maintainers if they would be willing to commit to review a documentation pull request, and these top 30 or so are all plugins where the maintainer has agreed to review a pull request.

A: If you submit one. So I recommend you choose one of these, so you get fast feedback. Now, if you would rather, you could choose something else further down the list, or something that's interesting to you. That's fine as well. I just happen to know that for these top 30 here, we have reviewers who are committed and ready to review your change when you submit it. Any other questions that have arisen, any things that we should discuss?

A: All right, so, and it looks like, oh, go ahead. Okay, then I'm going to go ahead and switch back. I think it's time for our next topic. Thanks to everyone who assists with documentation. Now, let's go to the next topic, and Wadeck.
C: Perfect, put that screen. That should be good.

C: Perfect. So just in case, I'm not seeing the discussion and things like this, so if you have any, oh no, actually I can open it anywhere else. So that's good! Okay, perfect! Thank you for the time to discuss my topic there, Content Security Policy: why we are doing that, what is it, how to implement the fix, and all this kind of thing. That will be, I will say, the part of the slides.

C: I will not put the slides in full screen mode, because you will see, for the demo I will need to switch tabs and things like this. It will be easier like this. So what is Content Security Policy? We have seen a lot of vulnerabilities, because I'm working in the Jenkins security team, and in the recent years we have seen a lot of XSS.
C: An XSS is a type of vulnerability that is pretty annoying in Jenkins. It's based on some JavaScript that you can inject in a page as an attacker, and using the JavaScript to exploit some things in Jenkins. You have to think that an attacker with an XSS capability can do whatever they want in the place of the victim, in a sense, so using the victim's authentication to do something. And, as you know, as an administrator you have a lot of permissions on Jenkins, for example the script console, and so with an XSS...

C: You can use this kind of feature to execute any code you want on the server, so that's pretty annoying in Jenkins. That's why the score in terms of severity is between seven and eight out of ten, meaning ten is the most critical vulnerability and zero is just a regular bug without security impact.

C: Now, what is the plan with the Content Security Policy? What is the goal with that? To prevent XSS, there are, I will say, two or three ways. The first one is to correct everything, to correct every vulnerability, but that's a reactive approach: when we discover a vulnerability, we have to correct it. It's easy most of the time, but we have to find the vulnerability first.

C: The second, and I will say that will be the most important one when we are discussing Content Security Policy, is to be more proactive, meaning to forbid unexpected, untrusted script, so JavaScript in this case, from being executed. And how do we achieve this kind of thing? That's where Content Security Policy is coming in.
C
If
you
want
it's
a
new
type
of
protection
that
is
global
to
your
application,
that
global
protection
will
restrict,
which
kind
of
script
could
be
executed
on
your
page,
I
can
show
you
a
demonstration
about
that.
There
is
a
bit
understanding
about
what
is
csp
just
before
that
you
have
some
explanation
on
the
webpage,
the
the
official
oktoberfest
event
web
page
about
the
topic
in
general.
C
You have a document, this one, with a lot of information. So it's mainly what I'm discussing right now, but with more detail, and you have some official documentation from Firefox, directly from Mozilla, actually not Firefox, so from Mozilla: what is CSP, what is the current support, what you have to do to apply this correctly, all this kind of thing. I don't want to go too deep into the detail there. A demo will be easier to explain what we are trying to achieve.
C
Yeah, perfect. So this pull request in Jenkins core is a proof of concept to show you, to demo to you, what the effect of Content Security Policy is. You will see with that, yeah, it seems to be pretty interesting compared to just the theory, in a sense. So you have a lot of instructions on how to use it. I will just do it myself to show you the thing, because that will be easier like this, and you will see, and I hope you will be convinced, why we want to achieve CSP globally in Jenkins. So, a regular Jenkins instance running.
C
There is one page that is linked here with the CSP proof of concept, and it's mentioned here in that page. You can configure your current playground to demonstrate the different impacts there. So here it's very simple. I will explain to you more of the detail and, if I'm getting to the test page, so you can go with that page, that link, and back with that link. It's just, you have a page with an injection of a variable in Java. I will show you the thing in terms of pure Java code.
C
What it means in practice is that the desired payload that is coming from this page, the desired payload, if I'm adding something like this, italic with the correct tags, when I'm rendering this page that part will be in italic, because in the code it will be directly with the i tag, so the italic tag. And you can think, yeah, it's interesting, but what can I do with this kind of thing? Actually, you can just include a script and, inside the script, put an alert.
C
That's the basic XSS payload that we are using when we are looking for vulnerabilities, and in this case, if I'm refreshing the page, you will see that JavaScript being executed. That's something that is pretty annoying, especially on some webpages, not in Jenkins, but on some web pages you can just do something like this to display the current document.cookie. In my case it's not important, because the session ID is protected. I can show you the thing there, just in case I'm not showing something that is confidential, because my localhost is protected.
C
You cannot access my localhost from outside of my local network, so there is no secret there. You can see the JSESSIONID that has a value there. That is very important if you want to attack my server, but my server is not online, so you will not be able to do it. You need to enter my house to have access to it. So it's already broken. It's almost security.
