
Conversation

@bhanurp bhanurp commented Nov 5, 2025

  • This pull request is created in the jfrog/jenkins-jfrog-plugin repository.
  • Unified frogbot flow
  • Added audit workflow
  • Migrated to JDK17
  • Fixed multiple security issues

@bhanurp bhanurp added the safe to test Approve running integration tests on a pull request label Nov 13, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Nov 13, 2025
Removed unnecessary docs
@github-actions
🚨 Frogbot scanned this pull request and found the below:

📗 Scan Summary

  • Frogbot scanned for vulnerabilities and found 1 issue

| Scan Category | Status | Security Issues |
|---|---|---|
| Software Composition Analysis | ✅ Done | Not Found |
| Contextual Analysis | ✅ Done | - |
| Static Application Security Testing (SAST) | ✅ Done | 1 Issue Found: 1 Low |
| Secrets | ✅ Done | - |
| Infrastructure as Code (IaC) | ✅ Done | Not Found |

```java
public class JFrogPlatformBuilder extends GlobalConfiguration {
    // frogbot:ignore insecure-protocol - Protocol constant for validation, actual usage is gated by allowHttpConnections security flag
    @SuppressWarnings("HttpUrlsUsage")
    private static final String[] KNOWN_PROTOCOLS = {"http://", "https://", "ssh://"};
```


🎯 Static Application Security Testing (SAST) Vulnerability

| Severity | Finding |
|---|---|
| Low | Detected usage of communication methods lacking encryption. |

Full description

Vulnerability Details

Rule ID: java-insecure-protocol

Overview

Using insecure protocols—such as HTTP, FTP, or LDAP—can expose sensitive
data during transmission, making it vulnerable to eavesdropping and man-in-the-middle
attacks. Secure protocols like HTTPS and FTPS should be used to ensure data
encryption during communication.

Vulnerable example

In this example, the application uses insecure protocols to communicate,
taking the protocol type from hardcoded strings.

```java
import java.io.IOException;
import java.net.URL;
import java.net.URLConnection;

public class insecure_protocol_vuln {

    public void connectToFrogService(String server) throws IOException {
        String insecureHttpProtocol = "http://"; // Insecure protocol
        String url = insecureHttpProtocol + server + "/frogEndpoint";
        URL obj = new URL(url);
        URLConnection conn = obj.openConnection(); // Vulnerable: Insecure protocol
        conn.connect();
    }
}
```

Remediation

To mitigate the use of insecure protocols, replace them with secure alternatives
such as HTTPS or FTPS.

```java
import java.io.IOException;
import java.net.URL;
import java.net.URLConnection;
import javax.net.ssl.HttpsURLConnection;

public class insecure_protocol_safe {

    public void connectToFrogService(String server) throws IOException {
        String secureHttpProtocol = "https://"; // Secure protocol
        String url = secureHttpProtocol + server + "/frogEndpoint";
        URL obj = new URL(url);
        HttpsURLConnection conn = (HttpsURLConnection) obj.openConnection(); // Safe: Secure protocol
        conn.connect();
    }
}
```


---
<div align='center'>

[🐸 JFrog Frogbot](https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot)

</div>
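The flagged line keeps `http://` as a validation constant and states that plaintext connections are gated by an `allowHttpConnections` flag, which is why the finding was suppressed with `frogbot:ignore`. The Frogbot remediation snippet only shows swapping the literal for `https://`; it does not show what a gated allow-list check looks like. The example below is added here and is not code from jenkins-jfrog-plugin: it parses the configured URL with `java.net.URI`, accepts only the scheme set the snippet lists (`http`, `https`, `ssh`), and refuses `http` unless the caller has opted in. The class name `PlatformUrlValidator`, the method `validate`, and the sample URLs are hypothetical; the plugin's real validation logic is not on this page.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added example, not part of jenkins-jfrog-plugin. Names are hypothetical.
public final class PlatformUrlValidator {

    // Schemes the plugin is willing to talk to at all (mirrors the KNOWN_PROTOCOLS
    // constant on the page); anything else is rejected before any connection is made.
    private static final Set<String> KNOWN_SCHEMES = Set.of("http", "https", "ssh");

    private PlatformUrlValidator() {}

    /**
     * Returns null when the URL is acceptable, otherwise a human-readable reason.
     *
     * Parsing with java.net.URI instead of a startsWith() check on the raw string
     * means "HTTP://host", " http://host" and "https://user@host" are judged on the
     * scheme and host the HTTP client will actually use, not on a string prefix.
     */
    public static String validate(String rawUrl, boolean allowHttpConnections) {
        if (rawUrl == null || rawUrl.isBlank()) {
            return "URL must not be empty";
        }
        URI uri;
        try {
            uri = new URI(rawUrl.trim());
        } catch (URISyntaxException e) {
            return "URL is not syntactically valid: " + e.getMessage();
        }
        String scheme = uri.getScheme();
        if (scheme == null) {
            return "URL must include a scheme (https://...)";
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!KNOWN_SCHEMES.contains(scheme)) {
            return "Unsupported scheme '" + scheme + "'";
        }
        if (uri.getHost() == null) {
            return "URL must include a host";
        }
        // The security-relevant gate: plaintext HTTP is an explicit, opt-in choice.
        if ("http".equals(scheme) && !allowHttpConnections) {
            return "Plaintext http:// is disabled; use https:// or enable allowHttpConnections";
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample inputs covering the interesting cases.
        String[] samples = {
            "https://artifactory.example.com/artifactory",
            "http://artifactory.example.com/artifactory",
            "HTTP://artifactory.example.com",
            "ssh://git.example.com",
            "ftp://artifactory.example.com",
            "artifactory.example.com",
        };
        for (String s : samples) {
            System.out.printf("%-45s strict    -> %s%n", s, String.valueOf(validate(s, false)));
            System.out.printf("%-45s allowHttp -> %s%n", s, String.valueOf(validate(s, true)));
        }
    }
}
```

With `allowHttpConnections` false, the `http://` and `HTTP://` samples are rejected with the opt-in message while `https://` and `ssh://` pass; with the flag set, the same `http` URLs are accepted. `ftp://` and the scheme-less host are rejected in both modes, which is the behaviour that makes keeping `http://` in the constant list defensible: the literal exists so the scheme can be recognised and gated, not so it is used silently.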

@bhanurp bhanurp added the improvement Automatically generated release notes label Nov 26, 2025

@agrasth agrasth left a comment


Here I can see we are checking for `safe to test` before the PR audit, but it seems the remove-label step is not added.

@bhanurp bhanurp changed the base branch from main to v2 December 19, 2025 07:04
@bhanurp bhanurp added the safe to test Approve running integration tests on a pull request label Dec 19, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Dec 19, 2025
@bhanurp bhanurp (Author) commented Dec 19, 2025

> Here I can see we are checking for `safe to test` before the PR audit, but it seems the remove-label step is not added.

The GitHub Actions removeLabel workflow is available here: https://github.com/jfrog/jenkins-jfrog-plugin/actions/workflows/remove-label.yml

@bhanurp bhanurp merged commit 5bb01da into v2 Dec 19, 2025
6 of 7 checks passed
@bhanurp bhanurp deleted the improvements-security-fixes branch December 19, 2025 18:18