Hi everyone,

Some feedback the Jenkins security team received for code scanning was that it is inconvenient to mark findings as false positives through the GitHub UI.

Thanks to work by https://github.com/yaroslavafenkin the Jenkins Security Scan now supports two different ways to suppress findings in code: using comments or using a @SuppressWarnings annotation. The detailed finding descriptions on the GitHub UI explain how to use these to suppress specific findings (re-run the scan if needed to get an updated description).

Regards
Daniel

On Tue, Feb 22, 2022 at 6:29 PM Daniel Beck <db...@cloudbees.com> wrote:
> Hi everyone,
>
> I've published the previously private[1] Jenkins code scanning rules for CodeQL. These are static analysis rules covering mostly Jenkins-specific issues, like unprotected Stapler web methods and use of APIs that are generally not a good idea in the context of Jenkins plugins.
>
> While this uses the CodeQL CLI and Java language support, the queries are entirely custom, so this is set up so it can run side-by-side with the normal GitHub CodeQL security scanner (or any other such tool), which would identify more generic issues.
>
> You can now enable them for your plugins by setting up a GitHub Workflow. For details about setting this up inside and outside the jenkinsci GitHub org, see the documentation on jenkins.io[2].
>
> The existing mechanisms to run this scan on plugin repos -- signing up through INFRA tickets and labeling repos with jenkins-security-scan-enabled[3] -- will be retired, so I recommend you set this up even if you already get scan results.
>
> Regards
> Daniel
>
> 1: https://www.jenkins.io/blog/2020/11/04/codeql/
> 2: https://www.jenkins.io/redirect/jenkins-security-scan
> 3: https://groups.google.com/g/jenkinsci-dev/c/xpsIgJJy44U/m/w-O0JbpTBgAJ