C
At that point, I would say, why we are not seeing that cookie is just because it's using the HttpOnly flag, meaning that the JavaScript code will not have access to the value, nor the cookie name and things like this. So that's why you are seeing the screen resolution when I'm refreshing this page, so screen resolution. So that's all the things that are publicly available, in a sense, inside the JavaScript.
C
Now the problem is that, if you are able to do the alert, I will just go back to the one two three, you can do something else. You can, for example, trigger the administrator to run some Groovy script and so have access to the server, create a reverse shell so that the attacker can have permanent access to the server, all this kind of thing, or, just like most of the time in Jenkins, creating some code that is mining some Monero and things like this to gain, so getting some money there.
C
So here the problem is that we want to prevent that code from being executed, because in a sense this kind of thing is something we want to avoid. It's not what we would like to have in terms of code. If someone is doing that, most of the time it's just because there is a variable inside Java that contains some HTML tags, for example to render a description of a job with some payload that is trusted, in a sense, meaning:
C
Oh, the name of the job needs to be in bold, the rest regular text, so they are just proposing that. But no, if the display name of the job is something that the user can enter, like in Jenkins, they can potentially inject some things like this, like a payload. That's where the CSP is interesting to work with, so you can see here report-only mode. It means that we are seeing a lot of report-only stuff there, all the rules we are putting in the page. You can see default-src 'self', and things like this.
C
I will not go into detail. You will understand the thing directly with the demo. It means that we do not allow anyone to do something. For example, unsafe-inline means that we don't expect a style, in this case, to be directly put inside HTML. It means that if someone is doing something like this, font or font-size of 20 pixels, 23 pixels, that part will be refused because it's inlined, and the same kind of thing we can do also for scripts in general.
C
That's the inline script, and here I'm just unchecking the report-only mode, and you will see the difference. I'm not refreshing the page yet, just to mention there is the 4 with the red background there. If I'm refreshing, first point, you will not see the alert and you will not see the 4 with the red background there. Why? Yeah, it's easy to explain. With the new CSP approach, without the report-only mode, we are refusing to execute the code, so we are refusing to execute the alert 123.
C
That's why it was not popping at the beginning, and at the same time we are refusing to execute any code that is inlined, and for that code inside the top right part, it's coming from an inline JavaScript part that is refused, and that's why you can see that part here, before it's moved to the top, because there is a script doing that. I think it's inside the page footer, I think, yeah, it's that one. 'am' means admin monitor, just in case, so you can see that code if we are executing that code.
C
I can put a hash on it, meaning I check what the checksum of the script is and I will put that inside the approved list of scripts. That's why I'm proposing a list of things here and you can see some of the things, refresh, refresh. I don't remember exactly, oh yeah, that one. So that hash is the equivalent signature of the script that I was just showing you, and if we are allowing that hash to be executed, we are letting the server do the regular thing.
C
So I will just show you the thing: it's just the copy-paste of the value. In this situation you will see the alert is not displayed, but that code is executed, and inside the console you will see only one script was refused. It's the one coming from my payload. If I'm changing the payload just to remove that part...
C
And here you can see the "refused to execute inline script", because it violates the different rules and things like this. There is an alternative, because potentially my script is something that is safe. So that's what I did with all the scripts from that page before: I can copy-paste the hash, so the checksum of that script, putting it at the end of that list, approving, and in this situation my script will be executed because it was trusted by using the hash.
C
So that's a bit all for the demonstration of why it's useful. Now, the main issue we have is that we cannot put such things with a hash for every script we have in a page. In Jenkins, we can have between 10 and 20 scripts that need to be approved inside a single page. So imagine if you are adding this kind of thing to every request response you are sending. That's just a network cost in terms of load for the request size.
C
So it's just an inline script from the code directly that should be safe, but in this situation we have something like a variable, myVariable, because I'm lacking creativity at this point, and I'm adding something like this in JavaScript, and that's something we are seeing often in Jenkins, inline scripts in general. So that's something that is a bit dangerous, I will say. That part will be injected inside the script and then the code will be executed.
C
That one, and you can see inside the script you have myVariable with the payload. That payload could be something like the name of the job. It could be the name of the user or something that is fixed. If it's fixed, that's perfectly fine, that's safe, but if it's not fixed, it's potentially user-entered.
C
It means that if the user is providing a single quote inside their stuff... because you have seen the alert 123 was not executed, but in this situation I'm just disabling CSP to ease the stuff. I'm putting alert one two three, I'm executing that page. There is nothing that will happen in terms of script because it will be contained inside the single script, inside the single quote.
C
So that's why we cannot really rely on hashes, because if we are generating the hash directly during the generation of the page, that full script will be approved and that's something we don't want to trust, because there was a variable inclusion. That variable could contain some issue, and so we don't want to inject such things.
C
I'm just checking the chat to see the point, yeah. Thank you for the question, Mr. Wick. There is something important to understand. The regular XSS protections you can see in the different browsers are most of the time not working. It's sometimes just against the reflected XSS that you can have in the page. For example, if I'm putting a payload here, payload, payload equals alert or stuff like this, that part sometimes is not reflected on the webpage directly thanks to the browser technology. But honestly, it's not something you can trust.
