So hello, we're doing a quick overview of how the security notifications work in Jenkins. So it's one of the projects for the Jenkins Kubernetes operator. The idea is to expose security warnings there. And we will just go through how the ecosystem works. So just to start from the public side, we have security advisories. There is a Jenkins security team working on that. And here, if you go to security advisories, you can find a lot of advisories being released for particular plugins, et cetera. So this is what we see in public. And here you can see that there is a warning, for example, that there is a very high, high, medium, high, something like that. So this is the information we have. And we also have information being exposed on the plugin side. So for example, let's take a look at, for example, the File System Trigger plugin. It's a nice use case because I used to be a maintainer of this plugin. Sorry about that. And yeah. So here you can see that right now there is a previous security warning, an XSS vulnerability. And it points you to the security advisory. So this information is being retrieved from the API provided by the update site, et cetera. So we have two components for that. Have you already investigated the infrastructure? Okay. So if not, I will just show it to you. So there is update center v2. So basically it's the update center, which serves all the data for Jenkins. It's built regularly. And you can see commits which add warnings to the advisory. And here you can see a file. So this is basically the information which is available about security vulnerabilities in our metadata. So here you can see that we have ID, type, name, message, URL, and versions. So this is the information which is available in the plain update center. And when we build the Jenkins plugin site, so this is plugins.jenkins.io I was showing. So plugins.jenkins.io consists of two components. One component is the API. So just a second, it's in jenkins-infra I believe. So I have no memory of this place.
So there are two repositories. One is plugin-site, which is rather the front end. It's currently a static front end being built with Gatsby. So there are a lot of build-time things. And to build it, it actually uses the data from the update center, like this metadata in warnings JSON. And it also uses metadata provided by plugin-site API. At the same time plugin-site API also provides some runtime API, so you can get the API for particular plugins. Maybe you could help me here with the URL. So what is it? FS trigger API, right? So who could... API and plugin. No, the plugin is to be specified later. So first you specify API, then you have to specify plugin, then the plugin name. Okay, so here we get this API which we've shown before. So here you can see some information, including security. Yes, security warnings. So this is the information we expose. And as you can see, this information is actually just exposed from here. So let's find it. So, yeah, FS trigger. So this is the metadata which we inject. And here's an answer to your question. There is no data which could expose severity there. But at the same time, when we work on the security issues, we actually assign the CVE numbers. So that's what you might have seen for advisories. So for example, again, let's take this issue. So there is CVE-2021-21657. So this is an official CVE registered in all databases because Jenkins is a CNA; Daniel Beck as security officer set up the process. So we issue our own security advisories and they become available in all standard databases. So the scanning tools can pick them up, et cetera. And yeah, here's a sample of this snapshot. So here you can see that this information is still to be determined and there is no CVSS score. Let's try to find something else because there should be ones with a CVSS score for this issue. Yeah, for example here. So again, you can see that it's basically information supplied by the Jenkins project as a part of the security release.
And here you can see that the severity level is high. So this is 8.8 and there is the attack vector. So it's a standard CVSS string. You can see some decoding here. Do you see it? Is it too small? Yeah, yeah. Yeah, so basically this is what you can get and this is what our security team submits as CNA. So at some point we have this data assigned. I cannot describe how exactly it's assigned because it's a part of the security process. So I would be happy to show it, but I'm just afraid about showing some sensitive data on the screen sharing and recording. So maybe we could talk later to Daniel Beck or you could raise the question to the developers. But what actually happens? We have these CVSS scores long before we release the advisory because when we prepare the advisory, et cetera, all this process, the generation of this metadata for MITRE, et cetera, is all automated. So what we would just need is to update our process to also inject this CVSS score here. It could be, for example, two fields, one with severity and another one with the CVSS score. And once it's exposed in the update center, you can also propagate it to the plugin-site API and expose it for your needs. Do you follow me? Yeah, yeah, I'm like getting the gist. So right now there is like no way to access the API, right? Well, yes and no. You can still retrieve this data directly from sites like MITRE, et cetera, because all of them have APIs which you can use to extract this data. So in theory, you should be able to retrieve the data somehow from here. How exactly to do that? Like, try to scrape HTML or something like that. So yeah, so what would you need to do? You have this metadata. So, and again, here's the problem. This metadata doesn't include CVSS. Yeah, this is security, I would say so. Yeah, but where can you find CVSS? So let's assume you do some... I'm not sure what exactly you're doing at the moment and how you plan to implement it, and I still need to take a look.
