diff --git a/.github/workflows/jenkins-security-scan.yml b/.github/workflows/jenkins-security-scan.yml
index 37c7f9a..36a8fda 100644
--- a/.github/workflows/jenkins-security-scan.yml
+++ b/.github/workflows/jenkins-security-scan.yml
@@ -15,8 +15,54 @@ permissions:
actions: read
jobs:
- security-scan:
- uses: jenkins-infra/jenkins-security-scan/.github/workflows/jenkins-security-scan.yaml@v2
- with:
- java-cache: 'maven' # Optionally enable use of a build dependency cache. Specify 'maven' or 'gradle' as appropriate.
- # java-version: 21 # Optionally specify what version of Java to set up for the build, or remove to use a recent default.
+ scan:
+ runs-on: ubuntu-latest # Provides `jq`
+ steps:
+ - name: Setup Maven Action
+ uses: s4u/setup-maven-action@v1.14.0
+ with:
+ java-distribution: 'temurin'
+ java-version: ${{ inputs.java-version || '17' }}
+ maven-version: ${{ inputs.maven-version || '3.9.9' }}
+ cache-enabled: ${{ inputs.java-cache }}
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: java
+ config: |
+ disable-default-queries: true
+ packs:
+ - jenkins-infra/jenkins-codeql@0.0.2
+ - codeql/java-queries:AlertSuppression.ql
+ - codeql/java-queries:AlertSuppressionAnnotations.ql
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v3
+
+ - name: Run CodeQL
+ id: generate-sarif
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: Jenkins Security Scan
+ upload: failure-only
+
+ - name: Process SARIF
+ # Process the generated SARIF file:
+ # 1. Prevent conflicts with otherwise set up CodeQL scan by renaming the tool driver
+ # 2. Remove suppressed warnings because GitHub Code Scanning does not support inline suppressions
+ run: |
+ jq 'setpath(path(.runs[].tool.driver.name); "Jenkins Security Scan") | setpath(path(.runs[].tool.driver.organization); "Jenkins Project") | del(.runs[].results[] | select( .suppressions | length != 0 ))' ../results/java.sarif > jenkins-security-scan.sarif
+ mv -v ../results/java.sarif .
+
+ - name: Archive SARIF
+ uses: actions/upload-artifact@v4
+ with:
+ path: '*.sarif'
+ name: Jenkins Security Scan SARIF
+
+ - name: Upload Scan Result
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: jenkins-security-scan.sarif
+ category: Jenkins Security Scan
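Review bot: The `Setup Maven Action` step pulls the third-party `s4u/setup-maven-action` by the mutable tag `v1.14.0`; this job runs with whatever the `permissions` block above the hunk grants (it must include `security-events: write` for the final `upload-sarif` step to work) and builds the plugin with network access, so a retagged release would execute arbitrary code with those rights — pin it to the full commit SHA and keep the tag as a trailing comment, e.g. `uses: s4u/setup-maven-action@<full-commit-sha> # v1.14.0`, so Dependabot/Renovate can still track it. The `github/codeql-action/*@v3` and `actions/upload-artifact@v4` references float on a major tag as well; that is GitHub's usual form for its own actions, but SHA-pinning them here is free and makes the whole job reproducible. Separately, the `${{ inputs.java-version }}`, `${{ inputs.maven-version }}` and `${{ inputs.java-cache }}` expressions only resolve under a `workflow_call` or `workflow_dispatch` trigger; the `on:` block is outside this hunk, and if it still fires on push/pull_request these evaluate to empty strings, which the `|| '17'` and `|| '3.9.9'` fallbacks absorb but `cache-enabled: ${{ inputs.java-cache }}` does not (the replaced reusable-workflow call passed the string `'maven'`, not a boolean, so the intended value needs re-checking either way).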
diff --git a/pom.xml b/pom.xml
index 3203c0e..895d4f2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -26,23 +26,27 @@
https://github.com/${gitHubRepo}
- 9.22.3
+ 10.17.3
999999-SNAPSHOT
- 2.440
- ${jenkins.baseline}.3
+ weekly
+ 2.475
jenkinsci/${project.artifactId}-plugin
false
1.20.1
+
+ 2254.vcff7a_d4969e5
+ 17
+
io.jenkins.tools.bom
- bom-${jenkins.baseline}.x
+ bom-weekly
3334.v18e2a_2f48356
pom
import
@@ -59,6 +63,11 @@
${revision}
zip
+
+ org.flywaydb
+ flyway-database-postgresql
+ ${revision}
+
org.flywaydb
flyway-mysql
@@ -88,12 +97,21 @@
com.fasterxml.jackson.dataformat
jackson-dataformat-toml
+
+ com.fasterxml.jackson.datatype
+ jackson-datatype-jsr310
+
com.google.code.gson
gson
+
+ org.flywaydb
+ flyway-database-postgresql
+
+
org.flywaydb
flyway-mysql
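Review bot: This hunk adds `com.fasterxml.jackson.datatype:jackson-datatype-jsr310` as a direct library dependency while a later hunk in the same pom adds the `org.jenkins-ci.plugins:jackson2-api` plugin dependency; if, as I'd expect from recent jackson2-api releases, that plugin already ships the jsr310 module, the HPI will carry a second copy of Jackson classes that can be loaded ahead of the patched ones from jackson2-api, and any Jackson CVE then has to be remediated in two places. Unless the direct dependency is needed for something jackson2-api does not provide, drop it, or keep it only with `<scope>provided</scope>` so it is available at compile time but not bundled (the same question applies to the existing `jackson-dataformat-toml` entry just above, which is context rather than part of this change). The XML tags are stripped in this rendering, so the exact element structure should be confirmed against the real pom.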
@@ -102,6 +120,10 @@
org.flywaydb
flyway-sqlserver
+
+ org.jenkins-ci.plugins
+ jackson2-api
+
@@ -226,11 +248,22 @@
+
true
src/main/resources
+
+
+
+
+ org.jenkins-ci.tools
+ maven-hpi-plugin
+ 3.58-rc1621.0cb_cd49b_b_c68
+
+
+