Jenkins User Experience Special Interest Group, 2 Oct 2021

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: 2021 10 02 Jenkins Contributor Summit / Hacktoberfest in Jenkins

Description

Hacktoberfest launch as part I of the Jenkins Contributor Summit October 2, 2021. Includes guidance and examples for new contributors to assist with

* User experience improvements
* Plugin documentation migration to GitHub
* Content Security Policy improvements for core and plugins
* Plugin modernization

00:00 Introduction
05:29 Welcome to Hacktoberfest
15:06 User experience improvements
38:50 Migrating plugin documentation to GitHub
56:09 Implementing Content Security Policy
1:50:33 Modernizing plugins
2:28:30 End of the session

Meetup page: https://www.meetup.com/Jenkins-online-meetup/events/281083403/

A

Welcome everyone. This is uh jenkins online meetup and the jenkins contributor summit, it's october, 2nd 2021, and it's depending on what part of the world you're in it's midday saturday in india. It's early morning, saturday in europe or it's the middle of the night saturday in the united states, where I am thanks, everybody for being here, I'm going to go ahead and share my screen and let's, let's get started.

A

Let's see this one there we go all right, so everyone, what you should see is slides, perfect welcome to hacktoberfest 2021. uh These slides are archived at this location. Bitly jenkins dash hacktoberfest 2021, so you can go find them later. If you need to you know what I should probably paste the link to those slides into the chat. Let's do that.

A

No, I can't in presenter mode sorry I'll have to have somebody else to help me with that. Welcome everyone. Let's get going so we've got three presenters today: uh uli hoffner, uh vadik fallonier and me I'm mark waite uli comes to us from the technical universe, technical university of munich ule. Could you clarify for me technical? I I never get the title quite right, go ahead and introduce yourself for it.

A

B

It's a university of applied sciences, it's called of in germany in munich here in bavaria, and I'm teaching about software engineering, where I'm always using jenkins to show continuous integration and yeah. I'm also a long-time jenkins committer. I think it's now 15 years that I'm committing to jenkins. I started with the findbox plugin and now I'm author of the warnings plug in the git forensics plugin and the plugin I'm talking about today is the code coverage api plugin, which I am now a co-maintainer.

A

Thanks very much julie, that's wonderful, we're so grateful for your contributions and so glad for what you do with your students at the university vadik fallonia is here with us. Vanick um comes to us from the jenkins security team. Could you give us a brief introduction? Vadak.

C

Yeah sure I'm located in switzerland, I'm working especially in the jenkins security area, meaning correcting finding vulnerabilities and coordinating all the release of the security correction. That's a bit the tough part with the community. We have to care about all the things to be uh done at the same time to prevent any disclosure- and things like this and during my regular vulnerability finding research, I'm discovering some bugs that I'm correcting at the same time, that's a bit advised.

A

There thank you and I'm mark waite, I'm the jenkins documentation officer and I maintain the jenkins git plugin and try to help the community as well. We've also got one or two additional helpers with us today. um We've got dhiraj singh jodha, who is is has joined us and he'll be assisting as a moderator.

A

Looking for your questions, so if you have questions and one and the presenter happens to miss those questions, we'll rely on dhiraj to help us with that dhiraj. Thanks very much for being here. We sure appreciate your help and we we hope to have one other, but that that moderator may arrive a little bit later. So thanks everyone for being here.

A

So today we're going to talk about jenkins and hacktoberfest. A contributor summit for jenkins is a chance for people to get together to work together. We usually start the contributor summit with a presentation segment, and today's presentation segment will focus on three or four different ways that you can contribute to hacktoberfest in jenkins.

A

Then, after that we will switch from this zoom webinar format to a zoom meeting format. You'll need to join a new zoom meeting and we're going to do breakout rooms there and we'll allow vodick to have his breakout room I'll, have my breakout room and if ooly's willing, he'll have his, and each of us will try to answer questions for you and I believe, dhiraj has agreed, he's willing to run a breakout room as well.

A

We'll use those breakout rooms thanks dhiraj we'll use those breakout rooms as a way to let you interact and ask questions about your specific challenges or things that may be getting in your um in your in your way as you try to contribute.

A

D

A

D

Exciting thanks all right.

A

So for today's introductions or today's agenda I'll do the welcome and then uli is going to talk about improving the user experience I'll, do a segment on migrating plug-in documentation to github vodick, we'll talk about implementing content security policy, I'll talk about modernizing plug-ins, and then we will switch at that point.

A

We're happy to answer questions during the session. Please feel free to use the q a facility to do it. You're also welcome to comment in chat. If that will help you, we would love to have your interaction, we're interested in helping you be successful, contributing to jenkins during hacktoberfest.

A

So welcome to hacktoberfest 2021 we're very grateful to digitalocean for their sponsorship and to intel app right and deep source for the funding and sponsorship that they've provided to make it successful.

A

We've done hacktoberfest for many many years in the jenkins project and have thoroughly enjoyed our interactions with community members and the way we learn together how to contribute to open source looking forward to it again this year. So as a reminder, everyone can contribute to oktoberfest. You don't have to be a programmer. You don't have to be some guru expert. You just need willingness and interest and we'll help you through it. There are online events highlighted at the digital ocean site and sometimes even in covet 19. There are people who run local events now.

A

Their recommendation right now is please, let's stay mostly virtual, like this session, so contributing to jenkins in general, looks like this. You could open the jenkins.io website for the hacktoberfest page, it's under the events menu and there you can see some of the featured projects that are available and there truly are hundreds of open issues that have been identified, specifically as good. First time, issues or issues that are well suited to a new contributor, so jenkins, dot, io, slash event.

A

Slash hacktoberfest will give you insights into ways that you can help and just for clarity, any pull request, counts towards hacktoberfest and counts towards well, can count towards hack hacktoberfest and helps the project. So if you want to do code great, if you want to do documentation great as well, we manage our blog posts and our artwork through pull requests. So if you are a graphic designer and would like to do a new jenkins logo, we've got the place for you to do it and you can do it as part of hacktoberfest.

A

Now, on this slide, there's a link here contributing to jenkins. It is all about you that takes you to a separate slide deck that goes more into detail on this.

A

So where should you contribute well, user experience and uli is going to take us through a detailed tour and show a demonstration of things that he's prepared and places you could help very immediately with your javascript skills or with java and javascript skills in combination I'll show how you can contribute to user documentation and learn something about asciidoc vatek is going to show us how to contribute to content security policy. I believe that's predominantly java, as is plug-in modernization where it's maven and java, it's even easier for content security.

C

Doing my advertisement there, you just need to know a bit of javascript, really the bare minimum and the rest will be more easy. I will say.

A

Excellent, thank you. Okay, so vitex vitex point is well taken. I am not skilled in javascript. I actually find uli's work in javascript somewhat intimidating. It's such an amazing thing is that people can create user interfaces on a web page continues to amaze me thanks vladik.

A

We also have opportunities to improve terminology in jenkins. We've been using terminology that is uncomfortable and indelicate, and so, for instance, several years ago we switched from using the term master to describe the jenkins central central system to call it a controller and we've switched from using the term slave to using the term agent. But there are lots of places that need those translations I'll need that that change.

A

We can also contribute to translations, maybe you'd like to maybe you're a native speaker in french or or in japanese or chinese, and would be willing to help with translations. That would be great.

A

So where can you contribute? Each of these locations here gives us a link to issues that you might consider working on for hacktoberfest.

A

So if I click this hyperlink, it will take me to a table that is oh, let's go with this one table that is.

A

I've got to go off screen for just a minute. Hang on. I want to be sure I show you the exact right place. I thought I had that hyperlink correct. It is the following. I want friendly issues, because this is the thing that you need to see what it is. It's a nice little table that shows issues by component.

A

So what we've got here is these are friendly issues identified by the developers for various components: you'll notice core. That's the jenkins core, the the kernel of jenkins 70 issues, identified warnings, ng an analysis model, the git plugin.

A

If you're interested in subversion, here's the subversion plug-in you can help with if you're interested in user experience, improvements, warnings, ng analysis model. If you want to learn more about git, there's the get plug-in ready to go that that list of friendly issues is there to help you decide where you might like to contribute, and these are places where we can really use the help. So we look forward to your help there. Likewise, if you'd prefer to do see issues possibly on github, maybe you want to do something with documentation.

A

This one will take you to github issues that have been listed as good first issues, and there are plenty there for your help.

A

That's that's the caliber of things that we're looking for. We would love to have your help now. How do you get started sign into oktoberfest on their event website and join our getter channel? So our getter channel looks like this join up and have conversations with us we'll be delighted to have you there and then just start creating pull requests.

A

Now, when you create a pull request, you'll help. All of us if you'll put the word hacktoberfest in the pull request title and if you're a jenkins maintainer help us by labeling the pull request as hacktoberfest that way it qualifies for and marks it correctly, so that the hacktoberfest counting system will correctly detect it. So again, please be sure you put hacktoberfest in the title, if you didn't get it into the title, put it into the text of the of the poll request that you're submitting.

A

And now you may say hey, but what, if I want to find other ways to contribute? Well, the jenkins participate page jenkins, dot io slash participate, gives you lots of other ideas of waiters to participate.

A

Each of those read more buttons takes you to an entire page of places where you can help and inevitably you'll need to help by submitting pull requests that you can mark for hacktoberfest.

A

So we look forward to your contributions. We think they'll be great.

A

Now, if you need some more advanced places to contribute, there is the the jenkins zh. So the jenkins china repository for the localization to chinese there's the jenkins-infra repository where we do infra maintenance, so things like hosting our web servers and maintaining the plug-in site and all sorts of things like that are in jenkins. Infra. We're also happy if you contribute to upstream projects like apache, apache, maven or others like it.

A

We'd love to have all of them. Get your help as you feel interested so remember. The links are participate, hacktoberfest, the faq and contributing to jenkins.

A

Now uli we're going to switch to yours and I'm going to stop sharing my screen and let you share yours is that all right.

A

C

Just a quick comment, uh the question and answer panel is more for question. If you are just a discussion that you want to have with us with older people, just use the chat, it will be easier because otherwise, for the q, a we have to reply to the different questions separately. It's not the best tool for that. I will say thank you.

B

I think one moment: no, I can't move the window anymore. Let's start again.

B

B

So what I would like to show is the work that I've done in the last.

B

Couple of weeks with the code coverage api plugin- it already has had a nice view, but there were some details missing from these fuse, and so I tried to refactor this fuse so that these views look a little bit more prominent.

B

um What I'm sorry? What I'm missing from my introduction, I think I prepared two slides which are in your slide deck mark.

B

So I I'm wondering if we can start with these slides and then I make the presentation absolutely so. Would.

A

You like me to is it okay? If I share my screen, then.

B

Yes, just like this is just two slides uh just when I talked I noticed uh there is something missing. How.