But yeah, there is this update center metadata and there is also jenkins.io. So on jenkins.io, all the advisories are also managed as code. And here, for example, we can go to content data and... no, I was wrong. So it's in security. So in security, there are advisories, and let's again take a look at our last advisory. Yeah, this one. So, yeah, this is our advisory, right? Yeah. And what you can see here is that if you switch to the raw format, you will see that this advisory is actually implemented as a set of metadata. So, yeah, I'm zooming in a bit. So here you can see, for example, where was our plugin you were talking about? Yeah. FS trigger. Yeah, FS trigger. Yeah, so FS trigger. So what you can see here, you can see that the metadata ordering is quite strange because it's auto-generated. So we probably could do better on that. But what you can see is that actually by just pulling this data, and you can derive the URL because this URL can be extracted from this URL. Yeah, yeah, yeah. So you can query this data just from GitHub and you can get the CVSS and severity from here. Yeah. So once that advisory is out, you can retrieve the data from here by applying some magic tricks. So basically in your case, you have two options. One is just somehow to hack the implementation. For example, in your code, you can just pull these files, parts of them, and expose metadata from there. It's one of the approaches. And another approach would be to go and actually update the update center 2 and plugin-site API to expose this metadata. And likely also the advisory generation scripts. So this metadata is automatically injected because Daniel Beck and other security team members do not write it by hand. They have tools which generate that. So these tools would also need to be updated to inject these entries, but technically it's possible. Okay, okay.
Okay, so basically you have the classic choice of any open source developer, whether you implement a hack by using another data source or whether you implement the proper solution. Yeah. And I have no advice on what path to take. I suggest talking to your mentors. Maybe Daniel Beck would be willing to provide some guidance. I can assure you that the implementation is quite easy, but it may take some time to deliver these components because it needs review, it needs release. We do continuous delivery for all the components. So basically it requires some reviews. I'm a maintainer of this repository, so I can help. But yeah, it's your choice whether you want to do that. And my action item is to actually share this video so that you can decide how you approach that. Okay, okay, sure. Okay, any questions? Nothing else. I'll look into it, so I'll try something. It's okay. Yeah, happy to help. Thank you. Yeah, thank you too. So I guess I will stop the recording then and if we have no other questions, just thanks everyone and let's talk later. Sounds good. So yeah, look at it, if you have such questions, don't hesitate to ask in the chat. So you're using Pyrschlaps Slack at the moment, right? Yeah. So I'm in this Slack and you are totally welcome to ping me if you have any questions. Implementation. Thanks, Oleg. Thanks, Christian. Yeah, you're welcome. Actually, I do have a question. So I heard that we have a Discord now, or is that more of a, no, okay. No, we do have a Discord now. So let me show it to you. Okay. So full disclaimer, it's yet to be announced because it's in the discovery state. Okay. So we have community.jenkins.io. So this is Discord, which is actually supported by the company which currently develops Discord. And yeah, thanks a lot to them. So here we have initiated some initial categories. It's in preview. So yeah, some things might be different, some things might not work, but here, for example, we created an entry for GSoC.