C
This is pretty good. It will work. It will reduce the size of the request because you are putting the nonce only once in the response and once per script, not a big deal. The main issue is, as for the hash, in this situation, if I'm putting the hash... I don't remember exactly the attribute name, but the attribute for the nonce, and I'm putting one two three or the random thing that is generated, so something like this. That information will just ensure that the browser again will trust everything that is inside the script.
C
If there is a variable injected, it will be trusted and so breaking the usage, the protection that CSP is providing. So are we blocked? There is no other possibility? Of course there is one. Otherwise it would not be a topic we are discussing. In a sense it's about the origins, so the idea there, instead of checking the script content, we are just checking where the script is coming from.
C
In this situation, it's coming from the page, so inline. We want to untrust all the inline scripts. What we want to see is only things that are coming from outside of the page but inside the web application, meaning that it is downloaded from localhost:8080/ some JavaScript file, so that we know it's a fixed file. We have blocked a way to inject JavaScript.
C
At this point, or at least I will say, to be transparent with you, with that kind of approach we will reduce by 94 to 95 percent the number of XSS we will see in the future. It's not a hundred percent protection, because if you are trusting something that should not be trusted, it's still possible to bypass the CSP, in essence, but that's pretty rare, I will say. In four years working in the Jenkins security area, I have seen only two XSS like this and they were very particular. So with the origin...
C
What we can restrict is to say we want a separate file coming from localhost or jenkins.io, things like this, or if you have some issue like with a Google script that you are retrieving from Google, you can just add Google inside the allow list so that you accept this kind of script inside your page. That should be the idea. So how do we achieve that? Because that's where the topic is starting, in a sense.
C
What I did until now is just the context to show you what we expect to do, and now is to put that in place. If I'm saying to Jenkins that all the JavaScript should come only from the localhost, it will break everything in Jenkins, or not everything, but most of the things you can see. I can just check quickly, if my IntelliJ is responding, just the number of scripts we have inline in Jenkins core, and that will apply the same to the rest of the ecosystem.
C
You can see that one, and that will be a very good example. You will see why in two minutes. That script is just something that will be forbidden with the new approach, so we have to do something to prevent this from being forbidden, because it's a trusted script. It needs to be trusted. So that's what the topic is for, in a sense. You can see inside the document.
C
I showed multiple examples of previous tasks I did in the topic. It is mainly: we are taking one script and we are un-inlining it, meaning we are removing the script tag, but we are putting it in a separate file. With that approach, we are preventing the variable from being injected and, indirectly, all the XSS from being exploited in Jenkins. That's a bit the idea. You can see some with the level of difficulty.
C
Yeah, initialization, just that one that is put inside the script that is used to prevent all the inline scripts from being needed, required in the page. I will give you a live example of what we can do for this Hacktoberfest topic. It will be very easy. You will see, five minutes to provide a pull request, of course five minutes because I know which one I want to do, what I need to do.
C
That's running, so leaving that one aside and moving to another one. So from that list of newbie-friendly issues that you can find using... where is the... I think it's that query. You can find that query as well here, the Jira newcomer-friendly issues. It's this request, it's what is inside a particular topic, so the CSP smooth transition. Smooth because we will not put the enforcement at the beginning. We prefer to have all the migration done before. Otherwise we will break the instance, not ideal.
C
I will say that could work in terms of security. If nothing is working, there is no vulnerability. So in the list there I'm just picking one randomly, because I know that one is pretty easy to do. You have the script, so you can know exactly what you have to do, and you have the difficulty, the skill requirement. So in this case very basic knowledge is required, and you will see it's pretty much zero knowledge. You have just a quick tip that I put in the ticket.
C
That will be enough most of the time, so the code we want to change is this one, and you have seen, it's exactly the one I showed you before, because that was the first one when I was looking for inlined scripts. So for this one we have here, and then a different project in IntelliJ, configure-entries from ListView. So that was what I showed you and we have the script we want to un-inline.
C
So the first step is for the developer to be sure to understand where that script is used, because if you are not sure, you will not know if what you are doing is correct or not. So in this case, so I think I need to log in... no, everything is working perfectly fine. So it's a ListView configure-entries.
C
Here we have that part of the code, so I can just add a breakpoint at this point and a second one there. I'm refreshing the page to be sure it's executed, because if I'm not able to reproduce it, I will not know if it's working or not with my correction. So you can see we are there, so I'm letting the thing move on and there is an onclick doing something. The onclick is on that "recurse in subfolders". I'm clicking there, you can see I'm there, re-clicking, I'm there.
C
That means that we can create a file inside ListView, so where that configure-entries is located. That's just the simplest way. There are a lot of other possibilities. I can add a JavaScript file or the CSS or both, if you want. Now the very interesting skill that is required: copy-paste and you're done. That's the main requirement in terms of JavaScript you have to do, of course. Now you can really remove completely the script there and you ensure the ListView, configure-entries, configure-entries-resource.js, that's fine!
C
I just search again for the recurse and you will see it's coming from the configure-entries-resource.js. That one contains only that part. Just adding a breakpoint there, breaking there, refreshing the page, oh, where is it, so it means that my JavaScript is included and it's working, or it seems to work, so just to ensure, clicking here. It's still working, okay, perfect. So what I did is...