A

B

This one yeah this and the next slide yeah. So what I wanted to start with is um jenkins uh is yes, I think it's almost 15 years now old and the user interface is quite old as well, because jenkins uses mostly static html. So this is very helpful. If we have plugins that want to extend the user interface, you can provide your own views.

B

That is quite easy, but the disadvantage is, of course the layout looks a little bit boring, let's say, or it's some kind of old school and the other modern javascript elements are not available there.

B

So we have in chance notice that we need to put some work on this and therefore we created a jenkins user experience group to improve the user interface, and what we want to do is some kind of step-by-step uh improvement. That means uh we want to make small things uh in every release of tanks and a big bang integration as blue ocean try to do so.

B

um The idea is that we start by improving uh the plugins it's step by step and then take one part that works well to the other plugins, so that everybody can have a nice user interface, and in this group we have some jenkins developers. But- and if someone of you is a ui engineer or a javascript uh professional, it would be really helpful because uh we have a lot of java developers, but not so many javascript developers.

B

So the meetings in our group are every four weeks you find it in the event calendar so welcome to join here. If you want to help, can you switch to the test and now about the background of my talk today, um the the code coverage plugin, as I already had mentioned, is some kind of old user interface, which I wanted to improve, and what I've done is um I'm not sure if anybody knows my warnings plugin, but in the warnings plugin.

B

I started to use a lot of modern javascripting frameworks to improve the user interface and the same frame box. I applied now for the code coverage api plugin so that we have now two different kind of plugins, which is basically the same kind of user interface.

B

So if you look at the warnings plugin and then you look at the code coverage plugin, it looks everything quite familiar. Of course there are different elements on it, but the user in experience is almost the same. I think so. I'm using bootstrap.

A

Sorry, oh sorry, julie, forgive the interruption, there's a question that I think this might be a good place to answer it. um Schlock mohanty asks is code coverage covered by using sonar cube. Maybe you could describe how code coverage operates at the user experience level and and how people- or I guess, maybe you'll- be demonstrating that so one way or the other I think you'll get there.

B

Yeah the code coverage, or, let's say the analysis, elements in jenkins are quite different from jenkins.

B

Sonar is kind of an additional server that takes your source code and processes. The files and creates code coverage creates static analysis and then renders, in the sonar, cube application.

B

What we try to do in jenkins is we we just hook into the build. You have a maven, build, for instance, where you produce your code coverage files or you produce your static analysis files, or you have a node built for javascript, where you produce as well code coverage, or you produce some warnings from aslint or something like that, and now the jenkins plug-ins take the results of the build and render it within jenkins. So you do not need another tool, so everything is included in your build for every build.

B

You get the same information that the build has. So this is the thing which is kind of different from tools like code cuff, which work afterwards or sonar cube, etc, and what I've done now is to introduce some different libraries. I already mentioned bootstrap, I'm also using fontaison awesome to provide some modern icons.

B

E charts to render the trend, charts and yes, data tables to show data tables like in excel you, you can see them in a web user interface as well, and I implemented the basic features now and there are still a lot of things that could be improved there and therefore I would like to show now in my demonstration, which kind of things are already there and where you can participate.

B

Okay, so now we are ready for my demo.

B

Let's go back here to my screen, so um the first thing when you start with the code coverage um the code coverage, let's switch to this tab when you create a build in jenkins, every build has some typical artifacts that are generated for each build. Now we have here the build number 38, and here we have some checkout from the git repository. You see. The latest commits from the repository and what I also included here is now a coverage report.

B

Where you see what is your line coverage and what is your branch coverage of this build? You also see in this information um the the references built. What we also now try to compute is for every build. We would not only want to compute the the total coverage for this build. We also want to see the increment. So did you change the coverage? Is it better? Is it worse? So here we have yeah, it's a little bit worse the coverage here, but yeah you see it's not really a big difference.

B

So this is the idea we have information for bills and information for deltas. That means from one build to the next build, and this is a screen which is a quite a basic screen where we see the build results and yeah.

B

I think it's more interesting to see uh how the code coverage looks for the single build and therefore you can click on this link, and then you will navigate to a detailed view and the detail view um looks uh or is split into.

B

I need to make it a little bit bigger.

B

So now we have, um the screen is already prepared for different screen resolutions. That means we have a different components on the screen that rendered differently on your ipad or on your big screen and now you've. Seen. If I make the screen a little bit smaller, then some suddenly the screen is too small. Then yeah.

B

You can show different ui elements, and this is one thing I started, but this is not really finished, so I think, if you're on the ipad or even if you're on your phone, um you you need some different screen because uh on your phone, you are maybe not interest on the overview or you may not be interested on the details here and in the bottom level.

B

So yeah here is a lot of possibilities where you can help take your phone and make a screen just for your phone or take your a tablet and make a screen for your template.

B

um So this is one thing where you can help to improve the the detail. View consists of four parts, so we have the trend chart. We have the overview.

B

We have a kind of package overview where you see for all your files, the code coverage, and you have some, let's say a table where you see the the details for your table for your files. That means you see the package where your code is placed the file names, and then you have some elements that show the line coverage and one thing which works. But it's not perfect is now you have a horizontal scrolling, for instance, that means what one can do is to improve the number of columns.

B

According to your screen resolution, this is possible with the libraries I'm using, but I did not find the time yet to do it. So this is would be one part to improve the table, so I make it a little bit bigger. So if you make the table bigger, then everything is visible, but if you make it smaller, it would be helpful if maybe some columns will pop off and will not be shown at all.

B

So this is the detail view which I'm would be or which I'm using as an architect. I would like to see these are my files, and I want to see I y is here in this file the code coverage good or bad. Then I can click on the link, and now I see the overview for this file here I see the branch coverage for the file.

B

I the the line and instruction coverage for the file, the number of methods and the number of classes in this file, and if I want to see a detailed view of the source code, this is possible as well, and then I can here. I have a look at the source code and you see, according to the coloring green lines are covered, red lines are not covered and yellow lines are partially covered.

B

So this is a good uh help for an architect or for you as a developer and yeah here it would be helpful if we yeah, I'm not sure if this part of a hackathon or a oktoberfest issue, because uh currently the the text is kind of um yeah just plain text, it would be helpful if there was some syntax highlighting, etc.

B

So this would be a one possibility to change the visualization to a concept, what I'm, using in the warnings plugin, where we can see the source code with a java, syntax, highlighting, etc.

B

Okay, so here we let's jump back here, we see the details for one build and uh what's also provided by my plugin. Is this kind of trend chart? That means you have the opportunity to see the results for build to build. That means a trend. Are you decreasing your coverage or are you increasing the coverage and this same information is shown on the main view of jenkins? That means, if you start on the main view, you see this coverage branch and line coverage, a trend and there you can see uh yeah. How behaves your coverage?

B

How many percentage do you need to get closer to the 100 percent?

B

So this was uh the introduction to the user interface, which is now almost ready, and for this interface a lot of things can be improved, for instance, the trend chart. Here we have only a single trend chart.

B

Maybe it would be helpful to show a different trend, john, that does not show the absolute values but the delta values, and we already have this configuration button here and you can extend this view, which is now showing where you can change the width and the height.

B

So you can put these things, you can say: okay, I only want to see uh five builds and if you save it, then the trend chart changes and what we also can help. What would be helpful if we show a kind of delta view that you see not the total coverage, but you see how did you increase by each build or decrease by each build uh the code coverage?

B

So this is one thing that you can improve the chance. uh One thing that one can improve is the coloring of the charts, for instance. Currently, the coloring is a hard-coded in my java files, and maybe it would be helpful if we can provide, for instance, in this dialog that we say okay, I want to show it in different colors and add here a customization of the colors for instance.

B

So this is one thing we can add um and there are a lot of other things we can add. We can add a columns for the jenkins view.

B

Let's say I go to the jenkins dashboard back, um so here we have our the chops here on my instance on and here you see, for instance, the the name of the project and the last success, and you see the number of uh static analysis warnings and it would be helpful if you also see the branch coverage or the line coverage in this table view, though this would be also one enhancement that you can provide at a column that shows the branch coverage and some other elements you can show or help to show, for instance, here this table, I just provided two columns.

B

For instance, one column shows the percentage as a number and the other column shows the percentage as a chart or as a background. So maybe it would be helpful if someone can create a single column that shows both in one cell then we have not. The width is better used and yeah. I think it's even easier to read if we just have one column that shows it.

B

um What can also be helpful if we currently, I only show the branch and the line coverage in the detail fuse. Maybe someone is in interest in the instruction coverage or in the method coverage. I'm not really interested as an architect, because for me only the lines count, but maybe other uses of changes require some different views.

B

So it would be helpful if you can extend the plugin by making some things more configurable, which are now hard coded or, for instance, in this chart here, where you see the the package overview here, you see the the code coverage elements of my classes and these uh so, for instance, if it's red you have a poor coverage. If it's green, you have a good coverage, so you can click and see. uh This is the eclipse eclipse.

B

Xml browser seems that I'm missing a test case for this class and what you see in this chart is the a tree view of your whole project before the line coverage.

B

But you don't see the branch coverage yet so an additional idea would be to either make this view configurable that you can switch or toggle between line and branch coverage or create another tab where you see the same, not for the line coverage but for the branch coverage.

B

So you see, if you get a little bit familiar with this plug-in, you will find a lot of ideas where you can improve. What I try to make is I created uh several issues here in github, which I marked with hakatoberfest.

B

Some are features some are enhancements and yeah. I think you can have a look in this table. If there is something would you like to add? Not everything is ui related. I have some views some issues. For instance, the remote api needs to be added for the new model, which is plain java.

B

So if you don't need ui skills to provide that, but some others are create java and javascript and some others are only javascript, so feel free to look here and see what, where you can help- and here I have just looked for the hakitoba fest label here in this repository.

B

So this was my walkthrough of the code coverage plugin. Are there any questions.

A

There was one from from one of the participants about branch coverage. Is branch coverage limited to java? So is the the ui that you're presenting tightly connected to java as a language, or can it present results from other coverage systems or from other language systems?.

B

It can present results from every system that is supported. The code coverage plug-in works a little bit like the warnings plug-in. We have the tools separated from the jenkins plugin. That means you need to run the tool in your build. The build produces some kind of json file, xml file whatever, and then the code coverage plugin comes reads: the results and presents the results.

B

We currently have support for chacoco copatura in java, but we also have support for different other tools.

B

Actually, I don't know the names of the other tools, because I don't use them, but we already have for c, plus, plus and c support.

B

That means- um and if we do not have support yet one can write a simple, adapter or parser who and this person needs to read the xml file and to create the java model, and this would be an enhancement as well. So if someone wants to not participate in the user interface- and he wants to show let's say, coverage data of javascript and we do not have a parser yet then just write the parser and the plugin will work out of the box.

B

For these elements, so it's there is nothing in java which, which is basically uh in the plugin. The only thing is maybe that we have source files that may contain classes uh which is not given in every other language. So, but normally we in in every language, you have some kind of files. You have some kind of methods. You have some kind of lines and branch coverage, so yeah everything should work. What you, what you have.

