The core maintainer of popular DevOps tool Jenkins has said GitHub’s new code-scanning tool helped identify seven previously unknown vulnerabilities in plugins on the platform.
GitHub code scanning was introduced five weeks ago, based on technology called CodeQL, which arrived thanks to the acquisition of security company Semmle in September 2019.
Using QL, developers can write queries to find such things as functions with unused parameters. In the third stage, the tool interprets the query results, highlighting suspect code and explaining the significance of the issue detected.
Fortunately, developers do not need to write all their own CodeQL queries, as GitHub provides thousands of pre-written queries. These are integrated with CI/CD tools (such as GitHub Actions or indeed Jenkins) so that code is scanned as it is committed.
Daniel Beck, Jenkins core maintainer and leader of the Jenkins security team, said: “Many of the security vulnerabilities discovered in Jenkins plugins are fairly similar to each other, and unfortunately they’re usually specific to Jenkins, which means existing generic tools would not be able to discover them. So I decided to write CodeQL queries for Jenkins-specific issues and invited maintainers to sign their plugins up for a ‘private beta’ of code scanning for these issues.”
The experiment was alarmingly successful. Issues were found in plugins for AWS configuration, Kubernetes, Mercurial, Azure Key Vault, and Active Directory. “All these issues were discovered with assistance by this tooling,” said Beck. “I’m very happy with the results.”
It is also a call to Jenkins users to get patching.
The security flaws are issues like “allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins” for Azure Key Vault plugin, and “missing permission check in AWS Global Configuration Plugin allows replacing plugin configuration.”
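As an added illustration, not taken from the article or from any of the plugins it names, the following hypothetical Jenkins global-configuration class shows the "missing permission check" pattern beside its hardened form. The class, field and web-method names are assumptions; the Jenkins and Stapler APIs used (GlobalConfiguration, Jenkins.get(), checkPermission, @RequirePOST) are real and assume a Jenkins 2.x core.

```java
import hudson.Extension;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.interceptor.RequirePOST;

// Hypothetical global configuration for an imaginary "example" plugin.
// Stapler exposes every public method named doXxx as a web endpoint, so
// each one is responsible for its own access control.
@Extension
public class ExampleGlobalConfiguration extends GlobalConfiguration {
    private String endpointUrl;

    public ExampleGlobalConfiguration() {
        load(); // restore persisted configuration from disk
    }

    public String getEndpointUrl() {
        return endpointUrl;
    }

    // BEFORE: the flaw class the article quotes. Nothing verifies who the
    // caller is, so anyone who can reach the URL (Overall/Read suffices to
    // reach most plugin URLs) can replace the plugin configuration. A
    // CodeQL query for this pattern looks for doXxx methods that call
    // save() without a preceding checkPermission call.
    public void doUpdateUnsafe(StaplerRequest req) {
        endpointUrl = req.getParameter("endpointUrl");
        save();
    }

    // AFTER: hardened form. checkPermission throws an AccessDeniedException
    // unless the current user holds Overall/Administer, and @RequirePOST
    // makes Stapler reject GET requests, so a state change cannot be
    // triggered simply by following a link.
    @RequirePOST
    public void doUpdate(StaplerRequest req) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        endpointUrl = req.getParameter("endpointUrl");
        save();
    }
}
```

Configuration saved through the standard Configure System form does not need this check, because core already enforces it there; the gap arises only in custom web methods such as the ones above.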
Tools to find vulnerabilities are useful for developers securing their code – one downside being that if the code is open source, there is nothing to prevent bad guys from using the same tools with less pure intentions. ®