C
Finally, it's finished in terms of code, so the next step is easy: creating a new branch with the number of the ticket, pushing the commit to your fork, and then you have the pull request ready. So that one was perhaps the easiest one you have to do. There are some other examples. What I showed you before with this example: what are you doing if there is a variable?
C
That's where there is a bit of magic you have to use, because there are a lot of variables inside Jenkins. If there was a variable, for example, that one was a variable, so a variable coming from Java, for example. Actually I don't think it was a good idea to put it there, just adding a variable here, so a variable like before, adding some code. That one is potentially dangerous, and that one something that was injected in the page before. We are in a static file; in the static file there is no injection of Java variables possible.
C
So what we have to do is to change that variable injection to put it somewhere. Here, for example, we are looking for a recurse ID, so we can look for the recurse ID. It's that one. We can add some attribute there, so that, what is the name of the variable, so just variable-from-java or anything you want, and you are adding the variable here.
C
Perhaps it's not exactly that wording and we are able to replace the code with that simple approach for these things and, of course, removing that one, because even with the comment, it could be possible to inject the stuff. With this approach, the variable will receive the value that is put inside the value of the attribute.
C
Just for your information, that type of injection is explained as well inside "how to pass values to JavaScript". That's inside the XSS prevention in Jelly views. You can see here the stuff, for example, that one was exactly the example I showed you before. That page is linked from the Google doc. Just in case, we are explaining all the double... the double quote is working to escape the context and the good way to solve.
C
The issue is mainly to create the data attribute, putting the value inside and then retrieving the value from the page, from the HTML tags. That should be the idea there, to resolve the problem and to be able to have that script un-inlined and so allowing us in the future, when the situation is good enough, to enable CSP and to enforce it for all the pages in Jenkins. That's a bit all for my topic. If you have any question, feel free.
A
C
Yeah, that's a very good point, so there is no scope, in the sense that if the div is present in your page, it will be reachable by your JavaScript code, in the sense that if you have something like this, you retrieve the element from the page, so the target div, and then you get the attribute. That code could be outside, so in a separate file. It could be completely far from the div, in a completely different event, all this kind of thing. Now in terms of conflict, you can use something more specific.
C
I will say it's just the cell that contains the ID of the job, for example, and you have that multiple times in your page, and you want here class "delete-button", click here to delete the job. What you will do is that you will put a Behaviour specification on the delete button, so inside Behaviour.specify here, you will put just delete-button and the e at that point will be that td.
C
So just another question I got from the chat: do you protect against other types of XSS? So if you have a reflected XSS, so the payload is coming from the URL directly, you will not be able to inject that part in the code because it will be forbidden by the CSP. That's a bit the beauty of the thing there. Again, stored XSS, it will be the same. Instead of coming from the request...
C
It will still come from Java, because the request value is coming from Java as well, and that will be prevented by the same thing there, that this part cannot be used as an XSS injector part, in an injector location. And concerning the last part of the question about the DOM XSS: it's not something that is very useful to protect against, because most of the time it's just some false positives from scanners. We are more concerned about stored and reflected XSS in general. And concerning the checksum, you can use all the SHA checksums.
C
I think it's a SHA-256 and I can just give you the full doc there. In terms of SHA, it's only the recent SHA.
C
But no SHA-1, no MD5. I don't remember exactly where it is, but there is a link here explaining the stuff in particular. What about other types of vulnerability? Of course, there is no silver bullet for security. You have to be very careful about the rest, meaning CSRF, XXE. We are providing some kind of protection, but it's only for XSS that we can use CSP. It's the one that is the most global, proactive protection we can put in place, for CSP. For CSRF, for example...
A
Well, so, could you give me a summary again? It sounds like what I need to do to improve is I un-inline the JavaScript and, using that un-inlined JavaScript, then that already is enough, or is there some additional change I need to make to the source file? It seemed like all you did was un-inline the JavaScript.
C
Exactly. For this topic for Hacktoberfest, that's the main goal, because there are a lot of things like this to do before being able to enforce CSP at the global level. We could enforce CSP for some specific parts, for example inside, if I'm going to the correct one, inside the user content. So it's something that is proposed, or of course not like this, user content, to browse this kind of thing, inside, for example, the README.
C
Perhaps not that one? I need to enable it, or I don't remember exactly, but there are some parts that are already protected, because we know there is no plugin that could interact with the content. It's a fixed content or coming from the user only, and we are restricting completely all the scripts, but it's fairly specific to part of the code. So it's not everywhere.
C
B
Yeah, there was another question in the chat, and this is also a question for me. One thing is to move the old code and replace these texts, but it would be helpful if the developers would be aware of the problem. So I never knew that we should not use an inline script, and you showed a little bit on the wiki, on the Jenkins homepage. Is the document you have shown in Word available on the developer handbook as well?
C
It's not in the handbook directly, it's... oh actually, yes. I'm not sure exactly of the structure. There are some things that need to be improved during Hacktoberfest on the developer documentation, but you can see it, it's inside Security, and if you're clicking on Security, you see multiple things and I'm not sure exactly where, yeah, you have the guide at the end.