A

Thanks julie, very much answered the question. I I think it did thanks very much okay, so you give hope that those who write c programs like me sometimes can use coverage reporting to see the results of our automated tests of rc programs. Yes, I think it's already possible.

A

Thank you anything else that you'd like to share ule before we switch to our next next presentation.

B

I think I, uh when you switch to the presentation, I have one link where, in the slides, where you see the the issues that are open, okay,.

A

Let's go here and can everyone see my my screen.

B

Yes, it's a camera, so um the issues I've talked about. uh This is the first link here. You will be right redirected to github, where you see the github, I you know oktoberfest elements.

B

The second link is, if you want to have some beginner topics in the warnings plugin there. This is not only ui, it's also plain java. So have a look here. There are a lot of small things where I don't find the time it would be helpful if someone can help- and I think the last link is the same- you already presented it's just uh for the user interface. I think.

A

Excellent, thank you. So those links, those links are ready to use and a new contributor can pick one of those and either contribute to core to the warnings plug-in or to code coverage thanks. Okay, fine, all right.

B

A

B

A

Great, so so the next the next stop then on our our journey here is: maybe you feel more comfortable contributing to something that's a little different than code. Well, here's a way you can contribute to help with documentation, so jenkins, plug-in jenkins. Documentation for plugins is let's: let's do it this way, I'm going to pause here and we're going to look at this site. Plugins.Jenkins.Io.

A

Which is the jenkins plugin site? And yes, as it says here, there are 1, 800 or more jenkins plugins, and when I look for a jenkins plug-in, it will show me different matches for my search. I asked for the get and it showed me git and the git client. So when I click this one, it shows me the documentation for that plugin.

A

This documentation is maintained, preferably in the the repository of the plugin itself, so we want to do documentation as code, and so this documentation you see on screen and it's quite a lot- is part of the get plug-in source code. Someone had to create that, and someone had to put it there and that creation process is part of this exercise.

A

So what we want to encourage people to do is help us migrating plug-in documentation to github.

A

So the idea here is that there are plugins that need to be migrated, and if we click here on the this sheet, for instance, it's going to take us to one view of plugins that need to be migrated. This is this is my view that I did a sorting on, and this view you would could say hey. I want to improve the documentation for one of these plugins and, if you'll, right click on a cell and comment, let's see and I'm gonna, I'm gonna put a very specific one, because I want to do my demo.

A

I think it's called. Let's see it's called schedule build plug-in here. It is so I'm intentionally choosing one that's a little further down so that I won't get in other people's way. But I'm going to put a comment here that says: mark waite wants to work on this one.

A

This is an easy way for you to say I'm going to work on this and still see which what the priorities are. If you don't do, this no harm will detect it pretty quickly that you're working on a particular plugin, but so that's first step here find a plug-in to migrate, and I use the sheet because it was easier for me if you prefer.

A

There is also the official progress report and this progress report takes a little bit of time to generate because oh and it looks like it's been interrupted, so you'll have to use my sheet for now.

A

It's it appears to be offline, I'll work with gavin later to figure out why it's offline, so so, once you've said which plugin you want to want to migrate.

A

Like I said schedule build now we're going to go, find the exported readme file that came from the original documentation source on the jenkins wiki, and I'm going to look for schedule, build.

A

And oh, it didn't find for me that way. I've got to look this way and scroll down, so we're going to do here and instead of appetize we're going to say, schedule build, and here is the documentation as copied from the jenkins wiki. This is the thing that I want to convert to migrate it into the jenkins the jenkins plug-in repository so back to our steps, find the exported readme.

A

You go to this plugin wiki docs fi repository and find your plugin that you're migrating now next step is: let's fork the repository and create a new, a new readme file for it. So I'm going to actually borrow this hyperlink open the page, the github link that you saw. Let's go back there. You see right over here in the links. There's the github link, I'm going to click the github link, okay, here's the repository!

A

My first task, then, is to fork it. So I'm going to click the fork button in the top right open up. It'll put it into my repository notice that it's creating marquee weight schedule build plug-in. So here's my fork now. I need a local copy of this, so I can work on it. So I use the code button copy here and now in my favorite terminal system, I'm going to say git clone there and you could do this on windows. You could do this on linux. You could do this on mac os.

A

This will give me a copy of that plugin.

A

And now it's time to get ready to do the transformation, so I'm going to check out a branch and the branch I want, let's see so docs to docs to github. So now I've got a branch to work on and back to the instructions.

A

I want to create a readme file there or edit the one that's already there and include the extra information in it from this file from this page. So let's do that.

A

And use your favorite text editor. I think the one true editor is emacs, but don't don't let anyone be too distracted by that? Okay, so it has a readme file already and I'm going to go. Grab yes, vi editor would work as well. I I actually use that one as well good good point, and yes, as most people learning how to exit vi is one of the earliest things we have to develop as a skill very good.

A

So let's go there to the to this file and I'm going to look at the text in raw format, so I need to find. Let's see. Where is the raw view? I want this there we go click raw here and here is the markdown.

A

For this plugin's documentation in the original wiki that was there, so I'm going to paste this in here.

A

There we go, and now it's just time to do some editing, okay, so it's got. The first thing it shows is: oh, there are some references here to docs images, so I need to go get those files and those files are in this repository as well whoops in this repository here.

A

So as we look here, we'll see docs images and there's the file and I'm gonna go grab each of them, so I'm gonna copy these and I need this link so.

A

And it needs to go into docslash images directory, so I'll put it in docslash images.

A

I did it not maker, oh right, it didn't, because I need to use the minus p argument. Okay, there we go so I'll. Do that with the other images as well, because I think I'm going to need them all.

A

So get that link and what this is doing is preparing me to create this documentation.

A

So it's that simple, that process of bringing down the images from the original reference material put them there, and then they will be usable and we won't take terribly long with this. It'll be just another moment.

A

And if you're on windows wget is available, you just need to use powershell. If you're on linux and mac os, it's already very commonly available, you can get it immediately.

A

I think we've got two more is all and then we'll be done with the capturing all the pictures. It's this simple. We just go ahead and do this and you've now transferred.

A

Files, so that you can continue this development work and the last one here.

A

Okay, so I've got got my readme file. It's now got references to those those pictures and.

A

Now I prefer sometimes to fix formatting like that and but there it is it's ready, I'm going to get add. Although oh go ahead, was there a question.

D

A

For interrupting.

D

So I just want to make sure uh if I'm on the same page with you and just want to, you know, discuss the things that we have done till now, and you just you just correct me if I'm wrong so there's the main repository which has all the plugins related uh content hosted there plugins wiki docs and uh what we are aiming to do is selecting a plugin from this repository and then make changes specifically for that plugin, and for that we are accessing that plugins uh specific repo, its own repo and then what you want to do.

D

Is you want to update that plugins readme with the right documentation related to it right and that's exactly.

A

D

Awesome and then what uh so, currently what you just did is you forked, the repository or and then you are uh manipulating the contents? Yes, as we can see just uh for the repository of the plugin called schedule build and now you are aiming to edit its readme file and pull put in right content into it, and I think there was a question regarding that. How are we, where are we getting the content from specific to that?

D

So it's coming from this main repository as we can see- and this is from here- we are extracting the code and then putting it to the specific plugins readme file. So that's we are doing right.

A

That's correct, yeah, you've described it very well, excellent! Awesome, that's great! So now I think we can move forward. Thank you thanks good insight. So so the exactly as diraj said, we are starting from a a central location where the docks have been captured from the wiki page and we are then converting those to so that they can be used by the plug-in maintainer.

A

In the plug-in specific repository, I don't as a plug-in. Maintainer want to have to go, write documentation in some other location. It needs to be in my repository that helps me because then I also can write documentation when I write new features, I'm much more likely to do that, because I can actually include the documentation right away as I'm creating a new capability thanks, dhiraj thanks very much yeah. So so here we have it. I've got I've, got this ready and I'm going to say, move documentation.

A

A

And now I'm going to push that to my origin repository and I'm going to do a set up stream so that it remembers where I'm pushing.

A

And now this tells me what the url is that I should visit to open this pull request and let's go ahead and visit that that location and open that pull request so that we can we're ready for it now you'll see here on github. It already hinted: oh, hey, look! This green button would let me compare and create a pull request.

A

It also lets me see. How does my, how does my file look and okay? This is pretty good, it doesn't look bad, the pictures are there and they they sh. They appear they're visible. I haven't submitted the pull request yet, but I've had a chance to see. How does my work look before I submit that pull request?

A

So that's that's and now I could either push this green button or I could paste in the url that github gave me either will do the same thing and it says: okay, I'm moving documentation to github, and now it's got a checklist.

A

The first item is, please be sure, you're using a branch- that's not named master, you give your branch a better name so yeah. I gave it a good name and be sure that it describes the poll reque. What you want to do so this is move documentation, docs to github.

A

Copy and move docs from wiki to github and the reason I say wiki there is that's where they existed originally. Admittedly, I didn't have to deal with the wiki describe what I did yep I did. I don't need to link to any relevant issues in github or jira, so I'm going to delete that one, no pull requests and really for documentation. I don't have a way to put any in any tests.

A

So now, when I create this pull request there, it is ready for the maintainer to review now. One of the reasons why I started this sheet.

A

Okay, you may say: well how do I choose? There are a thousand plugins that need documentation. Conversion like this. How do I choose which one to do well? Vodka and I asked a bunch of jenkins maintainers if they would be willing to commit to review a documentation, pull request and these top 30 or so are all plugins, where the the maintainer has agreed to review a pull request.

A

If you submit one, so I recommend you choose one of these, so you get fast feedback now, if you, if you would, rather you could choose something something else further down the list or something that's interesting to you. That's fine as well. I just happen to know that these top 30 here we have reviewers who are committed and ready to review your change when you submit it any any other questions that have arisen, any things that we should discuss.

A

All right so and- and it looks like oh go ahead: okay, then I'm going to go ahead and switch back. I think it's time for our next topic, um thanks to everyone who who assists with documentation. Now, let's go to the next topic and vadak.

A

Let's see you wanted to share your screen right buttock, so I'm going to go ahead and stop my sharing.

C

Perfect uh put that screen. That should be good.

C

So, are you seeing my screen.

A

Yes, we can see it just great. Thank you.

C

Perfect so just in case, I'm not seeing the discussion and things like this, so if you have any oh, no, actually I can open it anywhere else. So that's good! Okay, perfect! Thank you for the the time to discuss about my topic there, but content security policy, so why we are doing that. What is it how to implement the fix and all this kind of thing that will be, I will say, the part of the the slider.

C

I will not put the slide in a full screen mode because you will see for the demo. I will need to switch tabs and things like this. It will be easier like this. So what is content security policy? If you want, we have seen a lot of vulnerability because I'm working in the jkins security team in the recent years we have seen a lot of xss.

