First results from using GitHub CodeQL to discover security vulnerabilities in Jenkins plugins

    A little over a month ago, GitHub announced the general availability of its code scanning solution. It’s based on CodeQL, which makes it pretty easy to write queries for it and run them using the CodeQL GitHub action, CodeQL command line tools, or on lgtm.com.

    Many of the security vulnerabilities discovered in Jenkins plugins are fairly similar to each other, and unfortunately they’re usually specific to Jenkins, which means existing generic tools would not be able to discover them. So I decided to write CodeQL queries for Jenkins-specific issues and invited maintainers to sign their plugins up for a "private beta" of code scanning for these issues.

    Today’s security advisory is the first one that includes findings discovered through that initiative. All these issues were discovered with assistance by this tooling:

    While there were of course also false positives we had to review and mark as ignored, the integration with the GitHub UI made this pretty straightforward. Overall I’m very happy with the results so far, especially considering how new this initiative is.

    Interested in making the plugin you are maintaining more secure? Sign up now by filing an INFRA issue in the github component and list the plugin repositories you’d like to have scanned.

    About the Author
    Daniel Beck
    Daniel Beck

    Daniel is a Jenkins core maintainer and member of the Jenkins security team. He was the inaugural Jenkins security officer from 2015 to 2021. He sometimes contributes to developer documentation and project infrastructure in his spare time.