C
So it's not the easiest page to look for, in a sense, but the important point is that we are using this kind of documentation to show the people, when there was a vulnerability in a plugin, how to solve it. Now, if it's something that is discovered more easily by people before putting in the vulnerability, it could be a lot easier for us to manage at scale. So that's a very important point. Thank you for reaching out, for highlighting that there is some improvement we have to do on the documentation.
C
For example, all the contributors should have read all the security part before writing a plugin, because we are seeing on the hosting requests some plugins that are broken by default, by architecture, and as a vulnerability researcher, when we are finding something like this, we are just like, okay, that plugin will just be blacklisted, because we cannot do anything with it. So that's the kind of thing we would like to prevent. That's why we are writing some documentation.
B
C
We are putting our own custom rules inside to detect, like, CSRF, XSS, and things like this, and honestly XSS is the most painful one to detect, but just detecting inline scripts could be a nice way to improve also the potential issue for the developer. So that's a very good point. I will just note that and inform the other people, but the point...
C
A
Any other question? So there was a question from Mr. Wick on how do you do security while developing the code, and you mentioned CodeQL, so I would like to spend just a minute talking about CodeQL, if you'd be willing, because I've benefited from CodeQL.
C
So I will not disclose all the things that will be published in the future. I will just give you insight about, perhaps, Jenkins security CodeQL.
C
The idea with CodeQL is to catch some of the behaviors, some of the patterns. It will not provide you a hundred percent protection or a hundred percent detection of XSS. It's really what we have written ourselves in terms of rules, and all the rules are not perfect. There are a lot of false positives, because we cannot do everything. For example, with the method I showed you before, doCheck-something, doCheckYourChoice, it's a method that is an endpoint because of the "do", so it's something that anyone can call on your webpage.
C
With that information, we know that it's a potentially dangerous thing and what we are checking is, for example, is there a POST-required, @RequirePOST annotation? If there is none, we are checking the content. Is the method doing something that is potentially dangerous? In this case error or ok, with a check here, we are checking internally here what the thing is. There is nothing dangerous, because it's just about looking at the string and things like that; there is no call to a URL.
C
We are sending to the administrator, meaning in this case the maintainer of the plugin, some warnings. I will not show you the different warnings, because that could be painful, to share with everyone some potential real vulnerabilities, but if you're a maintainer of a plugin, you will see such warnings with the possibility to say it's a false positive or no, it's a real vulnerability.
C
In such case, you are contacting the security team, opening a security ticket, all this kind of thing. The idea is that we are doing that in a beta phase mode at the moment. So you need to register to the program, but in the future it will be something by default for all the plugins and we are putting that in self-service mode for the maintainers so that they can manage their own security.
C
But the goal is still to have us, inside the Jenkins security team, coordinate the release, because if you're correcting something in your plugin and delivering it right now, it will not be announced in a security advisory. It will not receive any warnings about security, and so the users will not know they have to update. So that could be painful for everyone. So the goal is really to inform the people.
C
So it's mainly, all this kind of static analyzer will provide us: oh, you are using a bad algorithm for crypto, and that's all. For example, if you're using MD5, SHA-1 or 3DES, they will just put you a warning and that's all. There is not a lot of other intelligence that we can use from them. That's why we have to write our own rules.
C
That's a bit already! Of course, if you want to improve your security skills, you can use some other tool. For example, what was the name of this thing, SpotBugs has a specific security plugin to help you also with some of the things, but it's still not perfect.
C
CodeQL will not improve the perfection. In order to secure your code as an engineer, as a developer, you have to learn a lot of different vulnerabilities and how to prevent them. There is no silver bullet for this at the moment, and I will say hopefully, fortunately for us security engineers, to keep a job, in a sense.
C
There is still a manual part there and we are working very hard to make such static analysis more and more accurate, because there is a lot of noise most of the time. Oh, there is an injection of a variable, yeah, but if the variable is fixed or not coming from the user, it's not an XSS. So there are a lot of false positives and there is a lot of effort to reduce this kind of noise for the developers. At the end, I think I'm talking too much, taking too much time from...
A
My topic, actually. So, so one of the things, now our CodeQL, and if CodeQL is enabled for a plugin, for instance for my plugin, I maintain the git plugin, it is enabled. When they submit a pull request, will they see if they have injected something that CodeQL would complain about, or is that something that only I, as the maintainer, get to see?
C
I don't want to promise you that right now, because I'm not sure it was done already at the pull request level. It was done more in a global status for all the repositories, and I will say we already got hundreds of false positives. So if we are including pull requests at the moment, that could be just too painful for us, but totally right. We will be looking at the pull requests and, ideally, in the long run, because shifting left to the pull request is not enough...
C
We would like to have that also in the IntelliJ, Eclipse, NetBeans integration, directly when you are writing your code, for example, all the inspections directly from IntelliJ, like this thing, or there is a deprecated constructor used. Ideally, we would like to have: oh, there is a CSRF vulnerability there, be careful, or this kind of thing, but I will not promise you any estimated time of availability for this. If I need to guess, it will be like minimum two years.