C

An xss is a type of vulnerability that is pretty annoying in jenkins. It's based on some javascript that you can inject in a page as an attacker and using the javascript to exploit some things in jenkins. You have to think that an attacker with an excesses capability can do whatever they want at the place of the victim instead of the victim innocence, so using victim authentication to do something and, as you know, for administrator, you have a lot of permission on jenkins, for example, the script console and so with an xss.

C

You can use this kind of feature to execute any code you want on the server, so that's pretty annoying in jenkins. That's why the score in term of severity is between seven and eight and ten meaning for ten. It's the most critical vulnerability and a zero is just a regular bug without security impact.

C

Now what is the the plan with the content security policy? What is the the goal with that? To prevent excesses? There is, I will say, two or three ways. The first one is to correct everything, to correct every vulnerability, but that's a reactive approach. When we discover vulnerability, we have to correct it. It's easy most of the time, but we have to find the vulnerability first.

C

The second- and I will say that, will the most important one when we are discussing content security policy is to be more proactive, meaning to forbid the use of unexpected untrusted script, so javascript in this case to be executed, and how do we achieve this kind of thing? That's where content security policy is coming.

C

If you want it's a new type of protection that is global to your application, that global protection will restrict, which kind of script could be executed on your page, I can show you a demonstration about that. There is a bit understanding about what is csp just before that you have some explanation on the webpage, the the official oktoberfest event web page about the topic in general.

C

You have a document that is this one with a lot of information. So it's mainly what I'm discussing right now, but with more detail, and you have some official documentation from firefox directly from mozilla, actually not firefox, so from mozilla. What what is csp? What is the current support? What you have to do to apply this correctly? All this kind of thing. I don't want to go too deep into the detail there. A demo will be easier to explain what we are trying to achieve.

C

Are you seeing my screen with all the things moving or not just to be sure.

A

We are seeing it just great yeah, so you're currently.

C

A

Content security policy, github page.

C

Yeah perfect, so teaspoon request in jenkins core is a proof of concept to show you to demo you what is the effect of content security policy? You will see with that yeah. It seems to be pretty interesting compared to just the theory innocence, so you have a lot of instruction how to use it. I will just do it myself to show you the thing, because that will be easier like this and you will see- and I hope you will be convinced why we want to achieve csp globally in jenkins, so regular jenkins instance running.

C

We have from that poor deadpool request, actually just a snapshot very old. I will say because that pull request is also pretty old, so I'm connected as an admin, you can see the forewarning we have on the top right. You will see why it's important to mention this part.

C

There is one page that is linked here with csp proof of concept, and it's mentioned here in that page. You can configure your current current playground to demonstrate the different impact there. So here it's very simple. I will explain you more of the detail and, if I'm getting to the test page, so you can go with that page, that link and back with that link it just you have a page with an injection of a variable in java. I will show you the thing in terms of pure java code.

C

You can see the before injection here and after injection at this point. In the meantime, you have a payload that is injected from java into javascript in this case, into html directly. The grout means that we are not escaping the content at all.

C

What it means in practice is that the desired payload that is coming from this page, the desired payload, if I'm adding something like this italic with the correct tags, when I'm rendering this page, that part will be in italic, because in the code it will be directly with the I tag. So the italic tag- and you can think yeah it's interesting, but what I can do with this kind of thing. Actually, you can just include a script and inside the script, put an alert.

C

That's the basic xss payload that we are doing when we are looking for vulnerabilities, and in this case, if I'm refreshing the page, you will see that javascript being executed, that's something that is pretty annoying, especially on some webpage, not in jenkins, but in some web page. You can just do something like this to display the current document cookie in for my case. It's not important because the session id is protected. I can show you the the thing there just in case, I'm not showing something that is confidential, because my localhost is protected.

C

You cannot access my locals from outside of my local network, so there is no secret there. You can see the gssession id that has a value there. That is very important if you want to attack my server, but my server is not online, so you will not be able to do it. You need to enter my hours to have access to it. So it's already broken. It's almost security.

C

At that point, I would say why we are not seeing that cookie is just because it's using the http only flag, meaning that the javascript code will not have access to the value. Neither the cookie name and things like this. So that's why you are seeing the jhid screen resolution when I'm refreshing this page so screen resolution jd. So that's all the things that are publicly available in a sense inside the javascript.

C

Now the problem is that, if you are able to do the alert, I will just go back to the one two three you can do something else. You can, for example, trigger the administrator to run some groovy script and so having access to the server, create a reverse shell, so that the attacker can have a permanent access to the server all this kind of thing, or just like most of the time in jenkins, creating some code that is mining some moneros and things like this to gain so getting some money there.

C

So here the problem is that we want to prevent that code to be executed, because in a sense, this kind of thing is something we want to avoid. It's not what we would like to have in term of god. If someone is doing that most of the time it's just because there is a variable inside java that contains some html tags, for example, to render a description of a job with some payload that is trusted in a sense meaning.

C

Oh the name of the job need to be in bold, the rest, regular text, so they are just proposing that. But no, if the display name of the job is something that the user can enter like in jenkins, they can inject potentially some things like this, like a payload, that's where the csp is interesting to work with, so you can see here reporter only mod. It means that we are seeing a lot of report only stuff there, all the rules we are putting in the page. You can see default source self, and things like this.

C

I will not go into detail. You will understand the thing directly with the demo means that we do not allow anyone to do something. For example, unsafe inline means that we don't expect a style in this case to be directly put inside html. It means that if someone is doing something like this font or font size up, 20 pixel 23 pixel, that part will be refused because it's inlined and that the same kind of thing we can do also for script in general.

C

So in this case we are saying for the default source self. It means that we are not allowing a javascript to be executed in line. Inline means what I just show with the um the style. If you have some on click, do something like uh alert like this. That's something that we want to prevent.

C

That's the inline script, and here I'm just unchecking the reporter only mode, and you will see the difference- I'm just not refreshing the page just to mention there is the four with the the red background there. If I'm refreshing first point, you will not see the alert and you will not see the the four with the red background there. Why? Yeah, it's easy to explain with the new csp approach we fold the reporter mode. Only we are refusing to execute the code, so we are refusing to execute the alert 123.

C

That's why it was not popping at the beginning and at the same time we are refusing to execute any code that is inlined and for that code inside the top right part. It's coming from an inline javascript part that is refused and that's why you can see that part here before it's moved to the top, because there is a script doing that. I think it's inside the page footer, I think yeah, it's that one am means admin monitor just in case, so you can see that code if we are executing that code.

C

So I can do it manually here.

C

You will see that part being moved to the top and the just that part of the code that is inlined inside the page, because it's inside a script tag inside the page, it's forbidden to be executed. It's part of the different things we refused and hence it was not put at the top.

C

Now I can do something differently. I can approve some of the script in this case. That part is known to be safe.

C

I can put a hash on it, meaning I check what is the checksum of the script and I will put that inside the approve list of script. That's why I'm proposing a list of things here and you can see some of the things refresh refresh. I don't remember exactly oh yeah, that one so that hash is the equivalent signature of the script that I was just showing you and if we are allowing that hash to be executed, we are letting the server do the regular thing.

C

So I will just show you the thing: it's just the copy paste of the the value in this situation. You will see the alert is not displayed, but that code is executed and inside the console you will see. Only one script was refused. Is the one coming from my payload. If I'm changing the payload just to remove that part.

C

You will see normally no error except the error of the syntax. Here.

C

You will see no error, it just a report only thing for another stuff that we do not care. There is no longer a script, so there is no forbidden script inside the page. I can just repot it to show you again the stuff.

C

And here you can see the refuse to execute inline script, because it's your lay the different rules and things like this. There is an alternative, because potentially my script is something that is safe. So that's what I did with all the script from that page before I can copy paste the sharp so the checksum of that script, putting it at the end of that list. Approving and in this situation my script will be executed because it was trusted by using the ash.

C

So that's a bit all for the demonstration of why it's useful. Now. The main issue we have is that we cannot put such things with a hash for every script we have in a page in jenkins. We can have between 10 and 20 script that need to be approved inside a single page. So imagine if you are adding this kind of thing to every request response, you are sending they're just a network in term of a load for the request size.

C

In addition, what is problematic there in, in addition to that, is that if you are injecting a variable inside a javascript part, so I will say you have a regular script like this. We can say there is some script like this.

C

I will just remove that part and refreshing the page, so normally it's not executed, because it's the new one that I refused so just adding that to the page before so. In this case, it's just an inline script that is coming what I missed.

C

No, it's that one sorry.

C

So it's just an inline script from the the code directly that should be safe, but in the situation we have something like a variable, my variable, because I'm lacking a creativity at this point and I'm adding something like this in javascript and that's something we are seeing, often in jenkins, inline script in general. So that's something that is a bit dangerous. I will say that part will be injected inside the script and then the code will be executed.

C

So in this case I will just execute it once so that we can see what is the hash.

C

I will show you the result of this part.

C

Executing again so we have the alert at the bottom. I can just look for the alert.

C

That one and you can see inside the script you have my variable with the payload. That payload could be something like the name of the job. It could be the name of the user or something that is fixed if it's fixed. That's perfectly fine, that's safe, but if it's not fixed, it's potentially user entered.

C

It means that if the user is providing a single quote inside their stuff, because you have seen the alert 123 was not executed, but in the situation I'm just disabling uh csp to ease the the stuff, I'm putting alert one two three, I'm executing that page. There is nothing that will happen in term of script because it will be contained inside the single script inside the single quote.

C

But if I'm doing something like this to escape my current context, you will see two alerts, the first one and then the second one, because in the code data alert is executed as javascript and it's not expected at all from the developer because they just expect to receive a string that is contained in chinese own context.

C

So that's why we cannot really rely on ash, because if we are generating the hash directly during the generation of the page, that full script will be approved and that's something we don't want to trust, because there was a variable inclusion. That variable could contain some issue, and so we don't want to inject such things.

C

I'm just checking the chat to see the the point yeah. Thank you for the question mr week. uh There is something important to understand. The regular exercise protection you can see in the different browser are most of the time not working. It's sometimes just against the reflected excesses that you can have in the page. For example, if I'm putting a payload here, payload, payload, equal alert or stuff like this, that part sometimes is not reflected on the webpage directly thanks to the browser technology. But honestly, it's not something you can trust.

C

There were some usage of this kind of protection to inject xss. In addition, where it was not possible without the protection. So it's a bit controversial at the moment and I think chrome is removing the support for this kind of feature just for your information.

C

So that's a bit the idea there when we are using the ash.

C

There are other possibilities to restrict the script and that's where I'm going with the second slide there we have seen the hash so the different ashes we can generate from the different script, but we have also a nonce is just a number that is generated and that we are using only once so nones in a sense, and that part is pretty interesting.

C

If you have a static web page in the static web page, you will put the nodes in your in your response that is generated at the server level and all the script will receive the nonce as part of their tag.

