Updated encryption key file path to jfrog-home dir instead of jenkins…#141
Merged
naveenku-jfrog merged 5 commits intojfrog:mainfrom Feb 19, 2026
Conversation
naveenku-jfrog
had a problem deploying
to
frogbot
GitHub Actions
Failure
naveenku-jfrog
had a problem deploying
to
frogbot
GitHub Actions
Failure
naveenku-jfrog
had a problem deploying
to
frogbot
GitHub Actions
Failure
naveenku-jfrog
had a problem deploying
to
frogbot
GitHub Actions
Failure
|
📗 Scan Summary
|
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
| } | ||
|
|
||
| // Add HTTP or HTTPS protocol according to the port | ||
| String proxyUrl = proxyConfiguration.port == 443 ? "https://" : "http://"; |
There was a problem hiding this comment.
🎯 Static Application Security Testing (SAST) Vulnerability
| Severity | Finding |
|---|---|
 Low |
Detected usage of communication methods lacking encryption. |
Full description
Vulnerability Details
| Rule ID: | java-insecure-protocol |
Overview
Using insecure protocols—such as HTTP, FTP, or LDAP—can expose sensitive
data during transmission, making it vulnerable to eavesdropping and man-in-the-middle
attacks. Secure protocols like HTTPS and FTPS should be used to ensure data
encryption during communication.
Vulnerable example
In this example, the application uses insecure protocols to communicate,
taking the protocol type from hardcoded strings.
import java.io.IOException;
import java.net.URL;
import java.net.URLConnection;
public class insecure_protocol_vuln {
public void connectToFrogService(String server) throws IOException {
String insecureHttpProtocol = "http://"; // Insecure protocol
String url = insecureHttpProtocol + server + "/frogEndpoint";
URL obj = new URL(url);
URLConnection conn = obj.openConnection(); // Vulnerable: Insecure protocol
conn.connect();
}
}Remediation
To mitigate the use of insecure protocols, replace them with secure alternatives
such as HTTPS or FTPS.
import java.io.IOException;
import java.net.URL;
import java.net.URLConnection;
import javax.net.ssl.HttpsURLConnection;
public class insecure_protocol_safe {
public void connectToFrogService(String server) throws IOException {
String secureHttpProtocol = "https://"; // Secure protocol
String url = secureHttpProtocol + server + "/frogEndpoint";
URL obj = new URL(url);
HttpsURLConnection conn = (HttpsURLConnection) obj.openConnection(); // Safe: Secure protocol
conn.connect();
}
}
<br></details>
---
<div align='center'>
[🐸 JFrog Frogbot](https://jfrog.com/help/r/jfrog-security-user-guide/shift-left-on-security/frogbot)
</div>
bhanurp
approved these changes
Feb 19, 2026
1 task
bhanurp
pushed a commit
to bhanurp/jenkins-jfrog-plugin
that referenced
this pull request
Mar 15, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description:
What is the change?
Store encrypted key in a file under JfrogHomeDir
Why is this fix?
encrypted key file was stored in Jenkins Workspace which is not accessible and failing with
failed to stat encryption key file