A
Thank you, thanks very much, Wadeck. So I think Mr. Wick's comment fits with what you were saying. He was asking, could we consider a linter that could focus on security and provide opinions while writing code, and your description of an IDE integration, it seems like exactly that, right? And I know Find Security Bugs has been helpful for some users in the SpotBugs static analysis world. So there are definitely tools available that can help us.
C
So there is some linter that will just say: hey, you are using MD5, it's not secure, use something else, for example SHA-256 or this kind of thing, but there is no more intelligence there. As I said before, they are not looking at the script you are doing. They are not looking at all the variable flow and this kind of thing.
C
A
Thank you, Wadeck. Thank you very much. I don't see any other questions. Are you okay if we switch? Yep, perfect, all right. So let's go to the next topic. Then the next topic is modernizing plugins. So we've talked so far about how to do UI improvements. We've talked about how to do security improvements.
A
We've talked about documentation improvements. Let's now talk about specific code and I'm going to share my screen. Let's take a look at it. So again, I'm going to follow Wadeck's pattern and just share my screen and not presenting mode. So there is an element of effort that we need to do in code to modernize Jenkins plugins.
A
So first step is find a plugin you'd like to modernize, and the ones that I would recommend choosing are from the adopt-a-plugin list. Now what's adopt-a-plugin? Well, the Jenkins project, as a long-lived open source project, has plugins where the original author has said, I don't have time or capacity any longer to maintain it. I want to offer that this plugin could be adopted by others, and they will mark it with a special tag, "adopt this plugin", and then it will appear in this list.
A
Most plugins that are up for adoption have not been modernized, because their developer got busy and was unable to do modernization on it. So choosing one of these is a good choice. It also gives you a chance to find something that's interesting to you. Maybe, for instance, you're interested in how you work with config files, so Config File Provider.
A
And then we start the series of modernization steps, and there are many, many modernization steps you can take. Update the parent pom, that's one. Update the base Jenkins version, that's another. Update the SCM URL, that's another one. Automate dependency checks, yet another one. Enable incremental builds, and there are many more just like this. Those three dots are real; they mean it. There are a lot of different steps, and you could do any one or two or three of these and have added real value to a Jenkins plugin.
A
There's a document that I started, thanks to DevOps World, that has the list of these different kinds of improvements that I intend to put into a tutorial on jenkins.io. So here in this "improve the plugin" section, you can see "update the parent pom". Oh, let's see, let's make this readable. Sorry, there we go, that's better! My eyes can see it now. Update the parent pom, review
A
how Jenkins build status worked. There's one missing here actually, which is that some of them even need you to add a Jenkinsfile so that we can build them on our CI server. Update the base Jenkins version, enable additional SpotBugs checks, update the SCM URL, automate dependency updates, enable incrementals, and more. These things, and you're welcome to use this document; it's available.
A
Oh, absolutely, so here is the link. Stock asked about this link. Let's paste that into the chat. There's the link to that document, and this is a workbook that I created, and others are welcome to offer suggestions and additional things. What this does is try to describe all the ways that you can do these changes, and it gives a little bit of introduction.
A
It provides some text: hey, do this, do this. And then I intend to put this as a tutorial on cida or on www.jenkins.io, so that people can see and adopt this plugin tutorial. All right, improving the plugin is a good thing to do. Even if you ultimately don't decide to adopt the plugin, it's really good to improve it, no matter what.
A
So now I am happy to show how to do this live, if that helps people. Wadeck and Uli would... okay, Dhiraj is shaking his head up and down, which I think means it's okay if I show the demonstration. Okay, great, so let's do it. For me it's a useful thing to realize: hey, this is something we can do. So I've done the initial steps already. Let's go pick my plugin, the one I was using before. You remember the Schedule Build plugin, right?
A
We can create a git branch, then we're going to run one Maven command: mvn -ntp versions:update-parent. That's a pretty simple command. If I do this, that already, with this particular plugin, gives me the capability to develop with Java 11, whereas without doing this I'm stuck on Java 8 for this plugin. So with one single step I have improved things for the developer: they're not locked into Java 8 anymore. They could use Java 11 to do development. So let's go do it.
A
Oops, oops, I forgot. I based my branch on the wrong thing. So let's base it on upstream, on origin/master. Okay, so here we go, I've got it! And now, if I look at the pom.xml file, you can see here the parent pom version number is 3.50. Okay, so I'm going to compile, okay, and I confess I like my Emacs, so I'm going to compile in Emacs. All right, so I'm going to do this step here: mvn -ntp versions:update-parent.
A
Notice that it was 3.50 before and now it is 4.27. It was that easy, okay. Now I owe it to myself to compile that code to be sure that it still works, right, because it would be really bad if I proposed a change that I hadn't checked. So clean verify, and what this is going to do is compile the plugin, run all of its tests and tell me the result. Now, while it's doing that, compiling and running all of its tests, we can go.
A
All right, so "update parent pom from 3.50".
A
Now, I admit it, I'm trying to communicate to the developer that this is why I did this change. Now I'm also going to tell them "do not merge, this is a demo," all right, because I don't want them to jump in and say, "Oh yes, it's time to merge this." All right, so I've committed that. Now, that's only locally on my system, so now I need to push it.