C

This is pretty good. It will work. It will reduce the size of the request because you are putting the notes only once in the in the response and once per script, not a big deal. The main issue is as for the hash in this situation, if I'm putting the hash, I don't remember exactly the attribute name but the attribute for the nouns and I'm putting one two three or the random thing that is generated. So something like this data formation will just ensure that the browser again will trust everything that is inside the script.

C

If there is a variable injected, it will be trusted and so breaking the usage. The protection that csp is providing, so are we blocked? There is no other possibility. Of course there is one. Otherwise it will not be a topic we are discussing about. In a sense it's about the origins so the id there. Instead of checking the script content, we are just checking where the script is coming from.

C

In this situation, it's coming from the page so inline we want to untrust all the inline script. What we want to see is only things that are coming from outside of the page, but inside the web, application, meaning that is downloaded from localhost 8080, slash, assay, javascript offing status, so that we know it's a fixed file. We fought a way to inject javascript.

C

At this point, or at least I will say to be transparent with you with that kind of approach, we will reduce by 94 95 percent the number of excesses we will see in the future. It's not an under person protection, because if you are trusting something that should not be trusted, it's still possible to bypass the csp in essence, but that's pretty r, I will say in four years working in the jenkins security area. I have seen only two excesses like this and they were very particular so with the origin.

C

What we can restrict is to say we want to a separate file coming from localhost or jenkins.io things like this, or if you have some issue like with a google script, that you are retrieving from google, you can just add the google inside the arrow list so that you accept this kind of script inside your page. That should be the idea. So how do we achieve that? Because that's where the topic is starting in a sense?

C

What I did until now is just the context to show you what we expect to do and now is to put that in place. If I'm saying to jenkins that all the all the javascript should come only from the localhost, it will break everything in jenkins or not everything. But most of the thing you can see. uh I can just check quickly if my intelligence is responding, just the number of script we have in line in jenkins core and that will apply the same to the rest of the ecosystem.

C

You can see that one, and that will be a very good example. You will see why, in two minutes that script is just something that will be forbidden with the new approach, so we have to do something to prevent this to be forbidden, because it's a trusted script. It needs to be trusted. So that's where the the topic is is for in a sense you can see inside the document.

C

I showed multiple examples of previous tasks I did in the topic is mainly, we are taking one script and we are uninlining it meaning we are removing the script tag, but we are putting it in a separate file. With that approach, we are preventing the variable to be injected and indirectly, all the excesses to be exported in jackets. That's a bit of id! You can see some with the level of difficulty.

C

Some are very easy to understand, for example, that one in term of script, you can see, for example, that one was a script that was inlined. It was just replaced by where it is.

C

Now I'm a bit lost with that one, so it's mainly just.

C

Yeah initialization just that one that is put inside the script that is used to prevent all the inline script to be needed required in the page. I will give you a live example of what we can do for this october topic. It will be very easy. You will see five minutes to provide a pull request, of course, five minutes, because I know which one I want to do what I need to do.

C

But if you need to find yourself your way, it will be between half an hour and four hour depending of the case and depending on the complexity, you will see so for this. I'm preparing just another jenkins instance.

C

That's running so leaving that one aside and moving to another one so from that list of a newbie friendly issue that you can find using. Where is the I think, it's that query? You can find that query as well here the jira newcomer friendly issue. It's this request, it's what is inside a particular topic, so the csp smooth sense reduction smooth because we will not put the enforcement at the beginning. We prepare. We prefer to have all the migration being done before. Otherwise we will break the instance not ideal.

C

I will say that could work in terms of security. If nothing is working, there is no vulnerability. So in the list there I'm just picking one randomly, because I know that one is pretty easy to do. You have the script, so you can know exactly what you have to do and you have the difficulty the skill requirement. So in this case very basic knowledge that is required, and you will see it's pretty zero knowledge. You have just a quick tips that I put in the ticket.

C

That will be enough most of the time, so the code we want to change is this one, and you have seen, is exactly the one I showed you before, because that was the first one when I was looking for script inlined so for this one we have here and then a different project in intelligence configure entries from list. So that was what I show you and we have the script we want to uninline.

C

So the first step is for the developer to be sure to understand where that script is used, because if you are not sure you will not know if what you are doing is correct or not. So in this case, so I think I need to log the nothing. So it is. No everything is working perfectly fine. So it's a list view configure entries.

C

So it's inside the list view I'm editing the view, I'm just skipping, some of the things to prepare the stuff and inside the web page I'm looking for recurse. I think it was something like this.

C

Here we have that part of the code, so I can just add a breakpoint at this point and a second one. There, I'm refreshing the page to be sure it's executed, because if I'm not able to reproduce it, I will not know if it's working or not with my correction. So you can see we are there, so I'm letting the thing moving and there is an unclick doing something. The unclick is on that recursion in subfolder, I'm clicking there. You can see, I'm there re-clicking, I'm there.

C

So it's working, we know exactly where that code is now the fun begins. What is the code change? I need to provide so back to this thing. What I will use is just a new thing at the bottom of the page. I will just add something like this: that's an adjunct. It's a feature from stapler.

C

We are calling. We are asking stapler to introduce some resources inside my page. So in this case I need to rename it to its own model list view configure entries resources.

C

That means that we can create a file inside delete view. So, where that configure entries is located, that's just the simplest way. There are a lot of other possibilities, I can add a javascript file or the css or both. If you want now the very interesting skill that is required, copy paste and you're done, that's the main requirement in terms of javascript. You have to do of course. Now you can really remove completely the script there and you ensure the list. Reconfig configure entries, configure entries, resource.js, that's fine!

C

Everything seems to be good, so I'm saving we for changing the method I use to run the stuff. I will just update the page so refresh the page. Sorry- and you will see my breakpoint- is no longer at a good good location.

C

I just research for the records and you will see it's coming from the configure entries resource.js that one contains only that part just adding breakpoint there breaking there refreshing the page, oh macbook phone is it so it means that my javascript is included and it's working or it seems to work so just to ensure clicking here. It's still working, okay, perfect. So what I did is.

C

Finally, it's finished in term of code, so next step is easy: creating a new branch with the number of the tickets pushing the commit to your fork, and then you have the pull request ready so that one was perhaps the easiest one you have to to do. There are some other examples. What I show you before with this example? What are you doing if there is a variable?

C

That's where there is a bit of magic? You have to use, because there is a lot of variable inside jenkins if there was a variable, for example, that one was a variable so variable coming from java, for example. Actually I don't think it was a good idea to put it there, just adding variable here so variable like before adding some code that one is potentially dangerous and that one something that was injected in the page before we are in a static file in the static file there is no injection of java variable possible.

C

So what we have to do is to change that variable injection to put it inside somewhere. Here, for example, we are looking for a recurse id, so we can look for recurse id. It's that one. We can add some attribute there, so that what is the name of the fingering variable so just variable from java or anything you want, and you are adding the variable here.

C

The advantage of this approach is that when we are putting a value inside an attribute value in jelly, jelly will ensure that that variable cannot escape his own context, meaning if there is a double quote inside the variable coming from java, it will be just escaped by a jd and at the end, the value that there will contain the double quote without a possibility to escape that context, and now you have that thing and you can simply simply being perhaps a bit uh too easy, but it's e I get attribute.

C

Perhaps it's not exactly that wording and we are able to replace the code with that simple approach for these things and, of course, removing that one, because even with the command, it could be possible to inject the stuff. With this approach, the variable will receive the value that is put inside the value of the attribute.

C

Just for your information that tip type of injection is explained as well inside auto pass value to javascript. That's inside the xss prevention in jelly views. You can see here the stuff, for example, that one was exactly the example. I showed you before. That page is linked from the google doc. Just in case we are explaining all the double. The double quote is working to escape the context and the good way to solve.

C

The issue is mainly to create the data attribute, putting the value inside and then retrieving the value from the page from the html tags. That should be the id there to resolve the problem and to be able to have that script being uninlined and so allowing us in the future when the situation is good enough to enable csp and to enforce it for all the page engine kits, that's a bit all for my topic. If you have any question, feel free.

A

For me, I was trying to be sure I understand so data inserted from java there in that div. Is that a variable that only scopes to inside that specific div or is that scoped globally in that file? How how how do I, how do I that's a.

C

Very good question collisions.

A

Of variable names, etc,.

C

Yeah, that's a very good point, so there is no scope in the sense that if the div is present in your page, it will be reachable by your javascript code in the sense that if you have something like this, you retrieve the element from the page, so the target div and then you get the attribute that called that code could be outside. So in a separate file, it could be completely far from the div in a completely different event. All this kind of thing, no in terms of conflict, you can use something more specific.

C

For example, coming back to the code, if you have, I will say a tab, a table. Sorry inside you have some tier. Of course. It's not exactly the thing we expect so td, tdt, dtd and multiple tr, and what you want to do is to add a capability for something in particular, you have the cell id.

C

I will say it's just the cell that contain the id of the job, for example, and you have that multiple times in your in your page, and you want here class, delete button click here to delete the job. What you will do is that you will put a behavior specification on the delete button, so inside behavior specify here, you will put just delete button and the e at that point will be that td.

C

The td could go back to his parent, the tr. Looking for a cell id and retrieving the attribute there. Job id.

C

Job dot id something like this, and with that approach you can do that for every line and every job id will be linked only to the delete button from the same line in a sense. Is that answering your question.

A

It does thank you thanks very much, so any other.

C

C

So just another question: I got from the chat, or do you protect again other type of xss? So if you have a reflected xss, so the payload is coming from the url directly. You will not be able to inject that part in the code because it will be forbidden by the csp. That's a bit the beauty of the thing there again store xss. It will be the same instead of coming from the request.

C

It will still come from java because the request value is coming from java as well, and that will be prevented by the same thing there that this part cannot be used as an xss injector part in an injector location and concerning the last part of the exercise about the domic success. It's not something that is very useful to protect against, because, most of the time, it's just some false positive from scanners. We are more concerned about stored and reflected xss in general and concerning the checksum you can use uh all the sha checksum.

C

I think it's a shot 26256 uh and I can just give you the full duck there in term of sure it's only the recent chatu.

C

But no shower no md5. I don't remember exactly where it is, but there is a link here explaining the stuff in particular what about other type of vulnerability? Of course, there is no silver bullet for security. You have to be very careful about the rest, meaning csrf x6c. We are providing some kind of protection, but it's only for excesses that we can use csp, it's the one that is the most global, proactive protection we can put in place for csp for csrf, for example.

C

We have put some arduino in place from jenkins core to prevent this kind of thing to happen somewhere, but we cannot prevent it everywhere, meaning if you have some method doing, I can just give you the ins there.

C

For example, all the do check thing if they are doing something now, it's mainly forced to be using post instead of get and that's already a good point to protect against csrf for x6c, we have providing some safe, xml or parcel, but if the plugin maintainer is using something else, we cannot forbid that usage in a sense because anyone can write their own xml parser.

C

So that's the kind of thing we cannot prevent globally, we'll say- and there are a lot of other vulnerability that are too specific to the code- that we cannot prevent that globally as well any other question or we can move to the next topic.

