feat: Add December report for the Jenkins CSP project #452

Open
wants to merge 2 commits into
base: main
173 changes: 173 additions & 0 deletions alpha/engagements/2024/Jenkins/update-2024-12.md
@@ -0,0 +1,173 @@
Report Date: Dec 31, 2024
## Current Status
As the Jenkins CSP project enters its final phase of this three-month initiative, the team has made commendable progress despite encountering unique challenges.
The shift to targeting plugins with 10k installations brought new hurdles, such as unresponsive or slower maintainers, which impacted the pace of pull request (PR) reviews and merges.
Additionally, many of these plugins were outdated, requiring significant modernization efforts before addressing CSP-specific issues.

Despite these obstacles, we are proud of the strides made in securing the Jenkins ecosystem, thanks to the persistence and collaborative efforts of our team.

## Progress Summary
## December 2024 - Jenkins CSP Project Update

## Summary
- Total PRs: 50
- Total Repositories: 39
- Total Users: 2
- Open PRs: 39 (78%)
- Closed PRs: 2 (4%)
- Merged PRs: 9 (18%)

### Completed Tasks
#### jenkinsci/atlassian-jira-software-cloud-plugin
- Yaroslav has worked on [[JENKINS-74895] Extract inline JavaScript from `JiraCloudPluginConfig/config.groovy`](https://github.com/jenkinsci/atlassian-jira-software-cloud-plugin/pull/131) (2024-12-06T16:14:38Z)

### jenkinsci/claim-plugin
- Yaroslav has worked on [[JENKINS-74110][JENKINS-74109] Extract inline JavaScript](https://github.com/jenkinsci/claim-plugin/pull/335) (2024-12-02T15:15:50Z)

### jenkinsci/copy-project-link-plugin
- Shlomo has worked on [[JENKINS-74240] Remove legacy checkUrl handler in copyaction/index.jelly](https://github.com/jenkinsci/copy-project-link-plugin/pull/117) (2024-12-11T17:54:55Z)

### jenkinsci/dingtalk-plugin
#### User: Shlomo
- Shlomo has worked on [[JENKINS-74087] Extract inline onClick handler in `DingTalkRobotConfig/config.jelly`](https://github.com/jenkinsci/dingtalk-plugin/pull/306) (2024-12-18T18:58:50Z)

#### jenkinsci/email-ext-plugin
- Yaroslav has worked on [[JENKINS-74891] Extract inline JavaScript from `EmailExtTemplateAction/index.groovy`](https://github.com/jenkinsci/email-ext-plugin/pull/569) (2024-12-04T13:34:25Z)

#### jenkinsci/maven-repo-cleaner-plugin
- Shlomo has worked on [Refresh plugin](https://github.com/jenkinsci/maven-repo-cleaner-plugin/pull/77) (2024-12-23T16:47:03Z)

#### jenkinsci/nant-plugin
- Shlomo has worked on [[JENKINS-74201] Remove legacy `checkUrl` handler in `nant/NantBuilder/global.jelly`](https://github.com/jenkinsci/nant-plugin/pull/6) (2024-12-11T15:45:49Z)

#### jenkinsci/pipeline-aggregator-view-plugin
- Yaroslav has worked on [[JENKINS-74122] Extract inline JavaScript from `PipelineAggregator/index.jelly`](https://github.com/jenkinsci/pipeline-aggregator-view-plugin/pull/30) (2024-12-05T10:39:42Z)

#### jenkinsci/pollscm-plugin
- Shlomo has worked on [[JENKINS-74199] Extract inline script block and event handler in `PollNowAction/action.jelly`](https://github.com/jenkinsci/pollscm-plugin/pull/47) (2024-12-27T16:07:03Z)

#### jenkinsci/port-allocator-plugin
- Shlomo has worked on [[JENKINS-74143] Remove legacy checkUrl handlers in `port_allocator/PortAllocator/global.jelly`](https://github.com/jenkinsci/port-allocator-plugin/pull/50) (2024-12-10T15:19:58Z)

#### jenkinsci/sauce-ondemand-plugin
- Shlomo has worked on [[JENKINS-74147] Extract inline JS script in `SauceOnDemandBuildWrapper/config.jelly`](https://github.com/jenkinsci/sauce-ondemand-plugin/pull/213) (2024-12-10T14:18:41Z)

### In Progress Tasks
#### jenkinsci/atlassian-jira-software-cloud-plugin
- Yaroslav is working on [[JENKINS-74895] Extract inline JavaScript from `JiraCloudPluginConfig/config.groovy`](https://github.com/jenkinsci/atlassian-jira-software-cloud-plugin/pull/132) (2024-12-06T16:21:59Z)
- Yaroslav is working on [[JENKINS-74125] Extract inline event handlers from `configuration/config.jelly`](https://github.com/jenkinsci/atlassian-jira-software-cloud-plugin/pull/133) (2024-12-06T18:36:11Z)

#### jenkinsci/browserstack-integration-plugin
- Yaroslav is working on [[JENKINS-74133] Extract inline JavaScript from `AutomateTestAction/summary.jelly`](https://github.com/jenkinsci/browserstack-integration-plugin/pull/85) (2024-12-23T14:06:38Z)

#### jenkinsci/buildgraph-view-plugin
- Yaroslav is working on [Refresh plugin](https://github.com/jenkinsci/buildgraph-view-plugin/pull/47) (2024-12-11T13:18:08Z)
- Yaroslav is working on [Fix SECURITY-1591](https://github.com/jenkinsci/buildgraph-view-plugin/pull/48) (2024-12-11T13:22:34Z)
- Yaroslav is working on [[JENKINS-74212] Extract inine JavaScript from `BuildGraph/index.jelly`](https://github.com/jenkinsci/buildgraph-view-plugin/pull/49) (2024-12-11T14:29:59Z)

#### jenkinsci/calendar-view-plugin
- Yaroslav is working on [[JENKINS-74179] Use `configure-entries-resources.js` from Jenkins core](https://github.com/jenkinsci/calendar-view-plugin/pull/46) (2024-12-09T16:05:26Z)

#### jenkinsci/create-fingerprint-plugin
- Shlomo is working on [[JENKINS-74162] Migrate legacy checkUrl attribute in `CreateFingerprint/config.jelly`](https://github.com/jenkinsci/create-fingerprint-plugin/pull/4) (2024-12-23T16:18:56Z)

#### jenkinsci/delivery-pipeline-plugin
- Yaroslav is working on [[JENKINS-74082][JENKINS-74084] Fix CSP violations](https://github.com/jenkinsci/delivery-pipeline-plugin/pull/41) (2024-12-19T16:23:08Z)

#### jenkinsci/depgraph-view-plugin
- Shlomo is working on [[JENKINS-74135] extract inline JS script in `AbstractDependencyGraphAction/jsplumb.jelly`](https://github.com/jenkinsci/depgraph-view-plugin/pull/38) (2024-12-05T18:44:57Z)

#### jenkinsci/downstream-ext-plugin
- Shlomo is working on [[JENKINS-74200] Migrate legacy checkUrl attribute](https://github.com/jenkinsci/downstream-ext-plugin/pull/9) (2024-12-27T16:25:51Z)

#### jenkinsci/folder-auth-plugin
- Yaroslav is working on [[JENKINS-74131] Extract inline JavaScript in `FolderAuthorizationStrategyManagementLink/index.jelly`](https://github.com/jenkinsci/folder-auth-plugin/pull/105) (2024-12-20T13:06:13Z)

#### jenkinsci/fortify-plugin
- Yaroslav is working on [Make plugin CSP compliant](https://github.com/jenkinsci/fortify-plugin/pull/78) (2024-12-26T13:15:02Z)

#### jenkinsci/global-variable-string-parameter-plugin
- Yaroslav is working on [Refresh plugin for December 2024](https://github.com/jenkinsci/global-variable-string-parameter-plugin/pull/2) (2024-12-09T12:03:05Z)
- Yaroslav is working on [[JENKINS-74153] Remove legacy `checkUrl` in `GlobalVariableStringParameterDefinition/index.jelly`](https://github.com/jenkinsci/global-variable-string-parameter-plugin/pull/3) (2024-12-09T12:51:54Z)

#### jenkinsci/last-changes-plugin
- Yaroslav is working on [[JENKINS-74144][JENKINS-74146] Extract inline JavaScript to `.js` files](https://github.com/jenkinsci/last-changes-plugin/pull/116) (2024-12-27T14:27:53Z)

#### jenkinsci/m2release-plugin
- Yaroslav is working on [[JENKINS-74073] Migrate legacy `checkUrl` in `M2ReleaseBuildWrapper/global.jelly`](https://github.com/jenkinsci/m2release-plugin/pull/123) (2024-12-20T16:15:46Z)

#### jenkinsci/managed-scripts-plugin
- Shlomo is working on [[JENKINS-74121] Remove inline onClick handlers in WinBatchBuildStep/config.jelly](https://github.com/jenkinsci/managed-scripts-plugin/pull/30) (2024-12-05T23:05:49Z)
- Shlomo is working on [[JENKINS-74119] Remove inline onClick handlers in `PowerShellBuildScript/config.jelly`](https://github.com/jenkinsci/managed-scripts-plugin/pull/31) (2024-12-05T23:37:26Z)
- Shlomo is working on [[JENKINS-74118] Remove inline onClick handlers in `ScriptBuildStep/config.jelly`](https://github.com/jenkinsci/managed-scripts-plugin/pull/32) (2024-12-06T00:57:24Z)
- Shlomo is working on [[JENKINS-74120] Remove inline js script in `ScriptConfig/edit-config.jelly`](https://github.com/jenkinsci/managed-scripts-plugin/pull/33) (2024-12-06T01:25:43Z)

#### jenkinsci/matrix-combinations-plugin
- Yaroslav is working on [[JENKINS-74161] Extract inline JavaScript from `taglib/matrix.jelly`](https://github.com/jenkinsci/matrix-combinations-plugin/pull/54) (2024-12-09T14:15:24Z)

#### jenkinsci/maven-info-plugin
- Yaroslav is working on [[JENKINS-74124][JENKINS-74123] Use CSP compliant `st:bind`](https://github.com/jenkinsci/maven-info-plugin/pull/103) (2024-12-05T14:46:30Z)

#### jenkinsci/miniorange-saml-sp-plugin
- Shlomo is working on [[JENKINS-74169] Remove onClick handlers in `MoPluginConfigView/freeTrialModal.jelly`](https://github.com/jenkinsci/miniorange-saml-sp-plugin/pull/8) (2024-12-06T16:22:19Z)

#### jenkinsci/persistent-parameter-plugin
- Yaroslav is working on [Refresh plugin for December 2024](https://github.com/jenkinsci/persistent-parameter-plugin/pull/16) (2024-12-03T15:59:09Z)
- Yaroslav is working on [[JENKINS-74115] Remove legacy `checkUrl` from PersistentChoiceParameterDefinition/config.jelly](https://github.com/jenkinsci/persistent-parameter-plugin/pull/17) (2024-12-03T17:21:54Z)

#### jenkinsci/pipeline-timeline-plugin
- Yaroslav is working on [[JENKINS-74150] Do not embed runtime script into `index.html`](https://github.com/jenkinsci/pipeline-timeline-plugin/pull/6) (2024-12-30T16:12:28Z)

#### jenkinsci/release-plugin
- Shlomo is working on [[JENKINS-74151] Extract inline onBlur and JS script in `ReleaseStep/config.jelly`](https://github.com/jenkinsci/release-plugin/pull/48) (2024-12-19T18:57:06Z)

#### jenkinsci/repo-plugin
- Shlomo is working on [[JENKINS-74132] Migrate legacy checkUrl attribute in RepoScm/global.jelly](https://github.com/jenkinsci/repo-plugin/pull/89) (2024-12-19T17:44:38Z)

#### jenkinsci/sauce-ondemand-plugin
- Yaroslav is working on [[JENKINS-74149][JENKINS-74148] Extract inline JavaScript](https://github.com/jenkinsci/sauce-ondemand-plugin/pull/224) (2024-12-24T16:27:29Z)

#### jenkinsci/sloccount-plugin
- Yaroslav is working on [[JENKINS-74191][JENKINS-74192][JENKINS-74193][JENKINS-74194][JENKINS-74195] Fix CSP](https://github.com/jenkinsci/sloccount-plugin/pull/107) (2024-12-12T14:47:24Z)

#### jenkinsci/tap-plugin
- Shlomo is working on [[JENKINS-74247] extract inline JS script in TapStreamResult/body.jelly](https://github.com/jenkinsci/tap-plugin/pull/41) (2024-12-23T18:10:11Z)

#### jenkinsci/test-results-aggregator-plugin
- Yaroslav is working on [[JENKINS-74895] Extract inline JavaScript from `TestResultsAggregatorTestResultBuildAction/reportDetail.groovy`](https://github.com/jenkinsci/test-results-aggregator-plugin/pull/25) (2024-12-13T13:50:58Z)

#### jenkinsci/test-results-analyzer-plugin
- Yaroslav is working on [[JENKINS-74074][JENKINS-74751] Extract inline JavaScript & remove `eval` call](https://github.com/jenkinsci/test-results-analyzer-plugin/pull/122) (2024-12-17T17:51:02Z)

#### jenkinsci/urltrigger-plugin
- Shlomo is working on [Refresh plugin](https://github.com/jenkinsci/urltrigger-plugin/pull/132) (2024-12-27T16:42:24Z)
- Shlomo is working on [[JENKINS-74160] Migrate legacy checkUrl attributes in `urltrigger/URLTrigger/config.jelly`](https://github.com/jenkinsci/urltrigger-plugin/pull/133) (2024-12-27T16:55:39Z)

#### jenkinsci/veracode-scan-plugin
- Shlomo is working on [[JENKINS-74238] Remove unused onClick handler in `VeracodePipelineRecorder/config.jelly`](https://github.com/jenkinsci/veracode-scan-plugin/pull/99) (2024-12-11T17:36:27Z)

#### jenkinsci/vsphere-cloud-plugin
- Yaroslav is working on [[JENKINS-74894] Remove workaround for JENKINS-19124](https://github.com/jenkinsci/vsphere-cloud-plugin/pull/139) (2024-12-12T16:05:39Z)

#### jenkinsci/xcode-plugin
- Yaroslav is working on [[JENKINS-74111][JENKINS-74112][JENKINS-74113][JENKINS-74114] Make plugin CSP compatible](https://github.com/jenkinsci/xcode-plugin/pull/160) (2024-12-03T12:46:57Z)

### Released plugins
1. Released the [claim plugin](https://github.com/jenkinsci/jenkinsci/claim-plugin)
2. Released the [email-ext plugin](https://github.com/jenkinsci/jenkinsci/email-ext-plugin)
3. Released the [last-changes plugin](https://github.com/jenkinsci/jenkinsci/last-changes-plugin)
4. Released the [pipeline-aggregator-view plugin](https://github.com/jenkinsci/jenkinsci/pipeline-aggregator-view-plugin)
5. Released the [pollscm plugin](https://github.com/jenkinsci/jenkinsci/pollscm-plugin)
6. Released the [port-allocator plugin](https://github.com/jenkinsci/jenkinsci/port-allocator-plugin)

## Conclusion: Progress in December
December brought both challenges and successes as we approached the conclusion of this project.
Despite slower response times from some maintainers and the modernization requirements of outdated plugins,
we successfully updated and released critical plugins while laying the groundwork for future improvements.

The persistence and ingenuity
demonstrated by Shlomo and Yaroslav in addressing these complexities have been crucial to the project’s progress.
As we wrap up this phase,
the Jenkins CSP project serves as a testament to the power of collaboration and dedication
in enhancing security across open-source ecosystems.
We look forward to the next steps in sustaining and expanding this critical work.
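
Review bot: In the "Released plugins" list, all six links repeat the organisation segment (`https://github.com/jenkinsci/jenkinsci/claim-plugin`), so they will not resolve to the plugin repositories; drop the duplicate so they read `https://github.com/jenkinsci/claim-plugin` and so on. Under "Completed Tasks", the claim-plugin, copy-project-link-plugin and dingtalk-plugin entries use `###` where their siblings use `####`, and the dingtalk entry carries a stray `#### User: Shlomo` heading. `## Progress Summary`, `## December 2024 - Jenkins CSP Project Update` and `## Summary` are three consecutive level-2 headings with no content between the first two, so one or two of them can go. JENKINS-74895 is cited for both atlassian-jira-software-cloud-plugin and test-results-aggregator-plugin; please check the ticket id on the second. last-changes is listed as released while its only PR in this report (#116) is still under "In Progress Tasks", which deserves a sentence of explanation.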