A
Okay, I just helped that developer with that little bit of work to be able to build with Java 11, in addition to building with Java 8, because I updated their parent pom and offered that update to them. This is a pretty easy change for them to decide if they want to accept it, and it's a reasonable way for them to see that I'm interested in maintaining the plugin. Now we're going to do more. We're going to follow on to this, because there's more that we can do, so before we go too far...
A
Built correctly, and so I can search for schedule-build, and there it is. Did you see that drop-down, schedule build? So I click that. Oops, bug, bug: schedule build, and I have to choose the second one, and that's just a bug. All right, so here's the pull request tab. It shows my pull request being evaluated, and there it is, running now.
A
If you're like me and you prefer the visual view rather than the console output view, I tend to click either the pipeline graph, like this, or I tend to look at Blue Ocean, like this, so that I can see what's happening. The Linux checkout is complete. It's building on Linux now. ci.jenkins.io is also building on Windows, and I didn't do any Windows work as part of this change, so that's a nice check. I don't have to run the tests myself on Windows.
A
It'll do them for me, so by all means check that ci.jenkins.io is okay. Now, the next step is that the Jenkins base version in many plugins is a much older Jenkins base version, and that makes development a little more challenging for the maintainer, because when they run certain commands they get an old Jenkins version. It also may mislead users into thinking that, oh, I could run this on ancient Jenkins versions and everything is just wonderful. Well, while that may be true, it can be much better if we just follow the documentation.
A
And back to the guidelines here, all I'm going to do is add an entry in the properties section of the pom that says, that's my Jenkins version. Some plugins already have that; you'd have to update the value. Others, like this one, do not. So let's look at the pom, and now if we look for properties, there's the line, and I need to insert that there. Now, this one I am basing on the earlier change, because I don't know that the original, the old 3.50 parent, even understands this.
A
We want to be sure it compiles. While it's compiling, let's look at the next stop on our set of improvements that we can make. So we said update the Jenkins version. Well, there's another piece, which is update the software configuration management URL in the pom. What's relevant there is that GitHub has announced that they are deprecating unauthenticated, unsecured protocols to get repositories.
A
"Require Jenkins 2.289.1 as minimum version," and again, in the spirit of trying to share with the maintainer why we're doing it: Jenkins 2.289.1 is a recent LTS and is more actively tested and supported by users.
A
So what we have here is this "git://" is a problem. That's that unauthenticated protocol thing. So I'm going to change that as well. These types of changes help the maintainer, and they're low risk for you and low risk for the maintainer to accept. Now this one, I know I don't even have to compile with it, because it's purely used for other tools that want to find the source code of this system, so I'm just going to make the change, commit it, and use https instead.
A
And now, if we go check our Jenkins build, okay, the first one worked. This was the first build of that pull request. When I click that arrow it takes me to the second one. The second one is running now, so it's running checks on my changes, and this is my most recent one: "Jenkins 2.289.1 is a minimum version." If we watch, we'll see here's the third one, it's running as well, and I think we'll even see the changes there. Yep, so ci.jenkins.io lets me watch the progress of my changes.
A
This one: enable more SpotBugs checks. Okay, SpotBugs is a static analysis system. SpotBugs can help maintainers identify problems without requiring that they know all the details. SpotBugs static analysis helps me a bunch, because it warns me about mistakes that I make that it knows are dangerous things, and SpotBugs is already being executed. Naturally, however, its settings are not this high of a level, so this "Max" and "fail on error" and setting a "Low" threshold.
A
So Roonesh's question is: she agrees that having old versions mentioned as the minimum version is misleading, but isn't having only the newer version also leading users to think they have to upgrade? Yes, it is leading users to think they have to upgrade, and I actually like that behavior. That is precisely a behavior I want, because it's a terrible experience for me as a plugin maintainer to get a bug report from a user that says, "On this year-old long-term support release I have this bug," and I try it and I can't duplicate it.
A
I can't duplicate it because I work on the current release, and the Jenkins community doesn't support that year-old version, so they are doing themselves a disservice by not upgrading. So there really is a notion, and it's an intentional notion, of: I am trying to motivate and inspire them that if they want my new features, they need to get a new version of Jenkins that's current. So I think it's actually healthy, Roonesh, to have them...
A
Have us set the Jenkins version to the recommended value, because it motivates more and more people to upgrade. Ever since we've been doing this, we've seen a dramatic improvement in the Jenkins primary versions that are being run. It used to be, three and four years ago, that the distribution was pretty much even across versions for two and three years back. Now, thankfully, when I deploy a new version of a plugin, there are some seventy or eighty thousand installations that get it immediately and can use it.
A
This one is really kind of elegant, because Jenkins plugins depend on external libraries. In the example that we have here, this one's a pretty simple one; it doesn't depend on particularly many libraries. But if we were to look at a slightly different plugin, like maybe the git client plugin or the git plugin, its pom.xml file is filled with dependencies on various things, like genesis, like Apache HttpComponents, like the SSH Credentials plugin, and it can be a real pain to maintain those dependencies.