A

Well, so so, could you give me a summary again? It sounds like what I need to do to improve. Is I uninline the javascript and using that uninline javascript, then that already is enough or is there some additional change? I need to make to the source file. It seemed like all you did was uninline the javascript.

C

Exactly for this topic for oktoberfest, that's the main goal, because there is a lot of things like this to do before being able to end for csp at the global level, we could enforce csp for some specific part, for example inside uh if I'm going to the correct one inside the user content. So it's something that is proposed or, of course not like this user content to browse this kind of thing inside, for example, the readme.

C

So if you're opening readme that page normally, you will see some csp being already set so just putting that one. I think that one will be good. Normally there is some csp already set here response editor. Where is the csp?

C

Perhaps not that one? I need to enable it- or I don't remember exactly, but there are some bars that are already protected, because we know there is no plugin that could interact with the content. It's a fixed content or coming from the user only and we are restricting completely all the script, but it's fairly specific to part of the code. So it's not everywhere.

C

And so the the idea is once it's done in terms of migration, or we have applied that to 90 percent of the plugin. We can enforce it, but that will be not as a topic. It will be more as a new initiative. In addition, as a second step, I will say: question.

B

Yeah there was another question in the chat, and this is also a question for me. uh One thing is to move the old code and replace these texts, but it would be helpful if the developers would be aware of the problem. So I I never didn't know it that we should not use an inline script, and you showed a little bit on the week on. The jenkins. Homepage is your. The document you have shown in word is this available on the developer handbook as well.

C

uh It's not in the unbooked directly, it's oh actually. Yes, I'm not sure exactly the structure. There are some things that need to be improved during oktoberfest or on the developer documentation, but you can see it it's inside security and if you're clicking on security, you see multiple things and I'm not sure exactly where yeah you have the auto guide at the end.

C

So it's not the easiest page to look for in a sense, but the the important point is that we are using this kind of documentation to show to the people when there was a vulnerability in a plugin or to solve it. No, if it's something that is discovered more easily by people before putting the vulnerability, it could be a lot easier for us to manage at scale. So that's a very important point. Thank you for the reaching out to highlighting that there is some improvement we have to do on the documentation.

C

For example, all the contributors should have read all the security part before writing a plugin, because we are seeing on the hosting request some plugins that are broken by default by architecture and as a vulnerability researcher. When we are finding something like this, we are just like okay, that plugin will be just blacklisted, because we cannot do anything with it. So that's the kind of thing we would like to prevent. That's why we are writing some documentation.

C

They are just not easily discoverable and that's a bit painful.

B

Maybe we can even write some static analysis tools that check all of our jelly pages. If there are script tags in there.

C

I will say: stay tuned: there will be something coming in the next or next next weeks about that we are doing a lot of stuff in terms of static rules for jenkins, with cutquel.

C

We are putting our own custom rules inside to detect like csp xxxc, and things like this and honestly xss is the most painful one to detect, but just detecting inline script could be a nice way to improve also the potential issue for the developer. So that's a very good point. I will just note that and inform the other people, but the point.

C

But that's totally possible. Just in case we've got qreal. We have access to the abstract syntax tree. We have access to all the things and detecting just inline script inside the page could be useful to inform people hey. You have not done your unenlightening part and things like this.

A

Any other question, so there was a question from from mr wick on. um How do you do security while developing the code- and you mentioned codeql, so I wanna. I would like to spend just a minute talking about codeql if you'd be willing, because I'm a benefit I've benefitted by codeql.

A

So would you be willing to share briefly vadik how how code, what codeql is and how it, how it helps people who are submitting pull requests and how it helps developers who are maintaining plugins.

C

So I will not disclose all the things that will be in yeah published in the future. I will just give you insight about uh perhaps uh jenkins scio code ql.

C

There was a blog post at some point that one that explained a bit what is called ql. I will give you the link inside the chat, and that was an explanation about what we did ourselves so internally, using our own custom roles to detect vulnerabilities.

C

In this case, you can see it was mainly seven vulnerability detected by the tool and confirmed manually at the end. In the meantime we have detected, I will say, 20 other vulnerabilities.

C

The idea with cotqel is to catch some of the behavior some of the patterns. It will not provide you under person, protection or hundred percent detection of anxieties. It's really what we have written all self in term of rules and all the rules are not perfect. There are a lot of false positive because we cannot do everything, for example, with the method I showed you before do check hold, do check your choice, it's a method that is an endpoint because of the do so it's something that anyone can call on your webpage.

C

With that information. We know that it's a potential dangerous thing and what we are checking is, for example, is there a post required post annotation? If there is none, we are checking the content. Is the method doing something that is potentially dangerous in this case error or okay, with a check here, we are checking internally here. What is the thing? There is nothing dangerous, because it's just about looking at the string and things like that there is no call to url.

C

There is no execution of code or things like this arbitrary code because fixed code, we don't care. So this kind of thing we are looking for and we are putting if there is something dangerous or that we think potentially is dangerous, because we have no older information.

C

We are sending to the administrator meaning in this case the maintenance of the plugin. Some warnings, I will not show you the different warnings, because that could be painful to share with everyone some potential real vulnerability, but if you're a maintainer of a plug-in, you will see such warning with the possibility to say it's a false positive or no, it's a real vulnerability.

C

In such case, you are contacting the security team opening a security ticket all this kind of thing. The idea is that we are doing that in a better phase mode at the moment. So you need to register to your the program, but in the future it will be something by default for all the plugins and we are putting that in the self-service mode for the maintainer so that they can manage their own security.

C

But the goal is still to have us inside secure the jenkins security team to coordinate the release, because, if you're correcting something in your plugin and delivering it right now, it will not be announced in a security advisory. It will not receive any warnings about security, and so the user will not know they have to update. So that could be painful for everywhere everyone. So the goal is really to inform the people.

C

There is something please look at it, detect if it's false positive or real vulnerability, and then you are creating a security ticket and doing the rest of the thing.

C

What we are covering right now in terms of holes, it's mainly csrf part of them part of x60, part of a missing permission check, and things like this, so very simple stuff that no other engine could detect, because it's specific to jenkins all the enzymes most of the time are just taking input from the web, the web request and looking at the flow until sql database in jenkins, there is no sql database, so we cannot use any of this kind of flow.

C

So it's mainly all this kind of static analyzer will provide us or you are using a bad algorithm for crypto and that's all. For example, if you're using md5 shower one or three cities, they will just put your warning and that's all. There is not a lot of other intelligence that we can use from them. That's why we have to write our own goals.

C

That's a bit ready! Of course, if you want to improve your security skills, you can use some other tool. For example, uh what was the name of this thing uh spot bugs as a specific security plugin to help you also with some of the things, but it's still not perfect.

C

Codeql will not improve the perfection in order to secure your code as an engineer as a developer, you have to learn a lot of different vulnerabilities and all to prevent them. There is no silver bullet for this at the moment, and I will say hopefully, fortunately for us security engineer to keep a job in a sense.

C

There is still a manual part there and we are working very hard to provide such uh static analysis more and more accurate, because there is a lot of noise most of the time or there is an injection of variable yeah, but if the variable is fixed or not coming from the user, it's not an excess. So there is a lot of false positive and there is a lot of effort to reduce this kind of noise for the developer. At the end, I think I'm talking too much taking too much time from.

A

My topic actually so so one of the things now our code ql and if, if codeql is enabled for a plugin, for instance, for my plugin, I maintain the git plugin. It is main it is. It is enabled when they submit a pull request, will they see if they have injected something that codeql would complain about, or is that something that only I, as the maintainer get to see? I.

C

Don't want to promise you that right now, because I'm not sure it was done already at the pull request level. It was done more in a global status for all the repositories, and I will say we already already got uh hundreds of false positive. So if we are including pull requests at the moment, that could be just too painful for us, but totally right. We will looking for the pull request and ideally, in the long run, because shifting left to the pull request is not enough.

C

We would like to have that also in the intellige eclipse netbeans integration directly when you are writing your code, for example, all the inject the inspector directly from intelligent like this thing, or there is a deprecated constructor used. Ideally, we would like to have. Oh, there is a csrf vulnerability, there be careful or this kind of thing, but I will not promise you any estimate time of availability for this. If I need to guess it will be like minimum two years.

B

Great, so that's.

C

A big idea: we want to improve the situation, there is no infinite amount of time resource capacity, so that should be do it.

A

Thank you thanks very much vadek. uh So um I think mr wick's comment fits with what you were saying he was asking. Could we consider a linter that could focus on security and provide opinions, while writing code and your description of an ide integration? It seems like exactly that. Right, it's hey and, and I know, find sec bugs- has been helpful for some users in the spot bugs static analysis world. So there are, there are definitely tools available that can help us.

A

Oh yes, you're, going to show a live example of doing something you shouldn't and being told you shouldn't.

C

Yeah, that's a bit dirty there, for example, if you are using something like this and then do the rest with the djs and so on. So here, for example, you are using md5. That is something that is forbidden if you are doing some security thing, because it was broken multiple times in the past.

C

So there is some linter that will just say: hey you are using md5, it's not secure use something else, for example sha 2, 6 256 or this kind of thing, but there is no more intelligence there at what I said before they are not looking at the script you are doing. There is not looking at all the variable flow and this kind of thing.

C

So it's interesting, but it's not the only thing you have to use as an engineer with security in mind, but there is a lot of training online about how to do secure coding. That's part of a lot of compliance also that the enterprise need to fulfill.

C

There is a lot of material on the internet, so just look for secure coding and you will perhaps just invest or three months of your time and you will have a lot of training there.

A

Thank you verdict. Thank you very much. I don't see any other questions. Are you? Okay? If we switch yep perfect all right? So let's go to the next topic. Then the next topic is modernizing plug-ins. So we've talked so far about how to do ui improvements. We've talked about how to do security improvements.

A

We've talked about documentation improvements. Let's now talk about specific code and I'm going to share my screen. Let's take a look at it. So again, I'm going to follow virex pattern and just share my my screen and not presenting mode. So there is an element of effort that we need to do in code to modernize jenkins plugins.

A

There are over 1500 jenkins, plugins, and many of them are very popular and very widely used, but could benefit from efforts. Small simple pull requests that will help people help the maintainers make the plugins more modern, easier to maintain easier to care for easier to handle.

A

So one one way to do this. Modernization is to take a series of small steps, we're going that we can do and begin proposing little pull requests that will help with this modernization.

A

So first step is find a plug-in you'd like to modernize and the ones that I would recommend choosing is from the adopt the plug-in list now what's adopt a plug-in. Well, the jenkins project, as a long-lived open source project, has plug-ins. Where the original author has said, I can't I don't have time or capacity any longer to maintain it. I want to offer that this plugin could be adopted by others, and they will mark it with a special tag. This adopt this plugin and then it will appear in this list.

