GitHub's new security scanner definitely works, says Jenkins: It found 7 flaws in our plugins

DevOps tool's maintainer says he's 'very happy with the results'

The core maintainer of popular DevOps tool Jenkins has said GitHub's new code-scanning tool helped identify seven previously unknown vulnerabilities in plugins on the platform.

GitHub code scanning was introduced five weeks ago, based on technology called CodeQL which arrived thanks to the acquisition of security company Semmle in September 2019.

CodeQL works in three steps. Each supported language (C/C++, C#, Go, Java, JavaScript, Python, TypeScript) has a CodeQL extractor, which is run over the code (for compiled languages, by observing a build) to produce a relational database representing that code. The second step is to write queries against that database in CodeQL's query language, called QL.

Using QL, developers can query to find such things as functions with unused parameters. In the third stage, the tool interprets the query results, highlighting suspect code and explaining the significance of the issue detected.

Fortunately, developers do not need to write all their own CodeQL queries: GitHub provides thousands of pre-written ones. Scanning is integrated with CI/CD tools (such as GitHub Actions or indeed Jenkins), so code is checked as it is committed.

Daniel Beck, Jenkins core maintainer and leader of the Jenkins security team, said: "Many of the security vulnerabilities discovered in Jenkins plugins are fairly similar to each other, and unfortunately they're usually specific to Jenkins, which means existing generic tools would not be able to discover them. So I decided to write CodeQL queries for Jenkins-specific issues and invited maintainers to sign their plugins up for a 'private beta' of code scanning for these issues."

The experiment was alarmingly successful. Issues were found in plugins for AWS configuration, Kubernetes, Mercurial, Azure Key Vault, and Active Directory. "All these issues were discovered with assistance by this tooling," said Beck. "I'm very happy with the results."

It is also a call to Jenkins users to get patching.

The flaws are of the kind described in the advisories as "allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins" (Azure Key Vault plugin) and "missing permission check in AWS Global Configuration Plugin allows replacing plugin configuration."
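To make the three-step process above concrete, and to show what a Jenkins-specific query for a "missing permission check" class of bug can look like, here is an added example written for this article. It is not one of the Jenkins security team's queries and not code from GitHub or the plugins named above. It assumes two Jenkins conventions as its heuristic: Stapler exposes public methods named do* as web endpoints, and authorization is enforced by calling checkPermission or checkAnyPermission inside the handler. The class names hudson.model.Descriptor and org.kohsuke.stapler.StaplerRequest are real Jenkins/Stapler types used here only to narrow the search; the query id is made up. The query uses the CodeQL Java library's MethodAccess class, which newer CodeQL releases rename to MethodCall.

```ql
/**
 * @name Jenkins web method without a permission check
 * @description Public do* methods reachable via Stapler that act on behalf of
 *              the caller but never call checkPermission/checkAnyPermission.
 * @kind problem
 * @problem.severity warning
 * @id java/example/jenkins-web-method-missing-permission-check
 * @tags security
 */
import java

/**
 * Heuristic scope (an assumption of this example): a public method named do*
 * that either lives in a Descriptor subtype (covers GlobalConfiguration and
 * plugin descriptors) or takes a StaplerRequest parameter.
 */
class WebMethod extends Method {
  WebMethod() {
    this.getName().matches("do%") and
    this.isPublic() and
    exists(this.getBody()) and
    (
      this.getDeclaringType().getASupertype*().hasQualifiedName("hudson.model", "Descriptor")
      or
      this.getAParameter().getType().(RefType).hasQualifiedName("org.kohsuke.stapler", "StaplerRequest")
    )
  }
}

/** Any call whose target is named checkPermission or checkAnyPermission. */
class PermissionCheck extends MethodAccess {
  PermissionCheck() {
    this.getMethod().getName() in ["checkPermission", "checkAnyPermission"]
  }
}

from WebMethod m
where not exists(PermissionCheck c | c.getEnclosingCallable() = m)
select m,
  "Web method " + m.getName() + " in " + m.getDeclaringType().getName() +
  " performs no permission check before handling the request."
```

Run it with the CodeQL CLI against a database built from the plugin source (for example `codeql database create db --language=java --command="mvn -DskipTests package"` followed by `codeql database analyze db query.ql --format=sarif-latest --output=results.sarif`). The heuristic is deliberately narrow and will produce both false positives (handlers that check `hasPermission` and throw, or delegate the check to a helper) and false negatives (web methods bound by other Stapler mechanisms); the Jenkins team's own queries model those cases, which is why writing queries that know the framework's idioms matters more than the raw size of the query library.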

Tools to find vulnerabilities are useful for developers securing their code – one downside being that if the code is open source, there is nothing to prevent bad guys from using the same tools with less pure intentions. ®

Biting the hand that feeds IT © 1998–2020