A
If we use this Dependabot technique, it will maintain the dependencies. It will propose pull requests to update the dependencies automatically, and so, again, this is helping the maintainer by giving them immediate feedback on dependency updates. So this one we could do even without any pom update. So I'm going to give myself a new branch, and we're going to do this again.
A
And now what we've got is... and here we have to find out who the maintainers are. For right now I'm going to put me; I don't intend to be a maintainer on this plugin. And I'm going to switch the interval. I had good advice from Daniel Beck that we maybe want to switch the interval to monthly rather than weekly.
C
We should not get pull requests too often. I have a test plugin that I use to demonstrate some vulnerability, and I think currently it's on about a weekly schedule, and I'm receiving pull requests from the bot about every week because there are some plugin pom updates, but I don't care at all about that plugin, so I'm hesitating to just disable the bot for it. But for a real plugin it's very useful to get all the updates for the different libraries that normally you do not care too much about.
C
You are not checking the Maven status yourself every time, so it's pretty useful, and I will say, in terms of security, if everyone was using the Dependabot bot in the ecosystem, that could just improve our situation. For example, Guava: there are a lot of CVEs in the old version of Guava that is still used in Jenkins core. If it had been updated over time, every time it was updated, and soon-ish really updated, that would have helped the process a lot there. Now it's more like we have 20 major versions to bump.
B
I'm using it regularly, and I'm using the weekly schedule, and it's really helpful to get all the new versions of the libraries. I can't look on the internet for every library. So now it's automated; that's really fine. And what's also very helpful is that you get a pull request for free, with which you see if everything still works. So some library upgrades change things and sometimes tests break, and you see it immediately if a library update breaks something, and then you can fix it, etc.
B
It's really helpful for me. I'm using Dependabot also for my JavaScript libraries, not only for the Jenkins core libraries, and that's helpful here as well. For instance, if Bootstrap releases a new version, I automatically get the pull request and then I can prepare a companion Jenkins plugin update.
A
I like that, and thank you for mentioning the JavaScript. I have to acknowledge that I use it to update Docker image versions, right, so when a Docker base image upgrades for me, so Debian, for instance, or CentOS or UBI, I get pull requests now on my plugin that relies on Docker images, telling me that that Docker base image version has updated. Yeah, Dependabot, at least for me, has been a great experience.
A
All right, so let's submit this pull request. See, where is it? Where's my... no, no, no. I know I've got that repository. Here we go, this one, so we're going to submit another pull request, and again this one's "automate dependency update PRs", and notice that GitHub kindly filled everything in for me. I have to complete the check boxes.
A
Oh, where are we? Here we go: enabling incremental builds, okay. This is a convenience for those of us who use and test development builds. Jenkins has the ability to allow developers to publish an incremental build that others can use and consume, and by doing this incremental build others can use your build and test your build and help you with the testing.
A
From ci.jenkins.io. The reason I like this so much is: I maintain my Jenkins configuration as code. One of the things I maintain as code is the list of plugins and their exact versions. Because I do that, I can put one of these incremental builds right in there, and trivially I've got that incremental build in my test environment.
A
And we git push, and now we'll see that it's going to start evaluating it yet again. Okay, so here's that same pull request. Now, if we go forward, this one finished, skipping the... let's see, and now, let's... I suspect it hasn't started yet. There we go, "update parent pom". No, oh, yes! This is it, so this one is now running, and off we go. It's going to start the evaluation process.
A
Others who run natively on macOS or on Linux can just use the terminal emulator that's there. In my case, the terminal emulator on Windows is just not good enough, but MobaXterm is really great. A little French company maintains it; they do wonderful work.
A
I think what I propose that we do now is: let's look at switching from where we're at now into, what would we call it, a session that will allow us to interact with each other more readily and work together on questions. We've got about seven people in the session.
A
It may be enough that we just gather together as the group of us in a Zoom meeting that I'll post the link for, and I'll start it here in just a moment, and we can get together in that Zoom meeting to help with your specific questions. If you don't have specific questions, that's okay; you're welcome to join and just listen in. So let's have everybody... I'm going to have you join. Let's see, how do we do this? How do I communicate it?
A
Oh, I know, I'm going to create the Zoom meeting and I'm going to communicate it in the chat. You've got to copy that URL from the chat window, because when I start the Zoom meeting it will end our webinar, so be ready. I'm going to paste a Zoom link in the chat in just a moment, and I'm going to stop sharing my screen so that you can see my face.
A
It'll be just a minute here. Okay, so now I'm going to host a meeting with video on, okay. Oh no! I can't do that. Oh, my mistake. Oh, I rescued us; I would have just knocked us all out. Let's try this again; Mark's still learning how to use Zoom. I'm going to schedule a meeting and working session for the contributor summit.
B
Maybe you can put the link in the hackathon Gitter channel as well.
A
That's right, as well, yeah. There's a risk that we may get spammed if I do that. We've had that when we post public Zoom meeting links, but at this hour of the morning it may be okay, I'm not sure. So, shall we risk it? I mean, if it goes badly and somebody joins us and is spamming us, we'll know. Let's see, so actually, I know what I can do to reduce the risk there.
A
I'm going to change this definition so that we'll use the waiting room and you'll have to be granted permission to come in.