This method invokes one of several methods considered dangerous if used incorrectly.
Incorrect use of APIs can result in a security vulnerability.
- Don't panic, even if this issue is present in previous plugin releases. Do not change your code without understanding why the finding appears. You may end up not fixing the problem, only hiding it instead.
- Determine whether this finding is a false positive (see guidance below). This is an automated scan result, so that's always a possibility. In general, the rules err on the side of caution, so false positives are pretty common. If it is a false positive, do either of the following, and you're done!
- Mark it as such on the GitHub UI
- Suppress the finding through a simple code change:
Annotate the code location with
@SuppressWarnings("lgtm[jenkins/unsafe-calls]")or add this comment just before:// lgtm[jenkins/unsafe-calls]. This is supported when using the Jenkins Security Scan workflow and in other CodeQL scans that support suppressing findings this way.
- If this is a true positive finding, use the documentation below to resolve it.
If this finding is in a plugin hosted by the Jenkins project, you can also always contact the Jenkins Security Team via Jira or email to ask for help in resolving this finding.
This check can easily identify false positives, i.e. safe code that is marked as being unsafe.
Determine which of the listed methods are invoked by your code and review the argument for why this check detects them. If the problem being described does not apply to your code, you can ignore this finding.
The following methods should never be called in a plugin to weaken SSL/TLS protection, as they will change the SSL/TLS handling for the entire JVM:
javax.net.ssl.HttpsURLConnection#setDefaultSSLSocketFactoryjavax.net.ssl.HttpsURLConnection#setDefaultHostnameVerifier
The following methods should only be called after an appropriate user (usually Job/Configure or Overall/Administer permission, depending on context) has opted to ignore SSL/TLS problems.
javax.net.ssl.SSLContext#initjavax.net.ssl.HttpsURLConnection#setHostnameVerifierjavax.net.ssl.HttpsURLConnection#setSSLSocketFactory
java.lang.System#exitshould generally not be called in Jenkins plugin code, as the entire (controller or agent) process will be stopped.java.lang.Runtime#execshould not be called from build steps and similar contexts that execute on the controller, especially if some or all of the arguments are provided by users with limited permissions to access Jenkins. If this code is executed during a build, look intohudson.Launcherand distributed builds.
See the documentation on misc APIs for recommendations.