ec2-plugin icon indicating copy to clipboard operation
ec2-plugin copied to clipboard

Published 20 hours ago verified publisher icon jenkinsci

Demonstrate adding findsecbugs to spotbugs.

Open jeffret-b opened this issue 4 years ago • 0 comments

Demonstrate adding findsecbugs to spotbugs. This commit is a demonstration and is not intended to be merged as-is.

Findsecbugs reports several findings for this plugin, but all of them can be safely suppressed. There are a few that could be a concern, but examination shows that as currently used they do not introduce a vulnerability. While the MD5 usage here is used for tracking and not security, this serves a reminder that it would be better to migrate to a better algorithm. See JENKINS-60563.

This also uses the exclude file for a couple of finding types that are fairly common in Jenkins but not considered a concern.

My plan is to add findsecbugs at the plugin pom after sufficient testing and communication. At that point, it would make sense to add the suppressions, but not the pom file changes from this PR.

jeffret-b avatar Feb 25 '20 21:02 jeffret-b