There is just a quick summary about how to get information, et cetera. And yeah, if you want to discuss something, we can try using this channel because I can totally imagine that for some of these cases, a Discord could be better than a million pieces in the chats, especially now in the situation when we have CDF Slack and the Gitter with Jenkins. Well, to be honest, I think that maybe it's time to kill Gitter and replace it with Discord. Okay. I was like, oh man, we have all of the... The thing I like about Gitter is that it also has the reference on the side to all of the activity, especially if your Gitter is tied to a repo, so that you can immediately see information about pull requests that are open. I love that you can immediately see stars or just cloning things, but mostly the pull requests and stuff. It's just an extra reference. And that's why I really like Gitter, but it's mostly based on, like, it truly is, if it's tied to a repository. I think I find it helpful, but I don't know. I don't know where the feature is going in different directions. Well, it's here to be decided because currently it's a prototype. Okay. So we are looking into whether it can be used. So already here, and Gavin is driving that. Okay, cool. Yeah, I saw that on this channel. That's why I wanted to bring it up. So I was like, I didn't realize it was still in development, but I did see it in the developers and I was like, oh no. So. Yeah, so yeah, basically it's currently in preview. I have an action item to actually make it more explicit that it's in preview. Before that, I just did "welcome to Discord". Okay. So this one, but I think that I will be trying to make it even more explicit that it's a preview. Okay. And for the rest, yeah, you are welcome to try it out. But yeah, the intention is not to introduce yet another channel. Yes. But to consolidate some channels because currently it's just sprawl almost everywhere. Right.
So we want to actually kill some of the remaining IRC channels. We moved to Libera.Chat and we have only four IRC channels left. It's also something we need to announce formally. It's just in the mailing list, but yeah, there are things here and there. So yeah, and here if you want to share your feedback, there is site feedback. And of course there is a question, YAGNI somewhere. So just a second, I'm looking for that. But yeah, there was definitely a question started somewhere about whether we actually need that. And you're welcome to participate. I'm just looking for this chat. Goal and purpose of community Jenkins. I know regarding other communication channels. So it's Angelik who started it. I'll probably drop it to the mailing list. And I had to do that. It's so true. But yeah, actually I think that it's important to try because we had issues with communication channels in Jenkins for a long time. And if Discord resolves our issue, I'm totally for that. And I have no hard feelings about removing the majority of Gitter channels. Especially once it is a pony, because Gitter threads are still terrible. Well, they're better than they used to be. Yes, yeah, the threads are not good. I do agree with you on that. The threads are not great, but the only thing I really like though is having the reference to the repository on the side and being able to reference it like that. But yeah, the threads are not great in Gitter at all. So. All right, cool. That's all I have to ask you. Yeah, so we just tried it out. And I think that, yeah, again, it's a good opportunity for providing feedback. I have some personal interests in that as events officer. For example, I want to introduce language groups. So, yeah, you might have seen some activities from me on Twitter about the Spanish Jenkins and Jenkins from there. And well, I study French, as you may have noticed from the previous phrase; my French is terrible, but I'm working on a playground for language practice.
There is also a Jenkins RU community, but it's an experiment because actually, yeah, all our community is in Telegram or meetup.com at the moment. But yeah, again, I created a placeholder just in case. So that everyone who's interested, they can go there, discover and navigate to our channels. And we have a lot, including using Jenkins, developing Jenkins, sorry, it's in Russian. But yeah, it's like that. And Telegram doesn't support threads at all. So I would say particularly for the developer channel and for the Russian-speaking user channel, it's a kind of nightmare because in the user channel, we have something like 400 messages per day. And there are no threads in Telegram. So how people manage to have a reasonable conversation, that I don't know, I just view the channel. So yeah, okay, anything else for today? Again, then I'll stop screen sharing and yeah, thanks for the good questions. I will create the videos. Maybe I'll cut it into two because Gavin might use some quick overview of Discord for his announcements and work. And yeah, the team can use the security part of it as well. But I would rather ask Daniel to create a bigger deep dive, but I hope it helps. That's it for today. And thanks all. Thank you. Thanks, Oleg. Thanks, Christian. Yeah, bye. See you. Bye, Oleg.