A

You see that there are 112 plugins available in this list that are ready to be adopted, and so first challenge. Okay, a plugin, that's up for adoption, you can predict probably needs modernization.

A

Most plugins that are up for adoption have not been modernized because their developer got busy was unable to do modernization on it. So choosing one of these is a good choice. It also gives you a chance to find something. That's interesting to you. Maybe, for instance, you're interested in how do you work with config files, so config file provider?

A

Maybe you want to do something with mercurial. The source control system you could adopt it so choosing that is a good first step. Then what we're going to do is fork clone and build it.

A

And then we start the series of of modernization steps and there are- are many many modernization steps you can take update the parent palm. That's one update the base jenkins version. That's another update the scm url, that's another one, automate dependency checks, yet another one enable incremental builds, and there are many more just like this. Those three dots are really they mean it. There's a there are a lot of different steps and you could do any one or two or three of these and have added a real value to a jenkins plugin.

A

There's a document that I started thanks to devops world. That has um the list that I intend to put into a tutorial on jenkins.io of these different kinds of improvements. So here in this improve the plugin section, you can see update the parent part. Oh, let's see, let's make this readable. Sorry there we go there, that's better! My eyes can see. It now update the parent palm um review.

A

How jenkins build status worked? There's one missing here actually, which is some of them, even need you to add a jenkins file so that we can build them on our ci server update the base jenkins version enable additional spot bugs checks, update the scm url automate dependency updates, enable incrementals and more this these things and you you're welcome to use this document it's available.

A

Oh absolutely, so here is the link so stock asked about this link. Let's paste that into the into the chat. There's the link to that document- and this is a workbook that I created and others are welcome- to offer suggestions additional things. What this does is tries to describe all the ways that you can do these changes, and it gives a little bit of introduction.

A

It provides some text, hey do this, do this and and then I intend to put this as a tutorial on cida or on www.jenkins.io, so that people can see and adopt this plugin tutorial this all right, improving the plug-in is a good thing to do, even if you ultimately don't decide to adopt the plug-in, it's really good to improve it. No matter what.

A

So now I am happy to show how to do this live if that, if that helps, people, um vadik and uli would okay, dhiraj is shaking his head up and down, which I think means it's. Okay, if we, if I show the demonstration and okay great, so let's do it, it's it's it's for me. It's a useful thing to realize: hey! This is something we can do so I've done the initial steps already I've I've. Let's go pick my a plug-in I was using before so. You remember schedule build plug-in right.

A

Here's schedule build plug-in and I had forked it into my repository. So let's go to the fork and this thing needs modernization. The last release. If we look at the releases, the last release was in 2019 three years ago, so you can predict, it probably needs modernization.

A

So let's do that and as our first step, we're going to update the parent palm- and now I admit is this- is- is pretty easy, one we're going to click this follow here and it's going to tell us what we do.

A

We can create a git branch, then we're going to run one maven command. Maven minus ntp versions called an update, dash parent. That's a pretty simple command. If I do this. That already with this particular plugin gives me the capability to develop with java 11, whereas without doing this, I'm stuck on java 8 for this plugin. So I've already with one single step, one single step: I have improved things for the developer: they're, not locked into java 8 anymore. They could use java 11 to do development, so let's go do it?

A

Okay, so git checkout, minus b and we're going to say, update parent palm.

A

Oops oops, I forgot. I based my branch on the wrong thing. So let's base it on upstream on origin, slash master! Okay, so here we go, I've got it! And now, if I look at the palm.xml file, you can see here, the parent palm version number is 3.50 okay, so I'm going to compile okay- and I confess I like my emac- so I'm going to compile an emacs all right. So I'm going to do this step here. Maven minus ntp versions, update parent.

A

Okay, so here's the compilation step going.

A

And oh it's finished, it says: updating parent from 3.50 to 4.27. So if we look at the changes here is pom.xml, it says it's been edited, okay and in case I needed it. Maven said: okay, here's a backup copy if you want to keep the old copy.

A

So if I look here, let's look at the differences and see what it changed.

A

Notice that it was 3.50 before and now is 4.27 it was that easy, okay. Now now I owe it to myself to compile that code to be sure that it still works right, because that would be really bad. If I proposed a change that I hadn't checked so clean verify, and so what this is going to do is this is going to compile the plug-in run all of its tests and tell me the result now, while it's while it's doing that, compile and run all of its tests, we can go.

A

Look at the next steps that we're going to take. Okay, so remember, our first step was update, the parent palm when I submit the pull request I'll want to check to see that ci.jenkins.io processed it.

A

So let's go back to that session. Okay, it says: hey, it ran all the tests. They were all successful.

A

So let's commit that.

A

All right so um update parent palm from 3.50.

A

To 4.27 now now that's a that's an okay git commit message, but the maintainer will be much benefited if I say why, but the hawaii doesn't fit in that short summary. So the. Why is allow development with java 11 allow more recent.

A

Development capabilities.

A

Provided by by the more the recent pawn, the recent parent palm.

A

Now I I admit it I'm trying to communicate to the developer that this is why I did this change uh now. I'm also going to tell them do not merge. This is a demo all right, because I don't want them to jump in and say. Oh yes, it's time to merge this all right, so I've committed that now, that's only locally on my system. So now I need to push it.

A

So, let's push it.

A

And the place will push it is to the remote like that.

A

And here it's got my place to go to submit the pull request and I'm just going to go ahead and do that. So if we looked at my at this schedule, build plugin we'll see here we go.

A

Update the parent, pom and again, I've got to fill out the checklist. Yes, I'm using the correct branch. Yes, the poll request title is right. Yes, it describes what I did. No, I don't have to do any of those and there's the pull request.

A

Okay, I just helped that developer with that little bit of work to be able to build with java 11, in addition to building with java 8, because I updated their parent palm and offered that update to them. This is a pretty easy change for them to decide if they want to accept it and it's a reasonable way for them to see that I'm interested in maintaining the plug-in. Now we're going to do more we're going to follow on to this, because there's more that we can do so before we go too far.

A

Let's check out what ci jenkins salio says about it. So the the help here is that we want to know that that plugin.

A

Built correctly, and so I can search for schedule, dash build and there it is. Did you see that that drop down schedule build? So I click that oops bug bug, schedule build, and I have to choose the second one and that's just a bug all right. So here's the pull request tab shows my pull request being evaluated and there it is running now.

A

If, if you're like me- and you prefer the visual view rather than the console output view, I tend to click either the pipeline graph like this or I tend to look at blue ocean like this, so that I can see what's happening. The linux checkout is complete. It's building on linux, now, ci.jenkins that I was also building on windows, and I didn't do any windows work as part of this change. So that's a nice check. I don't have to run the tests myself on windows.

A

It'll do them for me, so by all means check that ci.jenkins.io is okay. Now the next step is that the jenkins base version in many plugins is a is a long, older jenkins-based version, and that makes development a little more challenging for the the maintainer, because when they run certain commands they get an old jenkins version. It also may mislead users into thinking that oh, I could run this on ancient jenkins versions, and everything is just wonderful. Well, while that may be true, it can be much better if we just follow the documentation.

A

That recommends what jenkins version we should choose, as our base version- and this page tells us gives us all sorts of reasons why we should choose one version or another, as our base jenkins version and the recommended versions are 2.289.1.

A

And 2.303.1, so I'm going to pick 2.289.1.

A

And back to the the guidelines here, all I'm going to do is add an entry in the properties section of the palm. That says, that's my jenkins version. Some plugins already have that you'd have to update the value. Others like this one do not so, let's look at the palm and now, if we look for properties, there's the line, and I need to insert that there now this one I am basing on the earlier change, because I don't know that the original, the old 3.50 parent even understands this.

A

So this is a subsequent change for the same pull request. So, let's again compile this.

A

We want to be sure it compiles while it's compiling. Let's look at the next at the next, stop on our step, set of improvements that we can make. So we said, update the jenkins version. Well, there's another piece is update. The software configuration management url in the palm what's relevant there is github, has announced that they are deprecating unauthenticated, unsecured protocols to get repositories.

A

So so because of that, if they're deprecating it, we need to not be using that style of of of link or of protocol. So, let's, let's test past, let's see our change.

A

Here's the change.

A

Require jenkins 2.289.1 as minimum version and again in the spirit of trying to share with the maintainer. Why we're doing it uh jenkins 2.289.1, is a recent lts and is more actively tested and supported by users?

A

Don't rely, don't mislead users to think that we are actively testing.

A

Much older versions, because truthfully, at least on the plugins I maintain, I tend to test the current versions, not the really ancient ones. So now I want to push that.

A

And this will update the pull request, so my update parent palm is now two changes and that pattern continues. So let's do it again now. The next next of these minor ones was the scm url, and let's, let's put that one in here.

A

So what we have here is this get colon slash, slash is, is a problem. That's that unauthenticated protocol thing. So I'm going to change that as well. These types of changes help the maintainer and they're low risk for you and low risk for the maintainer to accept now this one. I know I don't even have to. I have to compile with it, because it's purely used for other tools that want to find the source code of this system, so I'm just going to make commit it and use https instead of.

A

And say why github is deprecating get protocol in favor of https.

A

So that here we've made three changes. Oh, I need to push it.

A

And now, if we go check our jenkins, our jenkins build okay, the first one worked. This was the first build of that pull request when I click that arrow it takes me to the second one. The second one is running now, so it's running checks on my changes- and this is my most recent jenkins 2.289.1- is a minimum version. If we watch we'll see ah here's the third one it's running as well, and I think we'll even see the changes there yep so ci.jenkins.io lets me watch the progress of my my changes.

A

Okay, we've done, we've done some relatively easy ones. Now, let's, let's move it up a bit oops.

A

This one enable more spot bugs checks. Okay, spot bugs is a static analysis system. Spot bugs can help maintainers identify problems without requiring that they know all the details. Spotbugs static analysis helps me a bunch because it warns me about mistakes that I make that it knows, are dangerous things and spot bugs is already being executed. Naturally, however, its settings are not this high of a level, so this max and fail on error and setting a low threshold.

A

Those say spot bugs give me the best you've got. I want to know if you find a problem.

A

Oh there's a good question: okay, roon sha has a question.

A

So roonesh's question is she agrees that having old versions mentioned as minimum version is misleading, but isn't having only the newer vision, also leading users to think they have to upgrade? Yes, it is leading users to think they have to upgrade, and I actually like that behavior. That is precisely a behavior. I want because it's a terrible experience for me as a plug-in maintainer to get a bug report from a user that says on this year-old long-term support release. I have this bug and I try it. I can't duplicate it.

A

I can't duplicate it because I work on the current release and the jenkins community doesn't support that year, old version, so they are, they are doing themselves a disservice by not upgrading so so there really is a notion, and it's an intentional notion of I am trying to motivate and inspire them that if they want my new features, they need to get a new version of jenkins. That's current, so I think it's it's actually healthy roonshot to have them.

A

Have us set the jenkins version to the recommended value because it motivates more and more people to upgrade. Ever since we've been doing, this, we've seen a dramatic improvement in the jenkins primary versions that are being running it used to be three and four years ago. The distribution was pretty much even across versions for two and three years back now, thankfully, when I deploy a new version of a plug-in, there are some seventy or eighty thousand installations that get it immediately and can use it.

A

Rochet did that answer your question.

A

Thank you thanks for asking excellent question.

A

All right so, let's, let's turn up the spot, bugs effort, checking and again this is in the properties section. So I'm back to that same spot. I was before.

A

Oops I just lost my cut there.

A

And here it is.

A

Okay, now this this is different in that I'm. What I'm doing here is I'm not enabling something: that's already disabled. What I'm doing is increasing the amount of of energy or effort the depth and the breadth of the spot, bugs checks. So again, I'm going to run the compilation.

A

And let it compile now the challenge with this one is: when you turn this one on, you may immediately receive new warnings because you've increased the depth you may have to as part of this pull request, suggest additional code changes that will fix some of those spot, bugs warnings or will suppress them.

A

But again, what's that doing that's adding value to this plug-in? The maintainer then gets from it the benefit that you've thought about these potential spot bugs problems and you've made a recommendation on them as part of your proposal.

A

A

Let's see what the change looks like and there it is spot bugs effort is max fail on error, true and threshold set to low, enable spot bugs max effort, lowest possible threshold.

A

Give us the best chance of spot bugs detecting issues.

A

And time to push again.

A

So we've we've done enabled spot bugs. We've updated the scm url. There are more things we can do like automate dependency updates.

A

This one is really kind of elegant, because jenkins plug-ins depend on external libraries in the example that we have here this one's a pretty simple one. It doesn't depend on particularly many libraries, but if we were to look at a slightly different plugin like maybe the get client plug-in or the git plug-in, its palm.xml file is filled with dependencies on various things like of genesis like apache http components like ssh credentials plug in, and it can be a real pain to maintain those dependencies.

A

If we use this dependable technique, it will maintain the dependencies, it will propose, pull requests to update the dependencies automatically, and so it's it's again. This is helping the maintainer by giving them immediate feedback on dependency updates. So this one we could do even without any palm update. So I'm going to give myself a new branch and we're going to do this again.

A

And then the the technique is pretty simple. This file here goes into a directory named dot, github, slash, dependebot.yml,.

A

The pandabot.org.

A

And now what we've got is, and here we have to find out who the maintainers are for right now, I'm going to put me, I don't intend to be a maintainer on this plug-in and I'm going to switch the interval. I had good advice from daniel beck that we maybe want to switch the interval to monthly rather than weekly.

A

So now this will automate dependency checking and if the maintainer accepts this pull request once a month, the github processing will look at all dependencies and submit pull requests to update them to current versions.

A

Let's call it dependency update, checking prs.

A

Allow notify that whoops notify the maintainers when dependencies when new versions of dependencies.

A

Are released now, vadak and urek? Have you had experience using dependable? What's your what's your perception in terms of depend about experience as a developer,.

C

We should not get some pull requests too often. I have a test plugin that I use to demonstrate some vulnerability and I think currently it's about weekly uh schedule and I'm receiving pull requests from the pan about every week, because there are some plug-in pump updates, but I don't care at all about that plugin, so I'm hesitating to just disable the boot for it, but for a real plugin, it's very useful to to get all the update for the different libraries that normally you do not care too much.

C

You are not checking yourself the maven status every time, so it's pretty useful and I will say in terms of security, if everyone using the panda bot in the ecosystem that could just improve our situation. For example, guava there is a lot of cves in the old version of governor and that it's still used in jenkins core. If it was updated over time every time it was updated and soonish being really updated. That will have is a lot the process there. Now it's more like we have 20 major version to update to bump.

C

So it's a mess, that's the kind of thing that will also is the future for the main tunnel.

A

Very good uli, your observations.

B

I'm using it regularly and I'm using the weekly schedule and it's really helpful so to get all the new versions of the libraries. I can't look on the internet for every library. So now it's automated, that's really fine and what's also very helpful, is that you get a pull request for free, which you see if everything still works. So some library upgrades change things and sometimes tests break, and you see it immediately if a library update breaks something and then you can fix it, etc.

B

It's really helpful for me for I'm using the panopod also for my javascript libraries, libraries, not only for the chapter for jenkins core libraries and that's helpful here as well. For instance, if bootstrap releases a new version, I automatically get the pull request and then I can prepare and companion jenkins plugin update.

B

So I have very soon the same version as the javascript library has. So it's really helpful. I can't think how it works before.

A

I I like that and thank you for mentioning the javascript. I have to acknowledge that I use it to update docker image versions right so when a docker base image up upgrades for me so debian, for instance, or centos or ubi, I get pull requests now on my plugin that relies on docker images telling me that that plug-in that that docker bait image base version has updated yeah, dependent, dependable, at least for me, has been a great experience.

C

Just perhaps one detail, but what early was saying? I think julie you're. I would say a bad example, because in your plugin you have a good code coverage for your test.

C

There is a lot of plug-in wii for test, and in this case the panabot update is very dangerous because they don't know if they will fail or not, because there is no test, and I have seen multiple requests like this being approved in one minute, meaning it was not even read so that could be painful.

A

Without the test behind that- and that's that's a that's, certainly a valid point and that's another place actually where, where hacktoberfest contributors are welcome to and encouraged to submit automated tests to plugins or to jenkins core I've found that I, like netbeans, and its ability to create a skeleton of an automated test, and I believe intellij and others have similar capabilities, so don't be shy as a hacktoberfest contributor of offering additional automated tests, particularly if you happen to look at the code coverage report for that plugin and see that the thing is not covered right and code coverage is enabled on ci.jenkins.io.

A

You can see the reports that will tell you. Oh this plug-in has particularly poor coverage, and that is a great excuse as a you want to learn something about unit testing about automated testing in java. This is a great place to do it.

A

All right, so, let's, let's submit this poll request, see where is it where's? My ah no? No, no. I know I've got that repository ah here. We go this one, so we're gonna submit another poll request and again this one's automate dependency, update, prs and notice that github kindly filled everything in for me, I have to complete the check boxes.

A

Please do the checkbox thing, because those of us who are maintainers rely on those answers to decide. Have you done a good job of preparing your pull request.

A

All right now, there's there's more yet to be done even on other topics like, for example, let's get more ideas here of things we can do to modernize like.

A

Oh, where are we here? We go, enabling incremental builds okay. This is this is a convenience for those of us who use and test development builds jenkins. Has the ability to allow developers to publish an incremental, build that others can use and consume, and by doing this incremental build others can use your your build and test your build and help you with the testing.

A

So this is the the magic command maven incrementals incrementalify, and now for this one I have to have a modern palm. So I've got to check out back to my update parent palm.

A

And now I'm going to run that command maven incrementals incrementalify.

A

What this will do is this will extend and adapt the local definition of the plugin so that it's ready to publish a an incremental version when it runs on ci.jenkins.io.

A

So I have to do a git, add dot, mvn and get at palm.xml. Now, if we look at what's changed here, we'll see it it added two files and updated the palm in that update.

A

It did this change the version from a a fixed string to a variable reference, optimized, the re github repository name and put properties in for the revision, the change list and the github repo. So I ran one command: it simplified the life for the maintainer.

A

The other files- I'm not a maven guru, so I just trust them and think that they they're probably good. Yes, we could look at them. They are. They look like maven commands, so here we're going to say, enable incremental, builds.

A

Allow others to download and test to easily download and test pull request, builds.

A

From ci.jenkins.io the reason, the reason I like this so much is: I maintain my jenkins configuration as code. One of the things I maintain as code is the list of plugins in their exact versions, because I do that I can put one of these incremental builds right in there and trivially. I've got that incremental, build in my test environment.

A

And we get push and now we'll see that it's going to start evaluating it yet again, okay, so here's here's that same pull request. Now, if we go forward this one finished skipping, the let's see and now, let's I suspect it hasn't started. Yet there we go update parent palm. No, oh, yes! This is it so this one is now running and off we go it's going to start the evaluation process.

A

So the the question from mr wick was: what terminal am I using I'm on a windows, computer and I'm using moba x term, because it's my personal preference?

A

I don't know that you need to use that you could use whatever is comfortable for you, but I happen to I happen to love this particular program and I've used it for a very long time.

A

uh Others who run natively on on mac os or on linux can just use the terminal emulator. That's there. In my case, the terminal emulator on windows is just not good enough, but moba x term is really great little french company that maintains it. They do wonderful work.

A

So enable incrementals- and now there are more steps like this, but I'd like to stop now, because I think I think we've got a good handle and I'll put some additional items here later.

A

I think what I propose that we do now is: let's look at uh switching into switching from where we're at now to let's go into a what would we call it into a session that will allow us to interact with each other more readily and work together on questions? We've got about seven people in the session.

A

It may be enough that we just gathered together as the group of us in a in a zoom meeting, that I'll post the link for you and and I'll start it here in just a moment, and we can get together in that zoom meeting to help with your specific questions, if you don't have specific questions, that's okay, you're welcome to join and just listen in. um So let's, let's have everybody, I'm I'm gonna. Have you join? Let's see, how do we do this? How do I commute?

A

Oh, I know I'm going to create the zoom meeting and I'm going to communicate it into the chat. You've got to copy that url from the chat window, because when I start the zoom meeting it will end our webinar so so be ready. I'm going to paste a zoom link in in in the chat just a moment and I'm going to stop sharing my screen so that you can see my face.

A

All right so media zoom, okay, sign in.

A

It'll be just a minute here: okay, so now I'm going to host a meeting with video on okay. Oh no! I can't do that. Oh my mistake. Oh I rescued us. I would have just knocked us all out. Let's try this again mark still learning how to use zoom, I'm going to schedule a meeting and working session for contributor summit.

A

And we are set- and let's do this- we want posts and participants video on and there we go okay. So the.

A

The url that you are going to need to enter it is important. You must copy this url.

A

I'm going to start that meeting in just a minute and so copy that url now please reply and chat when you've got a copy of it. So I don't knock you off before we're ready to go.

B

Maybe you can put the link in the hackathon uh guitar channel as well.

A

That's right as well yeah, that's there's, there's a risk that we may get spammed. If I do that, we've had when we post public zoom meeting links, but at this hour of the morning it may be okay, I'm not sure. So, let's shall we risk it. I mean if we, if, if it goes badly and somebody joins us and and is spamming, us we'll we'll know, let's see so actually- and I know what I can do to reduce the risk there.

A

I'm going to change this definition so that you'll, we'll use the waiting room and you'll have to be uh um granted permission to come in.

C

Just a stupid question: could you stop the recording and put everyone as panelists.

A

Oh, we could. We could try that, yes, you want to try that instead, that would be simpler and with.

C

The potential shutdown because of some synchronization.

A

Yeah, how about let's do that, I'm going to go ahead and stop the recording.