
securitylab's Introduction

GitHub Security Lab

This is the main git repository of GitHub Security Lab. We use it for these main purposes:

  • We share with our community some best practices about security research and vulnerability disclosures in our docs
  • We use issues on this repo to track CodeQL bounty requests.
  • We use it for publishing some of our proof-of-concept exploits (after the vulnerability has been fixed). These PoCs can be found in the SecurityExploits sub-directory.
  • We publish examples of CodeQL queries, which can be found in the CodeQL_Queries sub-directory.

CodeQL Resources

This section is yours! Do you want to share a cool CodeQL query with the community? Or an awesome tutorial or video, or some helpful tooling? Your contributions are welcome. Please open a pull request. See Contributing below.

Official resources

Example queries

Articles

Videos

Tools

Disclaimer

The recommendations from the GitHub Security Lab are provided graciously and it's ultimately the responsibility of the recipients to apply them or not. This concerns recommendations given through our written or audio content, our conferences, our answers in our community spaces, or our informal office hours.

Contributing

We welcome contributions to the CodeQL_Queries sub-directory and to the CodeQL Resources section of this README.

If you have written a cool CodeQL query that you would like to share with the community, then please open a pull request to add it to the CodeQL_Queries sub-directory. Put your query in its own new sub-directory. For example: CodeQL_Queries/cpp/mynewsubdir/mycoolquery.ql. Of course, if you think your query might be eligible for a bounty, then you should open a pull request to the codeql repo instead, as we do not offer bounties for queries submitted to this repo. The queries in this repo are usually highly specialized queries that only make sense for a specific codebase, such as queries that specifically target Chrome or Apache Struts, or utility queries that help you explore your code without necessarily finding a vulnerability. Such queries are inappropriate for the codeql repo, which is for general purpose queries only.

If you would like to add a link to the CodeQL Resources section of this README, to share a nice video or an awesome tool, then just add another bullet point in the appropriate section.

  • Each bullet point should consist of a hyperlinked title and a short description. The short description is optional if the title is already self-explanatory.
  • Please add new bullet points at the bottom of the list. In the future, we may choose some other ordering such as alphabetical but for now it is just a sequential list.

Please see CONTRIBUTING.md, CODE_OF_CONDUCT.md, and LICENSE.md for further information on our contributing guidelines and license.

securitylab's People

Contributors

adityasharad, agustingianni, altmas5, anaarmas, anticomputer, antonio-morales, calumgrant, dependabot[bot], eternalsakura, gagliardetto, infin8x, intrigus-lgtm, jarlob, jbj, jf205, jkcso, jorgectf, kevinbackhouse, kmh11, lcartey, m-y-mo, pwntester, rdmarsh2, s0, sj, v-p-b, xcorail


securitylab's Issues

Java/CWE-036: Calling openStream on URLs created from remote source can lead to file disclosure

CVE ID(s)

None, but I spotted such a vulnerability in a non-public codebase some years ago.

Report

If openStream is called on a java.net.URL that was created from a remote source (query parameters, JSON, etc.), an attacker can try to pass absolute URLs starting with file:// or jar:// to access local resources in addition to remote ones.

Related pull request:
github/codeql#2899

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

CodeQL query to detect SSRF in Python

CVE ID(s)

There's no CVE for this.

Report

  • I created a query to identify Server Side Request Forgery vulnerabilities in Python. Currently my query supports the following libraries: requests, urllib, urllib2, httplib. The query uses taint-tracking to track the inputs from HTTP requests to the taint source request hosts.

You can see the query here: github/codeql#3455

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing
    Yes, on twitter :)
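The two reports above describe the same defect from two angles: a URL assembled from remote input reaches a fetch API (URL.openStream in the Java report, an HTTP client in the Python SSRF report) without anyone checking its scheme or host. The following is an added example, not code from the Security Lab repository or from either query's author, showing the check a defender would put in front of such a fetch. The scheme allow-list, the host allow-list and every sample URL are constructed for the example; Python's urllib.request accepts file: URLs just as java.net.URL does, so the same policy applies.

```python
"""Policy check for a URL taken from untrusted input, applied before fetching it.

Added example (not code from the GitHub Security Lab repo). Covers both of the
issue reports above: file: and jar: URLs reaching URL.openStream (CWE-036), and
attacker-chosen hosts reaching an HTTP client (SSRF).
"""
import ipaddress
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Only plain web schemes may be fetched; file:, jar:, ftp:, gopher: etc. are rejected.
# (Constructed policy; adjust to what the application actually needs.)
ALLOWED_SCHEMES = frozenset({"http", "https"})


class UnsafeURL(ValueError):
    """Raised when a URL fails the outbound-fetch policy."""


def _is_internal_ip(host: str) -> bool:
    """True if host is an IP literal inside loopback, private, link-local or other
    non-public space. Host names are deliberately not resolved here: that needs the
    network, and a DNS answer can change between the check and the fetch."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal; names are handled by the allow-list
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_outbound_url(url: str, allowed_hosts: Optional[Iterable[str]] = None) -> str:
    """Return url unchanged if it may be fetched, otherwise raise UnsafeURL.

    allowed_hosts: optional allow-list of host names (exact match, case-insensitive).
    When given, any host outside the list is rejected; when omitted, only the scheme
    and IP-literal checks apply.
    """
    parts = urlsplit(url)  # urlsplit lower-cases the scheme, so FILE:// is caught too
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme {parts.scheme!r} not allowed: {url}")
    host = parts.hostname  # None for 'http:///path' and for file:/// URLs
    if not host:
        raise UnsafeURL(f"URL has no host: {url}")
    if _is_internal_ip(host):
        raise UnsafeURL(f"host {host!r} is not a public address: {url}")
    if allowed_hosts is not None:
        allowed = {h.lower() for h in allowed_hosts}
        if host.lower() not in allowed:
            raise UnsafeURL(f"host {host!r} not in allow-list: {url}")
    return url


def is_safe_outbound_url(url: str, allowed_hosts: Optional[Iterable[str]] = None) -> bool:
    """Boolean wrapper around check_outbound_url for callers that prefer a flag."""
    try:
        check_outbound_url(url, allowed_hosts)
        return True
    except UnsafeURL:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, as they might arrive in a query parameter or JSON field.
    samples = [
        "https://api.example.com/v1/items",
        "file:///etc/passwd",
        "jar:file:///tmp/app.jar!/META-INF/MANIFEST.MF",
        "http://127.0.0.1:8080/admin",
        "http://169.254.169.254/latest/meta-data/",
        "https://internal-service.example.com/",
    ]
    for s in samples:
        print(f"{str(is_safe_outbound_url(s, ['api.example.com'])):5}  {s}")
```

Without an allow-list the function only blocks schemes and literal non-public IPs; a name such as localhost, or an IP written in a non-dotted form, passes and is resolved by the HTTP client. Where the set of legitimate destinations is known, pass it as allowed_hosts; that is the check the taint-tracking queries above are looking for on the path between the request input and the fetch.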

CPP: Out of order Linux permission dropping without checking return codes

The query is targeting an experimental folder in ql: github/codeql#3002 and the original feedback and design discussion: #37

CVE ID(s)

No CVEs as these bugs are in defense-in-depth and best-practice strategies.

Report

POS37-C ("Ensure that privilege relinquishment is successful")-style bugs are particularly concerning when the permissions dropping is "out of order". In this context "out of order" means the user permissions are dropped first and subsequent calls to setgroups, initgroups or setgid-like functions will fail because the new effective user does not have permissions.

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc)

Nope.
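The report above names the two halves of the bug: the wrong order (setuid before the group calls) and the missing return-code checks that let the failed group calls go unnoticed. The following is an added example, not the query author's code or the C code the query targets, written in Python so the two patterns can be placed side by side and exercised without being root. Python's os.setgroups/os.setgid/os.setuid wrap the same system calls and raise OSError where C returns -1, so the ordering is the part that carries over. FakeOS is a constructed stand-in for the os module that models only the rules the example depends on; drop_privileges takes the real os module by default and the fake is used for the offline run.

```python
"""Correct versus out-of-order privilege dropping (added example, not code from the
Security Lab repo). Constructed uids/gids; FakeOS is a constructed model, not a
kernel emulation."""
import os


class FakeOS:
    """Stand-in for the os module used to exercise the ordering offline. It models
    just the Linux rules this example relies on: setgroups() and setgid() need root
    (CAP_SETGID), and once setuid() has switched to a non-root uid there is no way
    back. Constructed for the example."""

    def __init__(self):
        self.uid, self.gid = 0, 0
        self.groups = [0, 4, 27]      # constructed: root, adm, sudo
        self.calls = []               # order in which the set* calls were made

    def _need_root(self, name):
        self.calls.append(name)
        if self.uid != 0:
            raise PermissionError(1, "Operation not permitted")

    def setgroups(self, groups):
        self._need_root("setgroups")
        self.groups = list(groups)

    def setgid(self, gid):
        self._need_root("setgid")
        self.gid = gid

    def setuid(self, uid):
        self.calls.append("setuid")
        if self.uid != 0 and uid != self.uid:
            raise PermissionError(1, "Operation not permitted")
        self.uid = uid

    def getresuid(self):
        return (self.uid, self.uid, self.uid)

    def getresgid(self):
        return (self.gid, self.gid, self.gid)

    def getgroups(self):
        return list(self.groups)


def drop_privileges(uid, gid, supplementary=(), _os=os):
    """Drop from root to uid/gid permanently, in the order that works.

    Supplementary groups and the primary group are changed first, while the process
    still holds CAP_SETGID; setuid() comes last because it is the call that throws
    that capability away. Each os call raises on failure, so no step goes unchecked,
    and the checks at the end confirm the drop took effect and cannot be reversed.
    """
    if uid == 0 or gid == 0:
        raise ValueError("refusing to 'drop' to uid 0 / gid 0")
    _os.setgroups(list(supplementary))   # 1. supplementary groups (needs root)
    _os.setgid(gid)                      # 2. primary group (needs root)
    _os.setuid(uid)                      # 3. user; privileges are gone after this
    # 4. real, effective and saved ids must all have changed, groups as requested
    if _os.getresuid() != (uid, uid, uid) or _os.getresgid() != (gid, gid, gid):
        raise OSError("privilege drop did not take effect")
    if sorted(_os.getgroups()) != sorted(supplementary):
        raise OSError("supplementary groups were not replaced")
    # 5. root must not be recoverable (saved uid is no longer 0)
    try:
        _os.setuid(0)
    except PermissionError:
        return
    raise OSError("process could regain root after dropping privileges")


def drop_privileges_wrong_order(uid, gid, supplementary=(), _os=os):
    """The pattern the report describes: setuid() first, then the group calls, with
    every failure ignored (the equivalent of discarding the C return codes). Kept
    here only to show what it leaves behind; do not use."""
    for call in (lambda: _os.setuid(uid),
                 lambda: _os.setgroups(list(supplementary)),
                 lambda: _os.setgid(gid)):
        try:
            call()
        except OSError:
            pass                         # error silently dropped


if __name__ == "__main__":
    good, bad = FakeOS(), FakeOS()
    drop_privileges(1000, 1000, _os=good)
    drop_privileges_wrong_order(1000, 1000, _os=bad)
    print("correct order :", good.calls, "->", (good.uid, good.gid, good.groups))
    print("wrong order   :", bad.calls, "->", (bad.uid, bad.gid, bad.groups))
```

In the out-of-order run the process ends up with uid 1000 but still gid 0 and the root supplementary group, exactly the defense-in-depth gap the report describes; with return codes discarded, nothing in the program's own output reveals it. A CodeQL query for this pattern therefore has two things to look for: a setuid-family call that precedes setgroups/initgroups/setgid, and any of those calls whose result is not checked.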

[USERNAME]: [SUMMARY]

CVE ID(s)

List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database.

  • CVE-20nn-nnnnn

Report

Describe the vulnerability. Provide any information you think will help GitHub assess the impact your query has on the open source community.

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

Java (Maven): Use of insecure protocol to download/upload artifacts

Published Research

[Image: mitm_build]
Want to take over the Java ecosystem? All you need is a MITM!

CVE ID(s)

There are other projects without CVE numbers that need assignment still:
https://docs.google.com/spreadsheets/d/1zemxj8QdIp0saqvwJx6Po1KnyEmJXl2KC_0j0SLd_2E/edit#gid=0

Report

CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CWE-494: Download of Code Without Integrity Check

At the beginning of 2019, I began a multi-month research project into the use of HTTP instead of HTTPS across the Java ecosystem. I found that many of the most popular projects in the ecosystem were using HTTP to resolve and upload artifacts that those projects downloaded and built.

This included projects such as these:

  • Kotlin Compiler
  • Groovy Compiler
  • Jenkins
  • Many JetBrains projects
  • Many Apache projects
  • Many Eclipse projects
  • Gradle building itself

As part of this research, I reached out to many of the most popular artifact servers in the Java ecosystem and asked them to join an initiative to formally decommission the use of HTTP on January 15th, 2020.

  • Sonatype Maven Central
  • JFrog JCenter
  • Gradle
  • Spring

The links to the announcements by these organizations can be found here.

At the time, the team at Sonatype Maven Central let me know that after analyzing their traffic for a month, they determined that 25% of their downloads still used HTTP instead of HTTPS.

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

I already have, but would post an updated post after this was merged.

Query

Unfortunately, since QL doesn't allow me to create queries against Gradle build logic yet, I'm only currently able to support Maven POM XML files. However, this should still cover ~50% of the entire Java build tool ecosystem.

github/codeql#2413
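The query linked above inspects Maven POM files for repository URLs that use plain HTTP. As an added example, not the author's query and not code from the Security Lab repository, here is the same check written as a small Python scanner that can be run over a pom.xml from the command line or in CI. It goes a little beyond the report's description: it strips the POM namespace, looks inside profiles as well as the top-level sections, and expands ${property} references from the POM's own <properties> before judging the scheme. SAMPLE_POM, its hosts and ids are constructed for the example.

```python
"""Find Maven repository URLs that use plain http (CWE-494 / CWE-829).

Added example, not code from the Security Lab repo. SAMPLE_POM is constructed.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# (container element, repository element) pairs whose <url> Maven resolves
# artifacts from or deploys to. Local names only; the POM namespace is stripped.
REPOSITORY_PATHS = [
    ("repositories", "repository"),
    ("pluginRepositories", "pluginRepository"),
    ("distributionManagement", "repository"),
    ("distributionManagement", "snapshotRepository"),
]

_PROPERTY_REF = re.compile(r"\$\{([^}]+)\}")


def _local(tag: str) -> str:
    """Strip the XML namespace: '{http://maven.apache.org/POM/4.0.0}url' -> 'url'."""
    return tag.rsplit("}", 1)[-1]


def _properties(root: ET.Element) -> Dict[str, str]:
    """Collect every <properties> block (top level and inside profiles) as one dict."""
    props: Dict[str, str] = {}
    for elem in root.iter():
        if _local(elem.tag) == "properties":
            for p in elem:
                props[_local(p.tag)] = (p.text or "").strip()
    return props


def find_insecure_repositories(pom_xml: str) -> List[Tuple[str, str, str]]:
    """Return (path, repository id, url) for every repository URL that uses plain http.

    ${property} references are expanded from the POM's own <properties>. A URL that
    still contains an unresolved reference is reported too, since its scheme cannot
    be established statically and needs a manual look.
    """
    root = ET.fromstring(pom_xml)
    props = _properties(root)
    findings: List[Tuple[str, str, str]] = []
    for container_name, repo_name in REPOSITORY_PATHS:
        for container in root.iter():              # iter() also reaches <profiles>
            if _local(container.tag) != container_name:
                continue
            for repo in container:
                if _local(repo.tag) != repo_name:
                    continue
                fields = {_local(e.tag): (e.text or "").strip() for e in repo}
                if "url" not in fields:
                    continue
                url = _PROPERTY_REF.sub(lambda m: props.get(m.group(1), m.group(0)),
                                        fields["url"])
                # urlsplit lower-cases the scheme, so HTTP:// is caught as well
                if urlsplit(url).scheme == "http" or _PROPERTY_REF.search(url):
                    findings.append((f"{container_name}/{repo_name}",
                                     fields.get("id", "?"), url))
    return findings


# Constructed sample: one secure and one http repository, an upper-case scheme in a
# plugin repository, and a deploy URL hidden behind a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <properties>
    <internal.repo>http://nexus.internal.example/repository/releases</internal.repo>
  </properties>
  <repositories>
    <repository><id>central</id><url>https://repo.example.org/maven2</url></repository>
    <repository><id>legacy</id><url>http://legacy.example.org/maven2</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>plugins</id><url>HTTP://plugins.example.org/maven2</url></pluginRepository>
  </pluginRepositories>
  <distributionManagement>
    <repository><id>releases</id><url>${internal.repo}</url></repository>
    <snapshotRepository><id>snapshots</id><url>https://nexus.internal.example/repository/snapshots</url></snapshotRepository>
  </distributionManagement>
</project>
"""

if __name__ == "__main__":
    for path, repo_id, url in find_insecure_repositories(SAMPLE_POM):
        print(f"{path:45} id={repo_id:10} {url}")
```

The fix for each finding is the one the pull requests below apply: change the scheme to https (and confirm the server actually serves it). Repositories configured outside the POM, such as <mirror> entries in settings.xml, are out of scope for this scanner, just as they are for the POM-based query.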

Java (Maven): Actually fix the use of insecure protocol to download/upload artifacts

[Image: mitm_build]

Good 'ol logo for this project.

Projects Fixed

All Pull Requests (clicky)
 - https://github.com/PolskiStevek/ZenGuard/pull/2
 - https://github.com/eclipse-ee4j/security-examples/pull/9
 - https://github.com/OneBusAway/onebusaway-gtfs-realtime-munin-plugin/pull/1
 - https://github.com/flowable/flowable-engine/pull/2170
 - https://github.com/MeasureAuthoringTool/MeasureAuthoringTool/pull/65
 - https://github.com/marcelo-mason/SimpleClans/pull/552
 - https://github.com/Atmosphere/atmosphere/pull/2400
 - https://github.com/CamelCookbook/camel-cookbook-examples/pull/96
 - https://github.com/yusuke/sign-in-with-twitter/pull/7
 - https://github.com/jenkinsci/cppcheck-plugin/pull/53
 - https://github.com/kuinne/somecloud/pull/1
 - https://github.com/robo-code/robocode/pull/26
 - https://github.com/b/kafka-websocket/pull/20
 - https://github.com/light/JOps/pull/3
 - https://github.com/vogellacompany/saneclipse/pull/47
 - https://github.com/Ethcelon/IAMonFire/pull/1
 - https://github.com/mortennobel/java-image-scaling/pull/44
 - https://github.com/eclipsesource/jshint-eclipse/pull/125
 - https://github.com/maths22/ftc-scoring/pull/1
 - https://github.com/silpion/jenkins-gitflow-plugin/pull/9
 - https://github.com/melistik/vaadin-grid-util/pull/61
 - https://github.com/joerghoh/cqdeploy/pull/1
 - https://github.com/johncarl81/parceler/pull/379
 - https://github.com/OneBusAway/onebusaway-cli/pull/1
 - https://github.com/usethesource/rascal/pull/1332
 - https://github.com/DataSystemsLab/GeoSpark/pull/422
 - https://github.com/digital-preservation/droid/pull/379
 - https://github.com/apache/dubbo-spring-boot-project/pull/675
 - https://github.com/baritonehands/jenkinsnuget/pull/4
 - https://github.com/pentaho/pdi-sdk-plugins/pull/80
 - https://github.com/winterstein/Eclipse-Markdown-Editor-Plugin/pull/84
 - https://github.com/jenkinsci/master-to-master-api-plugin/pull/1
 - https://github.com/lucidworks/spark-solr/pull/286
 - https://github.com/rasto/lcmc/pull/67
 - https://github.com/jberkel/pay-me/pull/18
 - https://github.com/hbaseinaction/gis/pull/4
 - https://github.com/joachim-rodrigues/graphiteIntegrator/pull/7
 - https://github.com/52North/epos/pull/2
 - https://github.com/michaelliao/jsonstream/pull/1
 - https://github.com/jenkinsci/inodes-monitor-plugin/pull/2
 - https://github.com/lucidworks/storm-solr/pull/8
 - https://github.com/idugalic/reactive-company/pull/9
 - https://github.com/dandelion/dandelion/pull/134
 - https://github.com/Atmosphere/atmosphere-samples/pull/90
 - https://github.com/hmsonline/storm-elastic-search/pull/5
 - https://github.com/jenkinsci/analysis-suite-plugin/pull/2
 - https://github.com/dgarijo/Widoco/pull/374
 - https://github.com/medcl/elasticsearch-analysis-ik/pull/756
 - https://github.com/gdubya/mqtt-notification-plugin/pull/10
 - https://github.com/opentracing-contrib/java-spanmanager/pull/17
 - https://github.com/conveyal/gtfs-api/pull/22
 - https://github.com/USGS-CIDA/coastal-hazards/pull/1693
 - https://github.com/bstick12/jenkins-ci-leastload/pull/1
 - https://github.com/GeoKnow/LinkedGeoData/pull/33
 - https://github.com/xzer/run-jetty-run/pull/214
 - https://github.com/w3c/omn/pull/34
 - https://github.com/EvilPort2/HackingTools/pull/1
 - https://github.com/yekaterinasavelyeva/lighthouse/pull/1
 - https://github.com/GaneshBabu-J/AddressBook/pull/2
 - https://github.com/PyvesB/PetMaster/pull/33
 - https://github.com/slimshadeey1/ChannelCommandAPI/pull/1
 - https://github.com/GistLabs/mechanize/pull/78
 - https://github.com/freedesktop/xdg-shared-mime-info/pull/2
 - https://github.com/wso2/carbon-device-mgt-plugins/pull/927
 - https://github.com/IQSS/dataverse/pull/6635
 - https://github.com/dkpro/dkpro-tc/pull/541
 - https://github.com/omar-farajallah/HAFETraining/pull/1
 - https://github.com/TechnionYP5777/UpAndGo/pull/361
 - https://github.com/robotframework/SwingLibrary/pull/131
 - https://github.com/Arronlong/httpclientutil/pull/49
 - https://github.com/52North/Supervisor/pull/70
 - https://github.com/airbnb/twitter-commons-sample/pull/2
 - https://github.com/Open-MBEE/util/pull/4
 - https://github.com/nielsbasjes/yauaa/pull/199
 - https://github.com/dkpro/dkpro-similarity/pull/74
 - https://github.com/kralq/distinguishable-gray-balls-plugin/pull/1
 - https://github.com/jenkinsci/easytestreport-plugin/pull/2
 - https://github.com/AuthMe/AuthMeReloaded/pull/2014
 - https://github.com/barchart/barchart-jenkins-cascade-plugin/pull/42
 - https://github.com/AnujaK/restfiddle/pull/448
 - https://github.com/mojohaus/tidy-maven-plugin/pull/33
 - https://github.com/prumble/LotusConnectionsPlugin/pull/1
 - https://github.com/biojava/biojava/pull/861
 - https://github.com/alexholmes/hadoop-book/pull/12
 - https://github.com/MidnightBSD/security-advisory/pull/4
 - https://github.com/jnidzwetzki/bboxdb/pull/204
 - https://github.com/vjuranek/matrix-checkout-strategies-plugin/pull/1
 - https://github.com/kwatters/brigade/pull/13
 - https://github.com/mulesoft-labs/quartz-mongodb/pull/17
 - https://github.com/wso2/carbon-commons/pull/406
 - https://github.com/tmfg/digitraffic-rail/pull/1
 - https://github.com/apache/unomi/pull/127
 - https://github.com/tinyspeck/jenkins-slack-plugin/pull/11
 - https://github.com/OlivierCroisier/restangular/pull/8
 - https://github.com/camunda/camunda-bpm-platform-osgi/pull/58
 - https://github.com/brix-cms/brix-cms/pull/231
 - https://github.com/NightWhistler/HtmlSpanner/pull/68
 - https://github.com/KostyaSha/block-queued-job-plugin/pull/2
 - https://github.com/pearson-enabling-technologies/elasticsearch-approx-plugin/pull/48
 - https://github.com/cloudera/cm_ext/pull/32
 - https://github.com/simplicityitself/Mongo-Tomcat-Sessions/pull/5
 - https://github.com/restfb/restfb/pull/1058
 - https://github.com/stsyhanou/SimpleCMS/pull/1
 - https://github.com/Evolveum/midpoint/pull/107
 - https://github.com/eclipse/linuxtools/pull/22
 - https://github.com/alexeykazakov/kitchensink-html5-mobile/pull/1
 - https://github.com/jvelo/mayocat-shop/pull/275
 - https://github.com/dbpedia/extraction-framework/pull/604
 - https://github.com/EaseTech/easytest-core/pull/137
 - https://github.com/UtopiaMinT/dealbot/pull/1
 - https://github.com/eugenp/tutorials/pull/8704
 - https://github.com/mcMMO-Dev/mcMMO/pull/4118
 - https://github.com/jenkinsci/dependency-queue-plugin/pull/3
 - https://github.com/jexp/store-utils/pull/52
 - https://github.com/nbbrd/jdemetra-access/pull/52
 - https://github.com/jenkinsci/exclusive-execution-plugin/pull/10
 - https://github.com/runelite/runelite/pull/10774
 - https://github.com/cscpswang/java-practice/pull/1
 - https://github.com/52North/terrainserver/pull/4
 - https://github.com/ukiuni/monitor-remote-job-plugin/pull/1
 - https://github.com/sarxos/webcam-capture/pull/758
 - https://github.com/jsflive/jsf22-examples/pull/5
 - https://github.com/crate/elasticsearch-timefacets-plugin/pull/19
 - https://github.com/itow0001/cron-shelve/pull/2
 - https://github.com/jenkinsci/configurationslicing-plugin/pull/24
 - https://github.com/jenkinsci/contrast-continuous-application-security-plugin/pull/57
 - https://github.com/BottegaIT/ddd-leaven-v2/pull/5
 - https://github.com/openanalytics/containerproxy/pull/31
 - https://github.com/OpenClinica/OpenClinica/pull/2703
 - https://github.com/theborakompanioni/thymeleaf-extras-shiro/pull/24
 - https://github.com/apache/tiles/pull/21
 - https://github.com/dsyer/sparklr-boot/pull/7
 - https://github.com/xishuixixia/quartz-monitor/pull/13
 - https://github.com/dcaoyuan/nbscala/pull/185
 - https://github.com/common-workflow-language/cwlviewer/pull/250
 - https://github.com/pulse00/Composer-Eclipse-Plugin/pull/143
 - https://github.com/pysambrero/revenge_studio/pull/1
 - https://github.com/pollend/TerasologyModuleService/pull/1
 - https://github.com/brwe/custom-endpoint-stub/pull/1
 - https://github.com/rstoyanchev/spring-mvc-chat/pull/15
 - https://github.com/SmartDataAnalytics/Sparqlify/pull/77
 - https://github.com/UrbanCode/terraform/pull/3
 - https://github.com/zhangdaiscott/jeecg/pull/53
 - https://github.com/SmartDeveloperHub/sdh-scm-harvester/pull/2
 - https://github.com/jeffmaury/kitchensink/pull/1
 - https://github.com/ApicaSystem/Apica.LoadtestPortal.JenkinsBuildRunner/pull/1
 - https://github.com/mvogiatzis/first-stories-twitter/pull/6
 - https://github.com/jenkinsci/external-scheduler-plugin/pull/1
 - https://github.com/ncjones/editorconfig-eclipse/pull/50
 - https://github.com/aslakknutsen/arquillian-showcase/pull/1
 - https://github.com/OneBusAway/onebusaway-cloud-services/pull/3
 - https://github.com/yahoo/egads/pull/69
 - https://github.com/openmrs/openmrs-module-webservices.rest/pull/423
 - https://github.com/orientechnologies/spring-data-orientdb/pull/92
 - https://github.com/jenkinsci/codedx-plugin/pull/1
 - https://github.com/vincentrussell/json-data-generator/pull/21
 - https://github.com/mabodx/hw2-bom/pull/1
 - https://github.com/Rogiel/l2jserver2/pull/41
 - https://github.com/usethesource/rascal-eclipse/pull/10
 - https://github.com/pentaho/pentaho-platform/pull/4635
 - https://github.com/Silverpeas/silverpeasmobile/pull/19
 - https://github.com/opentripplanner/OpenTripPlanner/pull/2973
 - https://github.com/jenkinsci/freestyle-multibranch-plugin/pull/3
 - https://github.com/Codearte/catch-exception/pull/56
 - https://github.com/jenkinsci/cloudtest-plugin/pull/35
 - https://github.com/m2e-code-quality/m2e-code-quality/pull/231
 - https://github.com/Open-MBEE/mms/pull/338
 - https://github.com/myungchoi/GT-FHIR2/pull/48
 - https://github.com/Alfresco/gytheio/pull/148
 - https://github.com/knowm/Yank/pull/63
 - https://github.com/hs-web/hsweb-framework/pull/155
 - https://github.com/yahoo/storm-perf-test/pull/4
 - https://github.com/jenkinsci/database-postgresql-plugin/pull/3
 - https://github.com/NLPchina/elasticsearch-analysis-ansj/pull/180
 - https://github.com/mayconbordin/postgis-geojson/pull/3
 - https://github.com/Multiverse/Multiverse-Portals/pull/535
 - https://github.com/apache/incubator-samoa/pull/84
 - https://github.com/alexholmes/hdfs-file-slurper/pull/17
 - https://github.com/LivePersonInc/ephemerals/pull/5
 - https://github.com/JimmyU1/IShare/pull/1
 - https://github.com/bkmeneguello/extreme-notification-plugin/pull/2
 - https://github.com/tomdz/storm-esper/pull/12
 - https://github.com/games647/FastLogin/pull/295
 - https://github.com/openzipkin/zipkin-gcp/pull/168
 - https://github.com/RichardWarburton/lambda-behave/pull/99
 - https://github.com/ttrelle/spring-data-examples/pull/2
 - https://github.com/omnifaces/optimusfaces/pull/30
 - https://github.com/nickgrealy/aws-sqs/pull/7
 - https://github.com/jenkinsci/create-and-run-job-trigger-plugin/pull/3
 - https://github.com/jenkins-zh/mirror-adapter/pull/9
 - https://github.com/couchbase/couchbase-kafka-connector/pull/27
 - https://github.com/openimaj/openimaj/pull/187
 - https://github.com/rabbitmq/rabbitmq-tutorials/pull/257
 - https://github.com/synopsys-arc-oss/dynamic-search-view-plugin/pull/1
 - https://github.com/jenkinsci/walldisplay-plugin/pull/52
 - https://github.com/alexholmes/hadoop-utils/pull/4
 - https://github.com/openanalytics/shinyproxy/pull/189
 - https://github.com/apache/netbeans-mavenutils-nbm-maven-plugin/pull/6
 - https://github.com/CodeCrafter47/BungeeTabListPlus/pull/513
 - https://github.com/enil/gitlab-api-plugin/pull/1
 - https://github.com/code4craft/jsoup-learning/pull/5
 - https://github.com/jenkinsci/bitkeeper-plugin/pull/2
 - https://github.com/wso2/jaggery/pull/211
 - https://github.com/opentracing-contrib/java-spring-cloud/pull/274
 - https://github.com/apache/marmotta/pull/44
 - https://github.com/LogentriesCommunity/logentries-jenkins/pull/3
 - https://github.com/ctpconsulting/query/pull/67
 - https://github.com/maripo/jenkins-blink1-plugin/pull/1
 - https://github.com/amitmohleji/xebialabs-code-snippets/pull/1
 - https://github.com/airsonic/airsonic/pull/1502
 - https://github.com/SAP/cloud-language-servers-container/pull/44
 - https://github.com/dice-group/gerbil/pull/339
 - https://github.com/Swagger2Markup/swagger2markup-maven-plugin/pull/56
 - https://github.com/att/XACML/pull/59
 - https://github.com/apache/gora/pull/199
 - https://github.com/jenkinsci/bazaar-plugin/pull/16
 - https://github.com/kontalk/tigase-server/pull/8
 - https://github.com/libraryaddict/LibsDisguises/pull/428
 - https://github.com/davemckain/qtiworks/pull/76
 - https://github.com/toto1310/fscrawler_dev3/pull/1
 - https://github.com/melin/super-diamond/pull/32
 - https://github.com/dadoonet/elasticsearch-httpclient/pull/2
 - https://github.com/BertrandDechoux/cascading.learn/pull/6
 - https://github.com/igniterealtime/Spark/pull/479
 - https://github.com/ikedam/extensible-choice-parameter/pull/38
 - https://github.com/EasyinnovaSL/DPFManager/pull/501
 - https://github.com/nativelibs4java/BridJ/pull/108
 - https://github.com/griffon/griffon/pull/307
 - https://github.com/52North/SES/pull/34
 - https://github.com/esales/menudinamico2/pull/1
 - https://github.com/rapportive-oss/storm-json/pull/4
 - https://github.com/sculptor/sculptor/pull/219
 - https://github.com/sbx0/Space/pull/2
 - https://github.com/BottegaIT/ddd-cqrs-sample/pull/2
 - https://github.com/treygrainger/solr-in-action/pull/8
 - https://github.com/jprante/elasticsearch-plugin-deploy/pull/6
 - https://github.com/eshioji/trident-tutorial/pull/4
 - https://github.com/mraible/ajax-login/pull/4
 - https://github.com/wso2/product-apim/pull/7440
 - https://github.com/Open-MBEE/mpspi/pull/3
 - https://github.com/geoscript/geoscript-js/pull/55
 - https://github.com/Praqma/compatibility-action-storage-plugin/pull/1
 - https://github.com/apache/incubator-twill/pull/7
 - https://github.com/CogComp/cogcomp-nlp/pull/727
 - https://github.com/daniel-beck/compress-buildlog-plugin/pull/3
 - https://github.com/Revivius/nb-darcula/pull/168
 - https://github.com/ArcBees/gwtquery/pull/386
 - https://github.com/jenkinsci/jsgames-plugin/pull/1
 - https://github.com/xyzrlee/api/pull/13
 - https://github.com/geosolutions-it/geoserver-manager/pull/230
 - https://github.com/vvakame/JsonPullParser/pull/44
 - https://github.com/jenkinsci/downstream-buildview-plugin/pull/11
 - https://github.com/Blazebit/blaze-persistence/pull/1003
 - https://github.com/uaarkoti/cors-filter/pull/2
 - https://github.com/alibaba/LuaViewSDK/pull/93
 - https://github.com/jenkinsci/gerrit-trigger-plugin/pull/411
 - https://github.com/danko-david/javaexperience-generic-storage/pull/1
 - https://github.com/jenkinsci/extension-filter-plugin/pull/5
 - https://github.com/jenkinsci/aws-codecommit-jobs-plugin/pull/7
 - https://github.com/Netflix-Skunkworks/dynaslave-plugin/pull/7
 - https://github.com/apache/any23/pull/155
 - https://github.com/enioka/jqm/pull/385
 - https://github.com/Terracotta-OSS/accelerated-build-now-plugin/pull/5
 - https://github.com/jenkinsci/database-mysql-plugin/pull/4
 - https://github.com/Chungsaeha/Project/pull/4
 - https://github.com/kayahr/pherialize/pull/18
 - https://github.com/jenkinsci/libvirt-slave-plugin/pull/18
 - https://github.com/apache/mina-asyncweb/pull/1
 - https://github.com/jenkinsci/debian-package-builder-plugin/pull/65
 - https://github.com/mohanv/jenkins-artifact-parameter-plugin/pull/1
 - https://github.com/Talend/components/pull/1596
 - https://github.com/52North/SOS-Test-Suite/pull/15
 - https://github.com/pvdlg/boilerpipe/pull/3
 - https://github.com/apache/geronimo-specs/pull/16
 - https://github.com/hazelcast/hazelcast-simulator/pull/1815
 - https://github.com/bearyinnovative/jenkins-bearychat-plugin/pull/25
 - https://github.com/deepspark/deepspark/pull/5
 - https://github.com/apache/struts1/pull/8
 - https://github.com/gordonad/enterprise-spring-best-practices/pull/3
 - https://github.com/dhis2/dhis2-core/pull/4853
 - https://github.com/CeON/CERMINE/pull/91
 - https://github.com/I-TECH/openmrs-module-kenyaemr/pull/181
 - https://github.com/addthis/hydra/pull/300
 - https://github.com/PyvesB/AdvancedAchievements/pull/656
 - https://github.com/Mach5/supersonic/pull/96
 - https://github.com/LiuJianan/FingerBoard/pull/1
 - https://github.com/spring-projects/spring-analytics/pull/23
 - https://github.com/jenkinsci/eggplant-plugin/pull/5
 - https://github.com/usethesource/capsule/pull/22
 - https://github.com/Melati/Melati/pull/26
 - https://github.com/eclipse/reddeer/pull/2061
 - https://github.com/MyCATApache/Mycat-NIO/pull/13
 - https://github.com/FreekDB/b52-reader/pull/1
 - https://github.com/nkns165/discard-old-build/pull/4
 - https://github.com/slimshadeey1/Bungee-Arena/pull/2
 - https://github.com/jenkinsci/environment-manager-tools-plugin/pull/9
 - https://github.com/OpenSOC/opensoc-streaming/pull/18
 - https://github.com/wso2-attic/product-emm/pull/390
 - https://github.com/diffblue/eclipse-cbmc/pull/63
 - https://github.com/ff4j/ff4j/pull/401
 - https://github.com/kstutz/jobtemplates/pull/2
 - https://github.com/OrangeChocolate/sight_spot_trip/pull/1
 - https://github.com/Backelite/sonar-swift/pull/261
 - https://github.com/snazzy79/concurrent-login-plugin/pull/1
 - https://github.com/apache/tapestry3/pull/2
 - https://github.com/gorkem/j2v8forjsdt/pull/4
 - https://github.com/apache/tajo/pull/1067
 - https://github.com/harpreetsingh/internetmemeplugin/pull/1
 - https://github.com/IBM/microprofile-meeting-concurrency/pull/3
 - https://github.com/jenkinsci/job-poll-action-plugin/pull/6
 - https://github.com/wangchaobin/gitlab-automatic-item-creator/pull/1
 - https://github.com/lvotypko/backup-jobs-plugin/pull/1
 - https://github.com/jereanon/elasticsearch-omg/pull/1
 - https://github.com/rest-assured/rest-assured/pull/1271
 - https://github.com/jenkins-infra/update-center2/pull/336
 - https://github.com/jcsirot/ansible-plugin/pull/23
 - https://github.com/nalbam/sample-spring/pull/152
 - https://github.com/MentorQuesta/questa-vrm/pull/4
 - https://github.com/terma/ajax-list-view-jenkins-plugin/pull/2
 - https://github.com/elexis/elexis-3-core/pull/392
 - https://github.com/menacher/nerdronix/pull/1
 - https://github.com/jenkinsci/agile-cockpit-notification-plugin/pull/1
 - https://github.com/biblelamp/JavaExercises/pull/9
 - https://github.com/OneBusAway/onebusaway-gtfs-realtime-from-nextbus-cli/pull/13
 - https://github.com/Fruzenshtein/security-spr/pull/7
 - https://github.com/javasoze/kamikaze/pull/7
 - https://github.com/chocoteam/choco-report/pull/1
 - https://github.com/Mindgamesnl/OpenAudioMc/pull/121
 - https://github.com/awslabs/aws-codedeploy-plugin/pull/107
 - https://github.com/buildheroes/buildheroes-plugin/pull/1
 - https://github.com/ikedam/jobcopy-builder/pull/12
 - https://github.com/SAP/cloud-roo-addon/pull/1
 - https://github.com/deeplearning4j/oreilly-book-dl4j-examples/pull/6
 - https://github.com/dCache/oncrpc4j/pull/89
 - https://github.com/jenkinsci/callback-buildstep-plugin/pull/1
 - https://github.com/atolcd/alfresco-trashcan-cleaner/pull/11
 - https://github.com/geoserver/geoserver/pull/4043
 - https://github.com/kato-im/jenkins-lechat-plugin/pull/1
 - https://github.com/heremaps/buildrotator-plugin/pull/3
 - https://github.com/apache/opennlp/pull/371
 - https://github.com/dcm4che/dcm4che/pull/671
 - https://github.com/NationalSecurityAgency/datawave/pull/742
 - https://github.com/jenkinsci/file-leak-detector-plugin/pull/8
 - https://github.com/svn2github/commons-vfs/pull/3
 - https://github.com/dkpro/dkpro-toolbox/pull/7
 - https://github.com/LaisvydasLT/lsf-cloud/pull/10
 - https://github.com/apache/bigtop/pull/595
 - https://github.com/jenkinsci/gssh-plugin/pull/1
 - https://github.com/52North/fotoquest-series-api/pull/10
 - https://github.com/TechnionYP5777/Info-Evaluation/pull/329
 - https://github.com/dkpro/dkpro-csniper/pull/5
 - https://github.com/jenkinsci/parasoft-findings-plugin/pull/4
 - https://github.com/blitz-io/blitz-jenkins/pull/1
 - https://github.com/RUB-NDS/WS-Attacker/pull/26
 - https://github.com/AlmasB/FXGL/pull/748
 - https://github.com/akaigoro/df4j/pull/6
 - https://github.com/leeadkins/elasticsearch-redis-river/pull/9
 - https://github.com/nbbrd/jdemetra-dotstat/pull/96
 - https://github.com/jenkinsci/literate-api/pull/6
 - https://github.com/arago/rike/pull/81
 - https://github.com/square/rack-servlet/pull/18
 - https://github.com/opentracing/opentracing-java/pull/371
 - https://github.com/jenkinsci/cvs-tag-plugin/pull/2
 - https://github.com/lincolnthree/errai-ui-demo/pull/2
 - https://github.com/BroadleafCommerce/BroadleafCommerce/pull/2243
 - https://github.com/ProjectKorra/ProjectKorra/pull/1054
 - https://github.com/javatuples/javatuples/pull/13
 - https://github.com/Kuvaldis/playground/pull/1
 - https://github.com/apache/geronimo-xbean/pull/22
 - https://github.com/apache/streams/pull/494
 - https://github.com/david-schuler/javalanche/pull/16
 - https://github.com/attdevsupport/ARO/pull/21
 - https://github.com/Comcast/hlsparserj/pull/11
 - https://github.com/jenkinsci/hpe-network-virtualization-plugin/pull/1
 - https://github.com/scalecube/scalecube-services/pull/705
 - https://github.com/dbuos/php-builtin-web-server-plugin/pull/1
 - https://github.com/rpetti/display-upstream-changes-plugin/pull/2
 - https://github.com/aep/btrfs-workspace-plugin/pull/2
 - https://github.com/thorntail/thorntail-examples/pull/221
 - https://github.com/wikimedia/analytics-refinery-source/pull/3
 - https://github.com/korpling/ANNIS/pull/652
 - https://github.com/jenkinsci/gcloud-plugin/pull/1
 - https://github.com/recampbell/google-login/pull/22
 - https://github.com/jenkinsci/artifactory-plugin/pull/41
 - https://github.com/hpcloud/cloudfoundry-jenkins/pull/18
 - https://github.com/jenkinsci/persistent-parameter-plugin/pull/6
 - https://github.com/eclipse-ee4j/eclipselink-examples/pull/1
 - https://github.com/cloudera/cm_api/pull/83
 - https://github.com/FunnyGuilds/FunnyGuilds/pull/1200
 - https://github.com/larusba/neo4j-jdbc/pull/17
 - https://github.com/zsmartsystems/com.zsmartsystems.zwave/pull/15
 - https://github.com/rackerlabs/blueflood/pull/835
 - https://github.com/mocleiri/github-oauth-plugin/pull/47
 - https://github.com/normanmaurer/niosmtp/pull/36
 - https://github.com/Weltraumschaf/darcs-plugin/pull/16
 - https://github.com/apache/camel-kafka-connector/pull/86
 - https://github.com/env3d/env3d-jsweet-http-server/pull/1
 - https://github.com/jrialland/parserjunior/pull/1
 - https://github.com/brendano/ark-tweet-nlp/pull/50
 - https://github.com/linagora/linshare-core/pull/24
 - https://github.com/feixiao/DesignPattern/pull/1
 - https://github.com/onebeartoe/3D-Modeling/pull/1
 - https://github.com/killme2008/xmemcached/pull/108
 - https://github.com/jenkinsci/jabber-server-plugin/pull/6
 - https://github.com/jenkinsci/grinder-plugin/pull/4
 - https://github.com/bluecrystalsign/signer-source/pull/9
 - https://github.com/corydissinger/raw4j/pull/25
 - https://github.com/jaeksoft/opensearchserver/pull/1919
 - https://github.com/openmrs/openmrs-module-metadatasharing/pull/51
 - https://github.com/radargun/radargun/pull/637
 - https://github.com/arun-gupta/docker-java-sample/pull/22
 - https://github.com/alphagov/pay-connector/pull/2097
 - https://github.com/guardian/solr-field-update/pull/1
 - https://github.com/danko-david/javaexperience-core/pull/1
 - https://github.com/openmrs/openmrs-core/pull/3122
 - https://github.com/jtransc/jtransc/pull/301
 - https://github.com/mediathekview/MediathekView/pull/489
 - https://github.com/Jochen-A-Fuerbacher/FailedJobDeactivator/pull/3
 - https://github.com/jenkinsci/meliora-testlab-plugin/pull/1
 - https://github.com/ialbors/log-command-plugin/pull/1
 - https://github.com/raydac/netbeans-mmd-plugin/pull/62
 - https://github.com/svaury/computerdb/pull/1
 - https://github.com/snowflakedb/snowflake-kafka-connector/pull/98
 - https://github.com/OpenFeign/feign-vertx/pull/9
 - https://github.com/52North/OpenSensorSearch/pull/58
 - https://github.com/bucchi/OAuth2.0ProviderForJava/pull/2
 - https://github.com/jkransen/framboos/pull/6
 - https://github.com/jdeolive/geodb/pull/32
 - https://github.com/maroxa86/Reis/pull/1
 - https://github.com/lbovet/jminix/pull/17
 - https://github.com/jenkinsci/figlet-buildstep-plugin/pull/1
 - https://github.com/hmsonline/storm-cassandra-cql/pull/68
 - https://github.com/jenkinsci/categorized-view-plugin/pull/20
 - https://github.com/USGS-CIDA/geotiff-iosp/pull/20
 - https://github.com/jenkinsci/htmlunit/pull/1
 - https://github.com/raphaeljolivet/java2typescript/pull/84
 - https://github.com/salyh/elasticsearch-security-plugin/pull/21
 - https://github.com/pac4j/play-pac4j/pull/295
 - https://github.com/kurtraschke/gtfs-rt-dump/pull/1
 - https://github.com/bhurling/bitbucket-approve-plugin/pull/1
 - https://github.com/hoobalias/TuneKeeper/pull/11
 - https://github.com/dreamXiong/hgl/pull/1
 - https://github.com/apache/myfaces/pull/83
 - https://github.com/cloudinary/cloudinary_java/pull/196
 - https://github.com/knowm/Sundial/pull/67
 - https://github.com/jenkinsci/marathon-plugin/pull/59
 - https://github.com/devlauer/jenkins-keycloak-plugin/pull/7
 - https://github.com/apache/brooklyn-library/pull/179
 - https://github.com/findbugsproject/findbugs/pull/182
 - https://github.com/dadoonet/elasticsearch-beyonder/pull/105
 - https://github.com/AKSW/RDFUnit/pull/102
 - https://github.com/BlackLabs/play-morphia/pull/133
 - https://github.com/tjitze/RankPL/pull/3
 - https://github.com/RestComm/media-core/pull/862
 - https://github.com/rstoyanchev/spring-mvc-31-demo/pull/7
 - https://github.com/apache/asterixdb-hyracks/pull/5
 - https://github.com/smartrics/RestFixture/pull/257
 - https://github.com/lejon/T-SNE-Java/pull/18
 - https://github.com/serenity-bdd/serenity-jbehave/pull/239
 - https://github.com/janakamarasena/product-is-clone/pull/6
 - https://github.com/pister/wint/pull/7
 - https://github.com/opentracing-contrib/java-jdbi/pull/25
 - https://github.com/fcrepo4/fcrepo4/pull/1628
 - https://github.com/hmsonline/storm-cassandra/pull/55
 - https://github.com/asascience-open/ncSOS/pull/190
 - https://github.com/jenkinsci/gitbucket-plugin/pull/14
 - https://github.com/52North/series-hibernate/pull/54
 - https://github.com/LeonelSoriano/test-angular-javaee/pull/1
 - https://github.com/neo4j-contrib/rabbithole/pull/89
 - https://github.com/ova2/primefaces-cookbook/pull/8
 - https://github.com/IHTSDO/snomed-template-service/pull/2
 - https://github.com/jenkinsci/pendingchanges-plugin/pull/2
 - https://github.com/ViaVersion/ViaVersion/pull/1656
 - https://github.com/lihengming/spring-boot-api-project-seed/pull/209
 - https://github.com/q13117/test-repo/pull/1
 - https://github.com/pereferrera/trident-lambda-splout/pull/3
 - https://github.com/MidnightBSD/midnightbsd-app-store/pull/7
 - https://github.com/rschildmeijer/deft/pull/158
 - https://github.com/jgritman/httpbuilder/pull/88
 - https://github.com/jmdns/jmdns/pull/195
 - https://github.com/odrotbohm/spring-restbucks/pull/95
 - https://github.com/joerghoh/cq5-utils/pull/2
 - https://github.com/octanner/kafka-logs-jenkins/pull/1
 - https://github.com/jruby/jruby-parser/pull/51
 - https://github.com/jenkinsci/gitlab-plugin/pull/1026
 - https://github.com/StripesFramework/stripes-injection-enricher/pull/1
 - https://github.com/jenkinsci/netx/pull/1
 - https://github.com/everwatchsolutions/bullpen/pull/42
 - https://github.com/pebbleblog/pebble/pull/13
 - https://github.com/synopsys-arc-oss/ownership-plugin/pull/7
 - https://github.com/fluorumlabs/scroll-target-for-flow/pull/1
 - https://github.com/jenkinsci/async-job-plugin/pull/1
 - https://github.com/ethauvin/DataProviderTest/pull/1
 - https://github.com/uberVU/elasticsearch-river-github/pull/20
 - https://github.com/jenkinsci/build-pipeline-extension-layout-plugin/pull/1
 - https://github.com/stvnfx/qodedev-talk-nifi-demo/pull/1
 - https://github.com/graphaware/neo4j-framework/pull/106
 - https://github.com/pagseguro/pagseguro-java-sdk/pull/63
 - https://github.com/fernandogodoy/projeto-java/pull/1
 - https://github.com/drewr/elasticsearch-clojure-repl/pull/1
 - https://github.com/jenkinsci/implied-labels-plugin/pull/3
 - https://github.com/InseeFr/Bauhaus-Back-Office/pull/35
 - https://github.com/IBM/microprofile-meeting-websockets/pull/2
 - https://github.com/jexp/batch-import/pull/128
 - https://github.com/vert-x3/vertx-jca/pull/16
 - https://github.com/jlewallen/jenkins-hipchat-plugin/pull/77
 - https://github.com/sbd/zap-jenkins-pipeline-plugin/pull/9
 - https://github.com/ron190/jsql-injection/pull/90501
 - https://github.com/codehaus-cargo/cargo/pull/129
 - https://github.com/apache/brooklyn-server/pull/1086
 - https://github.com/ddf-project/DDF/pull/370
 - https://github.com/jenkinsci/build-publisher-plugin/pull/11
 - https://github.com/cerner/beadledom/pull/171
 - https://github.com/jenkinsci/persona-plugin/pull/6
 - https://github.com/searchisko/searchisko/pull/300
 - https://github.com/locationtech/jts/pull/516
 - https://github.com/nhuray/dropwizard-spring/pull/14
 - https://github.com/Byclosure/gcloud-sdk-plugin/pull/3
 - https://github.com/mongeez/mongeez/pull/77
 - https://github.com/domino-succ/domino/pull/4
 - https://github.com/vert-x3/vertx-examples/pull/375
 - https://github.com/Hygieia/hygieia-publisher-jenkins-plugin/pull/23
 - https://github.com/sithu/cmpe273-assignment1/pull/1
 - https://github.com/quintona/storm-r/pull/1
 - https://github.com/viritin/viritin/pull/365
 - https://github.com/nirbar/jenkins-ibvc-plugin/pull/1
 - https://github.com/jcodec/jcodec/pull/401
 - https://github.com/joinfaces/joinfaces-maven-war-example/pull/205
 - https://github.com/microsoft/Git-Credential-Manager-for-Mac-and-Linux/pull/123
 - https://github.com/hyperhq/hyper-slaves-plugin/pull/5
 - https://github.com/chrischabot/oacurls/pull/3
 - https://github.com/JoelJ/ez-templates/pull/62
 - https://github.com/blemale/gatling-jenkins-plugin/pull/2
 - https://github.com/lvotypko/exclusive-labels-plugin/pull/1
 - https://github.com/apache/twill/pull/88
 - https://github.com/SonarSource/sonar-java/pull/2807
 - https://github.com/opentracing-contrib/java-globaltracer/pull/13
 - https://github.com/synopsys-arc-oss/extra-tool-installers-plugin/pull/2
 - https://github.com/microsoft/vso-httpclient-java/pull/32
 - https://github.com/geotools/geotools/pull/2806
 - https://github.com/kmoloniewicz/dashboard-vaadin/pull/1
 - https://github.com/Blazemeter/blazemeter-jenkins-plugin/pull/84
 - https://github.com/apache/uima-uimafit/pull/84
 - https://github.com/elasticjob/elastic-job-lite/pull/719
 - https://github.com/jsr107/RI/pull/75
 - https://github.com/yahoo/yql-plus/pull/99
 - https://github.com/m-y-mo/myfaces-trinidad_20165019/pull/1
 - https://github.com/robovm/robovm/pull/1262
 - https://github.com/apache/drill/pull/1976
 - https://github.com/apache/servicemix5/pull/10
 - https://github.com/apache/any23-server/pull/1
 - https://github.com/chauth/confluence_http_authenticator/pull/58
 - https://github.com/infinispan-demos/infinispan-wf-swarm-example/pull/9
 - https://github.com/jprante/elasticsearch-skywalker/pull/14
 - https://github.com/scouter-project/scouter/pull/675
 - https://github.com/flipkart-incubator/Lois/pull/7
 - https://github.com/jenkinsci/daily-quote-plugin/pull/3
 - https://github.com/jenkinsci/deployment-notification-plugin/pull/8
 - https://github.com/candlepin/candlepin/pull/2606
 - https://github.com/OneBusAway/onebusaway-gtfs-realtime-api/pull/15
 - https://github.com/Multiverse/Multiverse-Core/pull/2175
 - https://github.com/OneBusAway/onebusaway-everylastlogin/pull/2
 - https://github.com/thymeleaf/thymeleaf-extras-conditionalcomments/pull/7
 - https://github.com/Azure/azure-event-hubs-java/pull/464
 - https://github.com/jschuhmacher/acceleo/pull/1
 - https://github.com/jenkinsci/multi-module-tests-publisher-plugin/pull/14
 - https://github.com/laffer1/justjournal/pull/34
 - https://github.com/dropwizard-jobs/dropwizard-jobs/pull/125
 - https://github.com/ghillert/botanic-ng/pull/8
 - https://github.com/apache/deltaspike/pull/103
 - https://github.com/adobe/eventhub-akka-connector/pull/5
 - https://github.com/jboss-fuse/hawt-app/pull/7
 - https://github.com/timboudreau/nb-nodejs/pull/47
 - https://github.com/apache/cxf-dosgi/pull/7
 - https://github.com/JavaMoney/jsr354-ri/pull/327
 - https://github.com/jenkinsci/openconnect-plugin/pull/2
 - https://github.com/vjuranek/copy-project-link/pull/1
 - https://github.com/onap/so/pull/6
 - https://github.com/swagger-api/swagger-codegen/pull/10036
 - https://github.com/garethjevans/couchdb-statistics-plugin/pull/2
 - https://github.com/yash50/testlgtm/pull/4
 - https://github.com/cafarm/transit-api-webapp/pull/1
 - https://github.com/ibi-group/datatools-server/pull/279
 - https://github.com/devtty/store/pull/55
 - https://github.com/rinrinne/export-params-plugin/pull/1
 - https://github.com/ifnul/ums-backend/pull/21
 - https://github.com/jenkinsci/flyway-runner-plugin/pull/13
 - https://github.com/JnRouvignac/AutoRefactor/pull/437
 - https://github.com/boxuk/jslint-jenkins-plugin/pull/15
 - https://github.com/ImyvmCircle/Deathmoney/pull/3
 - https://github.com/gnu-mcu-eclipse/eclipse-plugins/pull/376
 - https://github.com/taksan/elastic-axis-plugin/pull/1
 - https://github.com/kurtraschke/wmata-gtfsrealtime/pull/4
 - https://github.com/jenkinsci/google-cloudbuild-plugin/pull/24
 - https://github.com/KaiserpfalzEDV/kp-central/pull/1
 - https://github.com/LeonTG/TeamHealth/pull/1
 - https://github.com/apache/james-hupa/pull/1
 - https://github.com/linkedpipes/etl/pull/798
 - https://github.com/jsievers/tycho-demo/pull/9
 - https://github.com/steveliles/jetty-embedded-spring-mvc/pull/4
 - https://github.com/JodaOrg/joda-time-i18n/pull/2
 - https://github.com/conveyal/gtfs-validator/pull/49
 - https://github.com/apache/myfaces-html5/pull/1
 - https://github.com/apache/cloudstack/pull/3877
 - https://github.com/0opslab/opslabJutil/pull/18
 - https://github.com/jenkinsci/lib-jenkins-maven-artifact-manager/pull/1
 - https://github.com/dockstore/dockstore/pull/3224
 - https://github.com/suryagaddipati/codeclimate-plugin/pull/3
 - https://github.com/cloudera/livy/pull/349
 - https://github.com/bixo/bixo/pull/70
 - https://github.com/cbuescher/HLClientExampleMaven/pull/1
 - https://github.com/jenkinsci/config-provider-model/pull/2
 - https://github.com/hpsa/hp-operations-orchestration-automation-execution-plugin/pull/3
 - https://github.com/sockeqwe/Vaadin-MVP-Lite/pull/7
 - https://github.com/teamed/qulice/pull/1069
 - https://github.com/camsys/onebusaway-nyc/pull/40
 - https://github.com/jenkinsci/jcaptcha-plugin/pull/1
 - https://github.com/dataArtisans/cascading-flink/pull/73
 - https://github.com/dapeng-soa/dapeng-soa/pull/12
 - https://github.com/opentracing-contrib/java-tracerresolver/pull/43
 - https://github.com/jenkinsci/trilead-ssh2/pull/39
 - https://github.com/XavientInformationSystems/Data-Ingestion-Platform/pull/32
 - https://github.com/adhulipa/tika-pooled-time-series/pull/1
 - https://github.com/EvoSuite/evosuite/pull/280
 - https://github.com/52North/subverse/pull/2
 - https://github.com/ezbz/projectx/pull/4
 - https://github.com/microsoft/spring-data-cosmosdb/pull/487
 - https://github.com/SAP/jcomigrationhelperplugin/pull/1
 - https://github.com/google/gson/pull/1650
 - https://github.com/tburch/jsonblob/pull/47
 - https://github.com/devexperts/aprof/pull/16
 - https://github.com/jenkinsci/maven-info-plugin/pull/7
 - https://github.com/jenkinsci/json-lib/pull/3
 - https://github.com/google/infra-structured-map/pull/1
 - https://github.com/osintegrators/JavaSpringGranny/pull/1
 - https://github.com/52North/WPS-Extension-Skeleton/pull/6
 - https://github.com/cschneider/Karaf-Tutorial/pull/62
 - https://github.com/awslabs/aws-codebuild-jenkins-plugin/pull/91
 - https://github.com/jenkinsci/buildflow-extensions-plugin/pull/2
 - https://github.com/jenkinsci/cocoemma-plugin/pull/1
 - https://github.com/pirone/salaodazilda/pull/1
 - https://github.com/Bil372Project/372_071_Edulity/pull/20
 - https://github.com/sdeleuze/spring-backbone-todo/pull/4
 - https://github.com/apache/samza-hello-samza/pull/73
 - https://github.com/department-of-veterans-affairs/vitals/pull/1
 - https://github.com/ysc/APDPlat/pull/77
 - https://github.com/iverberk/jenkins-nomad/pull/6
 - https://github.com/jenkinsci/mock-security-realm-plugin/pull/6
 - https://github.com/Sargemck/JDK_Parameter_Choice/pull/3
 - https://github.com/pentaho/pentaho-mongodb-plugin/pull/195
 - https://github.com/OneBusAway/onebusaway-client-library/pull/21
 - https://github.com/OneBusAway/onebusaway-status-exporter/pull/1
 - https://github.com/pmerienne/trident-ml/pull/18
 - https://github.com/jsvitak/jbpm-workflow-plugin/pull/1
 - https://github.com/pentaho/data-access/pull/1088
 - https://github.com/jenkinsci/emailext-template-plugin/pull/4
 - https://github.com/jenkinsci/imagecomparison-plugin/pull/1
 - https://github.com/ox-it/gaboto/pull/1
 - https://github.com/Terracotta-OSS/terracotta-core/pull/1107
 - https://github.com/sendgridlabs/loaderio-jenkins-plugin/pull/1
 - https://github.com/openkm/document-management-system/pull/218
 - https://github.com/danko-david/javaexperience-saac/pull/1
 - https://github.com/tebexio/BuycraftX/pull/150
 - https://github.com/sbose78/active-mq/pull/1
 - https://github.com/datasalt/splout-db/pull/48
 - https://github.com/jenkinsci/bitbucket-plugin/pull/70
 - https://github.com/abel533/Mybatis-Spring/pull/44
 - https://github.com/52North/SensorPlanningService/pull/8
 - https://github.com/openhab/openhab1-addons/pull/5938
 - https://github.com/neo4j-contrib/spatial/pull/366
 - https://github.com/yjshen/zzzzobspk/pull/1
 - https://github.com/JLLeitschuh/bad-pom/pull/5
 - https://github.com/JLarky/jenkins-kato-plugin/pull/1
 - https://github.com/iipc/openwayback/pull/423
 - https://github.com/hyperhq/hyper-build-step-plugin/pull/18
 - https://github.com/jenkinsci/copy-to-slave-plugin/pull/12
 - https://github.com/UtopiaMinT/deebot/pull/2
 - https://github.com/akraxx/gitlab-jira-integration/pull/34
 - https://github.com/jeremylong/DependencyCheck/pull/2471
 - https://github.com/microsoft/azure-tools-for-java/pull/3976
 - https://github.com/pentaho/mondrian/pull/1190
 - https://github.com/jenkinsci/pipeline-maven-plugin/pull/229
 - https://github.com/jbosstools/jbosstools-freemarker/pull/85
 - https://github.com/kmader/spark-scifio/pull/1
 - https://github.com/ajsutton/disruptorWizard/pull/2
 - https://github.com/seam/seam-example-confbuzz/pull/5
 - https://github.com/ojbc/main/pull/7
 - https://github.com/taskurotta/taskurotta/pull/139
 - https://github.com/jenkinsci/heavy-job-plugin/pull/6
 - https://github.com/anylogic/alogic/pull/7
 - https://github.com/DavidTanner/aws-beanstalk-publisher/pull/12
 - https://github.com/jenkinsci/inflectra-spira-integration-plugin/pull/2
 - https://github.com/justice3120/app-detector-plugin/pull/5
 - https://github.com/apache/aries-journaled-events/pull/22
 - https://github.com/iluwatar/java-design-patterns/pull/1184
 - https://github.com/adaptris/jaxrs-client-proxy/pull/55
 - https://github.com/jenkinsci/environment-plugin/pull/1
 - https://github.com/la-team/light-admin/pull/276
 - https://github.com/mnemonic-no/act-platform/pull/6
 - https://github.com/svanoort/pipeline-graph-analysis-plugin/pull/10
 - https://github.com/apache/aries-rsa/pull/41
 - https://github.com/mikaelgrev/miglayout/pull/73
 - https://github.com/Transkribus/TranskribusSwtGui/pull/295
 - https://github.com/spring-by-example/spring-by-example/pull/13
 - https://github.com/VanRoy/spring-cloud-dashboard/pull/26
 - https://github.com/Impetus/Kundera/pull/1041
 - https://github.com/jenkinsci/appthwack-plugin/pull/2
 - https://github.com/castor-data-binding/castor/pull/81
 - https://github.com/jenkinsci/beaker-builder-plugin/pull/4
 - https://github.com/jenkinsci/paaslane-plugin/pull/1
 - https://github.com/kohsuke/jenkins/pull/39
 - https://github.com/jhinrichsen/cors-plugin/pull/5
 - https://github.com/torakiki/sejda/pull/376
 - https://github.com/deepu105/jhipster-roles/pull/5
 - https://github.com/GeoLatte/geolatte-geom/pull/91
 - https://github.com/jenkinsci/sauce-ondemand-plugin/pull/69
 - https://github.com/jenkinsci/ci-game-plugin/pull/23
 - https://github.com/jenkinsci/node-sharing-plugin/pull/115
 - https://github.com/Atmosphere/atmosphere-extensions/pull/246
 - https://github.com/apache/hadoop-common/pull/49
 - https://github.com/klout/brickhouse/pull/170
 - https://github.com/SAP/HANAVora-Extensions/pull/11
 - https://github.com/odrotbohm/rest-microservices/pull/16
 - https://github.com/asciidoctor/asciidoctor-maven-plugin/pull/421
 - https://github.com/52North/smartSensorEditor/pull/22
 - https://github.com/defect/exjobb/pull/1
 - https://github.com/rexlin600/springboot-sutra-pavilion/pull/1
 - https://github.com/ha-jdbc/ha-jdbc/pull/119
 - https://github.com/difi/move-deploy-manager/pull/7
 - https://github.com/querydsl/querydsl/pull/2527
 - https://github.com/jenkinsci/changes-since-last-success-plugin/pull/5
 - https://github.com/apache/maven-enforcer/pull/62
 - https://github.com/opentraffic/traffic-engine/pull/12
 - https://github.com/apache/dubbo-samples/pull/147
 - https://github.com/webanno/webanno/pull/1601
 - https://github.com/fluorumlabs/url-parameter-mapping/pull/11
 - https://github.com/muminc/spring-rest-example/pull/4
 - https://github.com/jenkinsci/failure-visualizer-plugin/pull/1
 - https://github.com/willdurand/Karotz-Plugin/pull/3
 - https://github.com/apache/mina-vysper/pull/14
 - https://github.com/INRIA/spoon/pull/3243
 - https://github.com/jesusaurus/jenkins-logstash-plugin/pull/3
 - https://github.com/OneBusAway/onebusaway-siri/pull/7
 - https://github.com/arroyc/azure-acs-plugin/pull/1
 - https://github.com/rikturnbull/aws-parameter-store-plugin/pull/6
 - https://github.com/michaelneale/jenkins-lifx-notifier-plugin/pull/2
 - https://github.com/cosmin/IClojure/pull/34
 - https://github.com/1000Memories/photon-core/pull/4
 - https://github.com/sturtesm/appdynamics-paypal-integration-java-checkout/pull/1
 - https://github.com/jenkinsci/anything-goes-formatter-plugin/pull/4
 - https://github.com/dockstore/dockstore-cli/pull/16
 - https://github.com/ponxu/blog4j/pull/2
 - https://github.com/jenkinsci/ca-apm-plugin/pull/10
 - https://github.com/USGS-CIDA/cida-owsutils-geoserver/pull/26
 - https://github.com/TridentSDK/TridentSDK/pull/83
 - https://github.com/OneBusAway/onebusaway-gtfs-realtime-nagios-plugin/pull/1
 - https://github.com/diegoceccarelli/json-wikipedia/pull/40
 - https://github.com/osiam/addon-self-administration/pull/203
 - https://github.com/infinitest/infinitest/pull/278
 - https://github.com/square/cascading2-protobufs/pull/28
 - https://github.com/jenkinsci/phing-plugin/pull/2
 - https://github.com/matsim-org/matsim/pull/818
 - https://github.com/janinko/ghprb/pull/494
 - https://github.com/resty-gwt/resty-gwt/pull/400
 - https://github.com/chrischabot/oacurl/pull/10
 - https://github.com/OneBusAway/onebusaway-gtfs-realtime-from-siri-cli/pull/4
 - https://github.com/outbrain/gruffalo/pull/3
 - https://github.com/intuit/Tank/pull/100
 - https://github.com/twitter-archive/iago/pull/48
 - https://github.com/espertechinc/esper/pull/182
 - https://github.com/jenkinsci/jobrequeue-plugin/pull/7
 - https://github.com/jenkinsci/jenkins.rb/pull/128
 - https://github.com/hcoles/pitest/pull/732
 - https://github.com/linkedin/ml-ease/pull/2
 - https://github.com/JodaOrg/joda-time-hibernate/pull/13
 - https://github.com/skyscreamer/nevado/pull/114
 - https://github.com/jenkinsci/external-resource-dispatcher-plugin/pull/9
 - https://github.com/knowm/XChart/pull/415
 - https://github.com/rombert/release/pull/1
 - https://github.com/jenkinsci/clearcase-plugin/pull/36
 - https://github.com/jenkinsci/chosen-views-tabbar/pull/3
 - https://github.com/jboss-switchyard/tools/pull/686
 - https://github.com/ocpsoft/rewrite/pull/290
 - https://github.com/rapidftr/RapidFTR-Android/pull/215
 - https://github.com/JodaOrg/joda-time-jsptags/pull/2
 - https://github.com/jenkinsci/archived-artifact-url-viewer-plugin/pull/2
 - https://github.com/jenkinsci/drupal-developer-plugin/pull/2
 - https://github.com/fneves-datalex/job-node-stalker/pull/2
 - https://github.com/zhaozhiming/mttr/pull/1
 - https://github.com/Reading-eScience-Centre/edal-java/pull/124
 - https://github.com/jenkinsci/fedora-module-build-system-plugin/pull/1
 - https://github.com/legendtang/jtapi-legacy-openshift/pull/1
 - https://github.com/opentracing-contrib/java-jaxrs/pull/137
 - https://github.com/mthak/diskcheck-plugin/pull/13
 - https://github.com/alexnederlof/Jasper-report-maven-plugin/pull/61
 - https://github.com/apache/maven-integration-testing/pull/55
 - https://github.com/codecentric/jenkins-deployment-dashboard-plugin/pull/25
 - https://github.com/webbit/webbit/pull/148
 - https://github.com/jenkinsci/kmap-plugin/pull/2
 - https://github.com/jghoman/haivvreo/pull/33
 - https://github.com/Intel-bigdata/HiBench/pull/602
 - https://github.com/julianhyde/linq4j/pull/30
 - https://github.com/danko-david/javaexperience-webrpc/pull/1
 - https://github.com/jenkinsci/compound-slaves-plugin/pull/8
 - https://github.com/timols/jenkins-gitlab-merge-request-builder-plugin/pull/228
 - https://github.com/jenkinsci/newgen-servers-plugin/pull/1
 - https://github.com/PramodhKumarM/DevOpsClassCodes-Copy/pull/1
 - https://github.com/jenkinsci/jx-pipelines-plugin/pull/16
 - https://github.com/ikedam/groovy-label-assignment/pull/3
 - https://github.com/jdye64/garcon/pull/12
 - https://github.com/oracle/wookiee-zookeeper/pull/49
 - https://github.com/Lewuathe/hckrnews-plugin/pull/1
 - https://github.com/arnaudroger/SimpleFlatMapper/pull/706
 - https://github.com/projectodd/wunderboss/pull/22
 - https://github.com/spinn3r/noxy/pull/19
 - https://github.com/reinier-vegter/tst_jenkins_old/pull/7
 - https://github.com/mabodx/hw4-bom/pull/1
 - https://github.com/afimb/chouette/pull/61
 - https://github.com/USGS-CIDA/MyPubs/pull/121
 - https://github.com/weamylady2/iOS_remote/pull/23
 - https://github.com/dschanoeh/Kayak/pull/36
 - https://github.com/enviroCar/enviroCar-server/pull/355
 - https://github.com/taylorleese/google-app-engine-jappstart/pull/7
 - https://github.com/KDE/wikitolearn-course-midtier/pull/1
 - https://github.com/pmaccamp/global-variable-string-parameter/pull/1
 - https://github.com/apache/wicket/pull/405
 - https://github.com/nramaker/TwitterNetPromoter/pull/1
 - https://github.com/TridentSDK/Trident/pull/91
 - https://github.com/GeoWebCache/geowebcache/pull/822
 - https://github.com/sismics/reader/pull/172
 - https://github.com/medcl/elasticsearch-analysis-pinyin/pull/224
 - https://github.com/jzy3d/jzy3d-api/pull/117
 - https://github.com/openpnp/openpnp/pull/953
 - https://github.com/bigpandaio/bigpanda-jenkins-plugin/pull/9
 - https://github.com/jenkinsci/model-selenium-project/pull/1
 - https://github.com/nroduit/Weasis/pull/114
 - https://github.com/CavemanCraig/TutorialDemo_OLD/pull/3
 - https://github.com/myrrix/myrrix-recommender/pull/3
 - https://github.com/xebia-france-training/xebia-petclinic/pull/3
 - https://github.com/RuslanIsniuk/Expenses-Management-Application/pull/1
 - https://github.com/kirklund/geode-logback/pull/1
 - https://github.com/52North/triturus/pull/9
 - https://github.com/jenkinsci/changelog-history-plugin/pull/6
 - https://github.com/jenkinsci/scm-sync-configuration-plugin/pull/71
 - https://github.com/deepshiftlabs/nerrvana-plugin-for-jenkins-ci/pull/1
 - https://github.com/DrChainsaw/AmpControl/pull/32
 - https://github.com/jenkinsci/chosen-plugin/pull/2
 - https://github.com/e-biz/spring-dbunit/pull/54
 - https://github.com/52North/sos-importer/pull/103
 - https://github.com/kamilfb/mqtt-spy/pull/132
 - https://github.com/apache/maven-jmod-plugin/pull/4
 - https://github.com/micromata/javaapiforkml/pull/24
 - https://github.com/jibaro/dl4j-spark-cdh5-examples/pull/1
 - https://github.com/liudong0624/WATika1.18/pull/1
 - https://github.com/pulse00/Symfony-2-Eclipse-Plugin/pull/264
 - https://github.com/Jasig/NewsReaderPortlet/pull/154
 - https://github.com/elasticinbox/elasticinbox/pull/58
 - https://github.com/SpoonLabs/gumtree-spoon-ast-diff/pull/119
 - https://github.com/errai/errai/pull/382
 - https://github.com/jenkinsci/appaloosa-plugin/pull/7
 - https://github.com/structr/structr/pull/537
 - https://github.com/MilkBowl/Vault/pull/793
 - https://github.com/jenkinsci/jsunit-plugin/pull/2
 - https://github.com/TheHortonMachine/hortonmachine/pull/56
 - https://github.com/BroadleafCommerce/LegacyDemoSite/pull/217
 - https://github.com/DPOH-VAR/PowerNBT/pull/35
 - https://github.com/cantaloupe-project/cantaloupe/pull/348
 - https://github.com/mvanholsteijn/spring-paas-petstore/pull/1
 - https://github.com/simonsoft/cms-indexing-xml/pull/6
 - https://github.com/apparao2017/mvnrepo/pull/1
 - https://github.com/jenkinsci/htmlresource-plugin/pull/2
 - https://github.com/jenkinsci/core-js/pull/1
 - https://github.com/SoftwareBuildService/gitblit-plugin/pull/9
 - https://github.com/apache/myfaces-extcdi/pull/4
 - https://github.com/nativelibs4java/JNAerator/pull/121
 - https://github.com/SmartBear/soapui/pull/497
 - https://github.com/jenkinsci/parallel-test-executor-plugin/pull/100
 - https://github.com/52North/OX-Framework/pull/61
 - https://github.com/jenkinsci/golo-plugin/pull/1
 - https://github.com/jenkinsci/pipeline-classpath-step-plugin/pull/4
 - https://github.com/steppenwells/guardian-management/pull/3
 - https://github.com/OneBusAway/onebusaway-gtfs-realtime-trip-updates-producer-demo/pull/2
 - https://github.com/opensourceBIM/BIMserver/pull/1107
 - https://github.com/daniel-beck/jenkins-keep-slave-disconnected-plugin/pull/1
 - https://github.com/ICIJ/node-tika/pull/26
 - https://github.com/acogoluegnes/Spring-Batch-in-Action/pull/1
 - https://github.com/jprante/elasticsearch-gatherer/pull/2
 - https://github.com/stubhub/bigdime/pull/98
 - https://github.com/jenkinsci/maven-deployment-linker-plugin/pull/6
 - https://github.com/xwiki/xwiki-clover-maven/pull/1
 - https://github.com/ikedam/authorize-project/pull/2
 - https://github.com/odata4j/odata4j/pull/6
 - https://github.com/BaseXdb/basex/pull/1808
 - https://github.com/nalbam/sample-tomcat/pull/28
 - https://github.com/sithu/stomp-client/pull/1
 - https://github.com/OneBusAway/onebusaway-alexa/pull/119
 - https://github.com/jenkinsci/exclusion-plugin/pull/10
 - https://github.com/jenkinsci/impersonation-plugin/pull/1
 - https://github.com/Buam/ultimatesigns/pull/2
 - https://github.com/tmfg/digitraffic-marine/pull/1
 - https://github.com/ThunderGemios10/Survival-Games/pull/85
 - https://github.com/GoogleCloudPlatform/google-cloud-datastore/pull/247
 - https://github.com/nurkiewicz/typeof/pull/8
 - https://github.com/jenkinsci/grails-plugin/pull/13
 - https://github.com/hortonworks/hive-json/pull/13
 - https://github.com/menonvarun/test-results-analyzer/pull/15
 - https://github.com/acdvorak/intellij-lessc-plugin/pull/105
 - https://github.com/jenkinsci/icescrum-plugin/pull/2
 - https://github.com/Silverpeas/Silverpeas-Core/pull/1054
 - https://github.com/mjeanroy/springhub/pull/1
 - https://github.com/EastWoodYang/gradle-repo-jenkins-plugin/pull/3
 - https://github.com/jenkinsci/mailmap-resolver-plugin/pull/2
 - https://github.com/livelessons-spring/building-microservices/pull/19
 - https://github.com/Mobisocial/EasyNFC/pull/2
 - https://github.com/cgbystrom/netty-tools/pull/18
 - https://github.com/apache/maven-assembly-plugin/pull/17
 - https://github.com/ukiuni/call-remote-job-plugin/pull/2
 - https://github.com/jenkinsci/caliper-ci-plugin/pull/4
 - https://github.com/david4096/notdockstore/pull/5
 - https://github.com/mojavelinux/forge-plugin-arquillian-extensions/pull/2
 - https://github.com/jghoman/finagle-java-example/pull/3
 - https://github.com/lvotypko/javatest-report/pull/1
 - https://github.com/jenkinsci/chef-identity-plugin/pull/5
 - https://github.com/OHDSI/SqlRender/pull/209
 - https://github.com/LiveRamp/hank/pull/345
 - https://github.com/morficus/Parameterized-Remote-Trigger-Plugin/pull/27
 - https://github.com/jenkinsci/dropdown-viewstabbar-plugin/pull/6
 - https://github.com/jenkinsci/diagnostics-plugin/pull/2
 - https://github.com/tltv/gantt/pull/89
 - https://github.com/spinscale/dropwizard-blog-sample/pull/5
 - https://github.com/CopadoSolutions/copado-jenkins-plugin/pull/2
 - https://github.com/delta-rho/RHIPE/pull/47
 - https://github.com/jaune162/cloud-netflix/pull/1
 - https://github.com/eclipse/eclipse-collections/pull/796
 - https://github.com/welovecoding/editorconfig-netbeans/pull/123
 - https://github.com/miltonio/milton2/pull/128
 - https://github.com/jenkinsci/boot-clj-plugin/pull/3
 - https://github.com/HyperDunk/DR-TIKA/pull/1
 - https://github.com/dbeaver/dbeaver/pull/7884
 - https://github.com/USGS-CIDA/cida-auth/pull/112
 - https://github.com/OneBusAway/onebusaway-gtfs-realtime-exporter/pull/10
 - https://github.com/MovingBlocks/TeraBullet/pull/4
 - https://github.com/OneBusAway/onebusaway-gtfs-realtime-visualizer/pull/14
 - https://github.com/databricks/learning-spark/pull/42
 - https://github.com/ManuelB/facebook-recommender-demo/pull/5
 - https://github.com/naver/nbase-arc/pull/186
 - https://github.com/jenkinsci/dbCharts-plugin/pull/2
 - https://github.com/syl20bnr/jobgenerator-jenkins/pull/20
 - https://github.com/apache/servicemix/pull/54
 - https://github.com/JWebUnit/jwebunit/pull/12
 - https://github.com/siddhi-io/siddhi/pull/1621
 - https://github.com/apache/hama/pull/26
 - https://github.com/agoncal/agoncal-application-petstore-ee6/pull/42
 - https://github.com/suguru/elasticsearch-analysis-japanese/pull/2
 - https://github.com/locationtech/geogig/pull/491
 - https://github.com/rlf/uSkyBlock/pull/1250
 - https://github.com/thinkgem/jeesite/pull/498
 - https://github.com/skadistats/clarity-examples/pull/42
 - https://github.com/SeleniumHQ/fluent-selenium/pull/28
 - https://github.com/floodlight/floodlight/pull/837
 - https://github.com/jenkinsci/flaky-test-handler-plugin/pull/13
 - https://github.com/NackademinJan/LibraryTestJenkins/pull/1
 - https://github.com/weiyin/appetize-jenkins-plugin/pull/3
 - https://github.com/jenkinsci/hall-plugin/pull/1
 - https://github.com/akquinet/androlog/pull/13
 - https://github.com/tomtom-international/openlr/pull/42
 - https://github.com/MicroFocus/micro-focus-performance-center-integration/pull/11
 - https://github.com/johnewart/gearman-java/pull/18
 - https://github.com/veraPDF/veraPDF-rest/pull/51
 - https://github.com/kevinfealey/appscansource-scanner/pull/3
 - https://github.com/OneBusAway/onebusaway-csv-entities/pull/16
 - https://github.com/spullara/mustache.java/pull/245
 - https://github.com/SonarQubeCommunity/sonar-scm-stats/pull/13
 - https://github.com/danko-david/javaexperience-rpc/pull/1
 - https://github.com/skyscreamer/yoga/pull/249
 - https://github.com/garethjevans/cucumber-slack-notifier-plugin/pull/8
 - https://github.com/bcdev/beam/pull/40
 - https://github.com/maplesteve/JiraTestResultReporter/pull/10
 - https://github.com/p4paul/p4-jenkins/pull/48
 - https://github.com/zvpdev/pvsstudio-maven-plugin/pull/1
 - https://github.com/louisrli/arbitrary-parameters-plugin/pull/1
 - https://github.com/52North/wps-client-lib/pull/17
 - https://github.com/awconstable/company-manager/pull/1
 - https://github.com/OneBusAway/onebusaway-guice-jetty-exporter/pull/1
 - https://github.com/tobato/FastDFS_Client/pull/194
 - https://github.com/jenkinsci/android-apk-size-watcher-plugin/pull/3
 - https://github.com/CreditMutuelArkea/Openstack-Jenkins-HeatPlugin-closed-see-readme-/pull/4
 - https://github.com/jeremylong/odc-falsepositives/pull/1
 - https://github.com/yash50/hsweb-3.0.4/pull/1
 - https://github.com/j-easy/easy-batch/pull/367
 - https://github.com/elBukkit/MagicArenas/pull/9
 - https://github.com/dooApp/FXForm2/pull/184
 - https://github.com/jenkinsci/codescan-plugin/pull/1
 - https://github.com/Bukkit/Bukkit/pull/1122
 - https://github.com/inception-project/inception/pull/1617
 - https://github.com/apache/openwebbeans-meecrowave-examples/pull/8
 - https://github.com/danko-david/javaexperience-datareprez/pull/1
 - https://github.com/apache/maven-doxia/pull/18
 - https://github.com/jenkinsci/campfire-plugin/pull/9
 - https://github.com/oriolbcn/c4s-cloudfoundry-adapter/pull/1
 - https://github.com/membrane/service-proxy/pull/349
 - https://github.com/playn/playn/pull/84
 - https://github.com/voodoodyne/subethasmtp/pull/96
 - https://github.com/jenkinsci/build-history-metrics-plugin/pull/2
 - https://github.com/MaineC/elasticsearch-query-templates/pull/2
 - https://github.com/apache/maven-2/pull/1
 - https://github.com/blazegraph/database/pull/156
 - https://github.com/christ66/cobertura/pull/19
 - https://github.com/2xel/spring-bootstrap-tiles/pull/1
 - https://github.com/JBEI/ice/pull/96
 - https://github.com/openmrs/openmrs-module-radiology/pull/515
 - https://github.com/developersdo/dev-dom-skills-ws/pull/16
 - https://github.com/jenkinsci/enhanced-old-build-discarder-plugin/pull/4
 - https://github.com/alauda/alauda-devops-pipeline-plugin/pull/41
 - https://github.com/ptgoetz/storm-jms/pull/37
 - https://github.com/Open-MBEE/docbook/pull/1
 - https://github.com/jenkinsci/openshift-deployer-plugin/pull/14
 - https://github.com/toyzhou/phm/pull/1
 - https://github.com/4thline/cling/pull/250
 - https://github.com/AMCBridgeDevTeam/build-configurator-plugin/pull/1
 - https://github.com/SICSoftwareGmbH/kpp-management-plugin/pull/6
 - https://github.com/sofastack/sofa-lookout/pull/78
 - https://github.com/xwiki/xwiki-commons/pull/86
 - https://github.com/kohsuke/com4j/pull/83
 - https://github.com/jenkinsci/chromedriver-plugin/pull/7
 - https://github.com/DreamExposure/DisCal-Discord-Bot/pull/29
 - https://github.com/jhalterman/stormcell/pull/1
 - https://github.com/alibaba/p3c/pull/644
 - https://github.com/jenkinsci/extras-client-demo/pull/1
 - https://github.com/wso2/product-iots/pull/1940
 - https://github.com/adamcin/crx-content-package-deployer/pull/5
 - https://github.com/atomashpolskiy/bt/pull/138
 - https://github.com/ShifuML/guagua/pull/104
 - https://github.com/unitsofmeasurement/uom-se/pull/207
 - https://github.com/jenkinsci/loadfocus-loadtest-plugin/pull/5
 - https://github.com/prospero238/liquibase-runner/pull/11
 - https://github.com/BioPAX/validator/pull/15
 - https://github.com/lincolnthree/hibernate-demo/pull/1
 - https://github.com/apache/geronimo-genesis/pull/1
 - https://github.com/PolskiStevek/EpicGuard/pull/7
 - https://github.com/m-y-mo/activemq_20155254/pull/1
 - https://github.com/apache/incubator-streampipes/pull/11
 - https://github.com/ngageoint/mrgeo-geoserver-plugin/pull/4
 - https://github.com/dormaayan/Corpus/pull/28
 - https://github.com/ChristianBecker/http-post-plugin/pull/2
 - https://github.com/jhalterman/sarge/pull/14
 - https://github.com/52North/series-rest-api/pull/490
 - https://github.com/onap/archive-dcae-apod-analytics/pull/1
 - https://github.com/robward-scisys/sldeditor/pull/449
 - https://github.com/jenkinsci/crap4j-plugin/pull/3
 - https://github.com/absolutegalaber/jwt-oauth2-example/pull/9
 - https://github.com/jenkinsci/almasw-modbuilder-plugin/pull/2
 - https://github.com/atdl4j/atdl4j/pull/33
 - https://github.com/jenkinsci/kubernetes-pipeline-plugin/pull/73
 - https://github.com/jenkinsci/dom4j/pull/6
 - https://github.com/apache/maven-archetype/pull/37
 - https://github.com/sdbg/sdbg/pull/163
 - https://github.com/apache/oodt/pull/117
 - https://github.com/astamuse/asta4d/pull/30
 - https://github.com/octo-technology/sonar-objective-c/pull/127
 - https://github.com/RestComm/sip-servlets/pull/376
 - https://github.com/52North/movingcode/pull/9
 - https://github.com/OneBusAway/onebusaway-uk/pull/7
 - https://github.com/palantir/eclipse-typescript/pull/360
 - https://github.com/neo4j-contrib/neo4j-graph-algorithms/pull/929
 - https://github.com/wso2-attic/product-esb/pull/666
 - https://github.com/apache/tuscany-das/pull/1
 - https://github.com/vincentrussell/sql-to-mongo-db-query-converter/pull/26
 - https://github.com/jenkinsci/compact-columns-plugin/pull/4
 - https://github.com/jenkinsci/CFLint-plugin/pull/1
 - https://github.com/damienbiggs/parameter-pool-plugin/pull/2
 - https://github.com/OpenSextant/SolrTextTagger/pull/89
 - https://github.com/splicemachine/spliceengine/pull/3218
 - https://github.com/abel533/Mapper/pull/725
 - https://github.com/google/jse4conf/pull/1
 - https://github.com/ceki/pomapo/pull/1
 - https://github.com/OpenHFT/Chronicle-Queue/pull/640
 - https://github.com/osiam/addon-administration/pull/154
 - https://github.com/oracle/opengrok/pull/3039
 - https://github.com/okocraft/Imperatrix/pull/22
 - https://github.com/jensalm/spring-rest-server/pull/7
 - https://github.com/talios/coffee-maven-plugin/pull/36
 - https://github.com/restlet/restlet-framework/pull/12
 - https://github.com/antonyh/hippo-site-nucleus/pull/13
 - https://github.com/ICT-BDA/EasyML/pull/114
 - https://github.com/ops4j/org.ops4j.pax.web/pull/280
 - https://github.com/52North/eventing-rest-api/pull/6
 - https://github.com/apache/isis/pull/172
 - https://github.com/jenkinsci/disk-usage-plugin/pull/42
 - https://github.com/Nodeclipse/nodeclipse-1/pull/233
 - https://github.com/LightGuard/catch-demo/pull/1
 - https://github.com/mabodx/hw0-bom/pull/1
 - https://github.com/spring-projects/spring-flex-roo/pull/7
 - https://github.com/infochimps-labs/wonderdog/pull/22
 - https://github.com/mabodx/hw1-bom/pull/1
 - https://github.com/jplag/jplag/pull/78
 - https://github.com/sockeqwe/AnnotatedAdapter/pull/26
 - https://github.com/elaatifi/orika/pull/12
 - https://github.com/datasift/datasift-java/pull/125
 - https://github.com/jenkinsci/ion-deployer-plugin/pull/1
 - https://github.com/otecteng/onealert-trigger/pull/1
 - https://github.com/jenkinsci/node-iterator-api-plugin/pull/5
 - https://github.com/jbosstools/jbosstools-maven-plugins/pull/76
 - https://github.com/httl/httl/pull/236
 - https://github.com/wso2/product-is/pull/7530
 - https://github.com/paulwellnerbou/git-changelog-jenkins-plugin/pull/9
 - https://github.com/v1v/percentage-du-node-column-plugin/pull/1
 - https://github.com/SAP-samples/cloud-sfsf-benefits-ext/pull/14
 - https://github.com/Norconex/collector-filesystem/pull/51
 - https://github.com/pentaho/modeler/pull/362
 - https://github.com/FirePub/jenkinsci-mber-plugin/pull/2
 - https://github.com/google/git-appraise-eclipse/pull/5
 - https://github.com/osluocra/PlantPlaces/pull/1
 - https://github.com/tomakehurst/wiremock/pull/1266
 - https://github.com/jenkinsci/eclipse-update-site-plugin/pull/1
 - https://github.com/agoncal/agoncal-application-petstore-ee7/pull/18
 - https://github.com/OneBusAway/onebusaway-vdv-modules/pull/11
 - https://github.com/jenkinsci/cucumber-performance-plugin/pull/7
 - https://github.com/52North/WPS/pull/287
 - https://github.com/apache/manifoldcf/pull/108
 - https://github.com/amplab/succinct/pull/44
 - https://github.com/sk89q/WarmRoast/pull/18
 - https://github.com/jenkinsci/jswidgets-plugin/pull/5
 - https://github.com/selendroid/selendroid/pull/1190
 - https://github.com/angelozerr/tern.java/pull/473
 - https://github.com/suguru/mongo-java-async-driver/pull/1
 - https://github.com/jenkinsci/android-emulator-plugin/pull/80
 - https://github.com/happysoul/test/pull/3
 - https://github.com/bcvsolutions/forest-index/pull/1
 - https://github.com/orientechnologies/orientdb/pull/9136
 - https://github.com/jingwei/krati/pull/12
 - https://github.com/wso2/developer-studio/pull/203
 - https://github.com/jenkinsci/join-plugin/pull/15
 - https://github.com/18838928050/ssmtest/pull/1
 - https://github.com/JanusGraph/janusgraph/pull/1956
 - https://github.com/openmrs/openmrs-module-reporting/pull/194
 - https://github.com/RohanNagar/thunder/pull/672
 - https://github.com/GoogleCloudPlatform/appengine-tck/pull/107
 - https://github.com/ViaVersion/ViaBackwards/pull/183
 - https://github.com/lmco/streamflow/pull/49
 - https://github.com/ilx/ksadmin/pull/1
 - https://github.com/AppiumTestDistribution/AppiumTestDistribution/pull/627
 - https://github.com/EngineHub/CommandHelper/pull/552
 - https://github.com/jbarrus/jenkins-badge-setter/pull/2
 - https://github.com/advantiss/builds-chain-fingerprinter/pull/2
 - https://github.com/DBCDK/log-tracer/pull/41
 - https://github.com/jenkinsci/nexus-artifact-uploader-plugin/pull/17
 - https://github.com/openEHR/adl2-core/pull/12
 - https://github.com/jenkinsci/createjobadvanced-plugin/pull/4
 - https://github.com/jenkinsci/housekeeper-plugin/pull/1
 - https://github.com/gabrieldinu/Andrei_Cracana_BidStore/pull/1
 - https://github.com/jenkins-infra/ircbot/pull/78
 - https://github.com/Moocar/logback-gelf/pull/71
 - https://github.com/jbox2d/jbox2d/pull/65
 - https://github.com/asdf2014/CapturePackage/pull/1
 - https://github.com/ifedorenko/p2-browser/pull/23
 - https://github.com/vfarcic/docker-flow-jenkins/pull/1
 - https://github.com/Kixeye/chassis/pull/4
 - https://github.com/gcauchis/chat/pull/2
 - https://github.com/splunk/splunkforjenkins/pull/16
 - https://github.com/jenkinsci/metrics-ganglia-plugin/pull/1
 - https://github.com/mysql-time-machine/replicator/pull/57
 - https://github.com/jenkinsci/jobtype-column-plugin/pull/6
 - https://github.com/apache/npanday-its/pull/1
 - https://github.com/hantsy/seam3-sandbox/pull/2
 - https://github.com/jenkinsci/job-log-logger-plugin/pull/2
 - https://github.com/apache/netbeans-mavenutils-archetype-netbeans-platform-app-archetype/pull/1
 - https://github.com/UISpec4J/UISpec4J/pull/36
 - https://github.com/DSpace/xoai/pull/75
 - https://github.com/jiwhiz/JiwhizBlogWeb/pull/9
 - https://github.com/reficio/soap-ws/pull/65
 - https://github.com/eclipse/ditto/pull/617
 - https://github.com/j256/ormlite-core/pull/171
 - https://github.com/riverma/tika-netcdf/pull/1
 - https://github.com/tamingtext/book/pull/34
 - https://github.com/CoreMedia/jangaroo-tools/pull/66
 - https://github.com/michaellavelle/spring-data-dynamodb/pull/99
 - https://github.com/junoyoon/simpleupdatesiterepo/pull/4
 - https://github.com/IBM/ibm-cloud-devops/pull/8
 - https://github.com/iMingle/Pear/pull/3
 - https://github.com/datanucleus/datanucleus-core/pull/324
 - https://github.com/Terracotta-OSS/offheap-store/pull/69
 - https://github.com/jenkinsci/extras-ec2-launcher/pull/1
 - https://github.com/pereferrera/trident-hackaton/pull/1
 - https://github.com/criccomini/ezdb/pull/13
 - https://github.com/BitMEX/api-connectors/pull/423
 - https://github.com/facebookarchive/linkbench/pull/36
 - https://github.com/Transitime/core/pull/33
 - https://github.com/jenkinsci/global-build-stats-plugin/pull/18
 - https://github.com/rubiconred/myst-jenkins-plugin/pull/1
 - https://github.com/payara/Payara/pull/4484
 - https://github.com/michaeljfazio/hp-quality-center-plugin/pull/1
 - https://github.com/Stratio/Decision/pull/193
 - https://github.com/apache/maven-release/pull/37
 - https://github.com/Aconex/scrutineer/pull/37
 - https://github.com/athkalia/Just-Another-Android-App/pull/101
 - https://github.com/52North/dao-series-api/pull/194
 - https://github.com/IncPlusPlus/betterstat-server/pull/117
 - https://github.com/leonardxfce/9024-XP/pull/95
 - https://github.com/ToastShaman/dropwizard-auth-jwt/pull/43
 - https://github.com/mguymon/model-citizen/pull/33
 - https://github.com/Vlatombe/linenumbers-plugin/pull/1
 - https://github.com/onap/vid/pull/7
 - https://github.com/chompi/openrtb2x/pull/50
 - https://github.com/jenkinsci/console-column-plugin/pull/5
 - https://github.com/jamesagnew/hapi-fhir/pull/1708
 - https://github.com/bijukunjummen/spring-cloud-ping-pong-sample/pull/4
 - https://github.com/dhanji/loop/pull/17
 - https://github.com/aerospike/aerospike-client-java/pull/157
 - https://github.com/SpoonLabs/coming/pull/206
 - https://github.com/sakserv/hadoop-mini-clusters/pull/71
 - https://github.com/SonarSource/sonar-xml/pull/134
 - https://github.com/jenkinsci/perfpublisher-plugin/pull/21
 - https://github.com/eclipse/pdt/pull/43
 - https://github.com/dandelion/dandelion-datatables/pull/335
 - https://github.com/Multiverse/Multiverse-Inventories/pull/346
 - https://github.com/danko-david/javaexperience-web/pull/1
 - https://github.com/heremaps/fluentd-plugin/pull/3
 - https://github.com/lincolnthree/errai-ui-ghostwriter/pull/1
 - https://github.com/mttkay/signpost/pull/25
 - https://github.com/jenkinsci/hsts-filter-plugin/pull/3
 - https://github.com/RIPE-NCC/whois/pull/604
 - https://github.com/onap/clamp/pull/1
 - https://github.com/sryza/simplesparkapp/pull/6
 - https://github.com/GPars/GPars/pull/63
 - https://github.com/jenkinsci/cron_column-plugin/pull/6
 - https://github.com/dadoonet/spring-elasticsearch/pull/230
 - https://github.com/Alfresco/alfresco-sdk/pull/593
 - https://github.com/jenkinsci/environment-script-plugin/pull/16
 - https://github.com/sanity/quickml/pull/157
 - https://github.com/sockeqwe/fragmentargs/pull/112
 - https://github.com/jenkinsci/cli-commander-plugin/pull/3
 - https://github.com/jenkinsci/avatar-plugin/pull/2
 - https://github.com/52North/WNS/pull/1
 - https://github.com/jenkinsci/gitcolony-plugin/pull/3
 - https://github.com/ViaVersion/ViaRewind/pull/152
 - https://github.com/jenkinsci/easyant-plugin/pull/1
 - https://github.com/jenkinsci/variant-plugin/pull/7
 - https://github.com/zsmartsystems/com.zsmartsystems.bluetooth.bluegiga/pull/9
 - https://github.com/childRon/vcarta-admin/pull/1
 - https://github.com/akquinet/vaadinator/pull/48
 - https://github.com/52North/geoar-codebase/pull/2
 - https://github.com/ParallelAI/SpyGlass/pull/31
 - https://github.com/ColeJackes/QuizbowlMachineLearning/pull/1
 - https://github.com/jenkinsci/perfectomobile-plugin/pull/7
 - https://github.com/jenkinsci/dynamic-extended-choice-parameter-plugin/pull/3
 - https://github.com/tinkerpop/rexster/pull/394
 - https://github.com/scoophealth/oscar/pull/2
 - https://github.com/jenkinsci/jclouds-plugin/pull/136
 - https://github.com/asterixds/activiti/pull/1
 - https://github.com/patrickfav/density-converter/pull/6
 - https://github.com/jruby/jruby-openssl/pull/192
 - https://github.com/liferay/liferay-maven-support/pull/20
 - https://github.com/jenkinsci/gallio-plugin/pull/4
 - https://github.com/linouxis9/ARMStrong/pull/3
 - https://github.com/magro/kryo-serializers/pull/123
 - https://github.com/dakrone/elasticsearch-glacier/pull/1
 - https://github.com/jenkinsci/findbugs-plugin/pull/18
 - https://github.com/dkpro/dkpro-lab/pull/109
 - https://github.com/jenkinsci/buildgraph-view-plugin/pull/38
 - https://github.com/wso2/product-app-manager/pull/363
 - https://github.com/apache/servicemix-specs/pull/15
 - https://github.com/jenkinsci/gitorious-plugin/pull/5
 - https://github.com/confluentinc/ksql/pull/4511
 - https://github.com/wso2/carbon-identity-framework/pull/2739
 - https://github.com/JPressProjects/jpress/pull/135
 - https://github.com/Open-MBEE/K/pull/3
 - https://github.com/nysenate/OpenLegislation/pull/42
 - https://github.com/fschopp/mina-sshd/pull/1
 - https://github.com/openmrs/openmrs-module-fhir/pull/227
 - https://github.com/stratosphere/stratosphere/pull/923
 - https://github.com/kite-sdk/kite/pull/500
 - https://github.com/tomighty/tomighty/pull/130
 - https://github.com/Cognifide/Slice/pull/122
 - https://github.com/yahoo/mysql_perf_analyzer/pull/26
 - https://github.com/52North/awi-nearrealtime-sos/pull/20
 - https://github.com/jenkinsci/cvs-mail-address-resolver-plugin/pull/1
 - https://github.com/jenkinsci/favorite-plugin/pull/28
 - https://github.com/senbox-org/snap-desktop/pull/103
 - https://github.com/52North/helgoland-server/pull/25
 - https://github.com/sbryzak/ticket-monster/pull/2
 - https://github.com/apache/metamodel/pull/238
 - https://github.com/betfair/cougar/pull/104
 - https://github.com/apache/incubator-ratis/pull/53
 - https://github.com/alibaba/tamper/pull/13
 - https://github.com/LilyPad/Bukkit-Connect/pull/54
 - https://github.com/jenkinsci/leiningen-plugin/pull/15
 - https://github.com/microsoft/azure-app-service-plugin/pull/27
 - https://github.com/awslabs/aws-device-farm-jenkins-plugin/pull/102
 - https://github.com/Sprengnetter-Immobilienbewertung/jenfluence/pull/9
 - https://github.com/loadimpact/loadimpact-jenkins-plugin/pull/1
 - https://github.com/zcourts/higgs/pull/27
 - https://github.com/jenkinsci/ios-device-connector-plugin/pull/7
 - https://github.com/ryantenney/metrics-spring/pull/225
 - https://github.com/mabodx/hw1-bom121/pull/1
 - https://github.com/avengerpenguin/r2r/pull/3
 - https://github.com/jenkinsci/docker-slaves-plugin/pull/30
 - https://github.com/yahoo/sherlock/pull/28
 - https://github.com/jenkinsci/cloverphp-plugin/pull/9
 - https://github.com/AlanArBras/TP_CSR/pull/1
 - https://github.com/ace-han/coordinator/pull/7
 - https://github.com/brianfrankcooper/YCSB/pull/1406
 - https://github.com/LightGuard/HolyCannoli-mongo/pull/1
 - https://github.com/jenkinsci/parameter-separator-plugin/pull/10
 - https://github.com/unitsofmeasurement/indriya/pull/272
 - https://github.com/devnull-tools/build-notifications-plugin/pull/22
 - https://github.com/rherrmann/eclipse-extras/pull/63
 - https://github.com/omarisai/eclipse-builder/pull/1
 - https://github.com/jenkinsci/azure-cli-plugin/pull/21
 - https://github.com/mewin/WorldGuard-Region-Events/pull/18
 - https://github.com/wlu-mstr/hbase-ormlite/pull/1
 - https://github.com/conveyal/matsim2gtfs/pull/1
 - https://github.com/torquebox/jruby-maven-plugins/pull/102
 - https://github.com/apache/myfaces-tobago/pull/26
 - https://github.com/rstoyanchev/spring-sockjs-protocol-webapp/pull/1
 - https://github.com/eclipse/mylyn.docs/pull/13
 - https://github.com/conveyal/cluster-broker/pull/1
 - https://github.com/tackley/guardian-configuration/pull/3
 - https://github.com/jenkinsci/console-tail-plugin/pull/3
 - https://github.com/jenkinsci/concurrent-run-blocker-plugin/pull/1
 - https://github.com/rubicon-project/prebid-cache-java/pull/34
 - https://github.com/vincentrussell/nexus3-x509-dn-security-plugin/pull/1
 - https://github.com/fordfrog/apgdiff/pull/267
 - https://github.com/palantir/eclipse-less/pull/10
 - https://github.com/keeps/roda/pull/1517
 - https://github.com/echurchill/CityWorld/pull/45
 - https://github.com/sasidhardw/circlecitest/pull/1
 - https://github.com/bootswithdefer/LogBlock/pull/7
 - https://github.com/apache/maven/pull/323
 - https://github.com/yanghua/banyan/pull/3
 - https://github.com/apache/tuscany-sdo/pull/3
 - https://github.com/LightGuard/arquillian-openwebbeans-war-support/pull/1
 - https://github.com/apache/empire-db/pull/10
 - https://github.com/medcl/elasticsearch-analysis-stconvert/pull/37
 - https://github.com/jenkinsci/extras-memory-monitor/pull/6
 - https://github.com/jenkinsci/javatest-report-plugin/pull/3
 - https://github.com/Stratehm/stratum-proxy/pull/114
 - https://github.com/qos-ch/slf4j/pull/231
 - https://github.com/orbisgis/h2gis/pull/1031
 - https://github.com/projeto-siga/siga/pull/1283
 - https://github.com/neo4j-contrib/graph-collections/pull/26
 - https://github.com/hantsy/angularjs-springmvc-sample/pull/19
 - https://github.com/jpmc216/akamai-replication-agent/pull/1
 - https://github.com/internetarchive/heritrix3/pull/310
 - https://github.com/OneBusAway/onebusaway-wiki-integration/pull/1
 - https://github.com/synopsys-arc-oss/job-restrictions-plugin/pull/2
 - https://github.com/flowdock/jenkins-flowdock-plugin/pull/19
 - https://github.com/mattmoor/oauth-credentials/pull/1
 - https://github.com/jruby/joni/pull/47
 - https://github.com/jenkinsci/disable-bitbucket-multibranch-status-plugin/pull/1
 - https://github.com/jenkinsci/selenium-plugin/pull/145
 - https://github.com/mojavelinux/seam-forge/pull/1
 - https://github.com/OpenNTF/SocialSDK/pull/1780
 - https://github.com/snicoll/spring-boot-daemon/pull/23
 - https://github.com/jenkinsci/configure-job-column-plugin/pull/3
 - https://github.com/jenkinsci/chef-tracking-plugin/pull/3
 - https://github.com/PeteGoo/tcSlackBuildNotifier/pull/178
 - https://github.com/spinscale/elasticsearch-river-streaming-json/pull/1
 - https://github.com/opoo/opoopress/pull/18
 - https://github.com/chostrander/Odds-N-Ends/pull/1
 - https://github.com/caelum/caelum-stella/pull/259
 - https://github.com/jenkinsci/database-sqlite-plugin/pull/4
 - https://github.com/smallnest/Jax-RS-Performance-Comparison/pull/8
 - https://github.com/cdapio/cdap/pull/11860
 - https://github.com/OpenSLX/eaas-server/pull/4
 - https://github.com/jenkinsci/job-exporter-plugin/pull/2
 - https://github.com/quintona/storm-pattern/pull/2
 - https://github.com/wso2/wso2-synapse/pull/1485
 - https://github.com/jenkinsci/font-awesome-icons-plugin/pull/1
 - https://github.com/01Sharpshooter/Social/pull/1
 - https://github.com/bols-blue/deploygate-plugin/pull/1
 - https://github.com/MayankSainiTk20/embed-grafana-graph/pull/1
 - https://github.com/jenkinsci/clif-performance-testing-plugin/pull/4
 - https://github.com/conveyal/datatools-service-alerts/pull/1
 - https://github.com/globalbioticinteractions/globalbioticinteractions/pull/459
 - https://github.com/Alluxio/alluxio/pull/10882
 - https://github.com/jenkinsci/codebeamer-xunit-importer-plugin/pull/5
 - https://github.com/fluorumlabs/async-manager/pull/5
 - https://github.com/zhaoshuxue/springBoot/pull/2
 - https://github.com/perf4j/perf4j/pull/23
 - https://github.com/apache/myfaces-extval/pull/17
 - https://github.com/sakaiproject/sakai/pull/7876
 - https://github.com/kfricilone/Taylir/pull/46
 - https://github.com/pentaho/pentaho-metaverse/pull/617
 - https://github.com/adrianmilne/esper-demo-nuclear/pull/2
 - https://github.com/hobbit-project/DataStorageBenchmark/pull/7
 - https://github.com/OneBusAway/onebusaway-gtfs-to-barefoot/pull/4
 - https://github.com/itesla/ipst/pull/382
 - https://github.com/xautlx/s2jh4net/pull/30
 - https://github.com/mhassanpur/crittercism-dsym/pull/1
 - https://github.com/tmobile/pacbot/pull/419
 - https://github.com/groupon/DotCi/pull/265
 - https://github.com/davidsoergel/jlibsvm/pull/15
 - https://github.com/matlux/jvm-breakglass/pull/23
 - https://github.com/kevinburke/doony/pull/99
 - https://github.com/apache/rya/pull/312
 - https://github.com/jenkinsci/nis-notification-lamp-plugin/pull/2
 - https://github.com/RestComm/smscgateway/pull/301
 - https://github.com/jwmach1/parameterized-scheduler/pull/12
 - https://github.com/easymock/easymock/pull/253
 - https://github.com/elastic/elasticsearch-hdfs/pull/10
 - https://github.com/mjeanroy/junit-servers/pull/138
 - https://github.com/palantir/eclipse-tslint/pull/30
 - https://github.com/john-westcott-iv/ansible-tower-plugin/pull/9
 - https://github.com/pwntester/SpringBreaker/pull/1
 - https://github.com/UrbanCode/ibm-continuous-release-plugin/pull/2
 - https://github.com/DavidNexuss/BullNexMC-Plugin/pull/1
 - https://github.com/sdorra/scm-manager/pull/2
 - https://github.com/vngx/vngx-jsch/pull/19
 - https://github.com/josefkarasek/eap-rolling-update/pull/2
 - https://github.com/OneBusAway/onebusaway-client-library-demo/pull/1
 - https://github.com/kmader/TIPL/pull/9
 - https://github.com/cfeclipse/cfeclipse/pull/130
 - https://github.com/childe/hangout/pull/151
 - https://github.com/USGS-CIDA/nude/pull/11
 - https://github.com/jenkinsci/page-note-plugin/pull/1
 - https://github.com/apetraru/bookstore/pull/3
 - https://github.com/hdiv/hdiv/pull/105
 - https://github.com/oyse/yedit/pull/51
 - https://github.com/aadnk/ProtocolLib/pull/170
 - https://github.com/microsoft/deep-space/pull/27
 - https://github.com/stevegal/jenkins-aws-bucket-credentials/pull/7
 - https://github.com/xwiki/xwiki-rendering/pull/180
 - https://github.com/v1v/jenkinslint-plugin/pull/20
 - https://github.com/jenkinsci/adaptive-disconnector-plugin/pull/1
 - https://github.com/krukow/clj-ds/pull/18
 - https://github.com/kamatama41/jenkins-deadmanssnitch-plugin/pull/5
 - https://github.com/e-biz/androidkickstartr/pull/118
 - https://github.com/IBM/microprofile-meeting-persistence/pull/2
 - https://github.com/terma/github-pr-coverage-status/pull/29
 - https://github.com/jenkinsci/catalogic-ecx-plugin/pull/2
 - https://github.com/adityasharad/lgtm-workshop/pull/2
 - https://github.com/GoogleCloudPlatform/datanucleus-appengine/pull/2
 - https://github.com/ingenieux/codecommit-url-helper/pull/5
 - https://github.com/dlsc-software-consulting-gmbh/WorkbenchFX/pull/193
 - https://github.com/mkremins/fanciful/pull/84
 - https://github.com/jenkinsci/java-client-api/pull/448
 - https://github.com/DaisyDiff/DaisyDiff/pull/13
 - https://github.com/OneBusAway/onebusaway-guice-jsr250/pull/1
 - https://github.com/RapidPM/rapidpm-dependencies/pull/30
 - https://github.com/magro/memcached-session-manager/pull/416
 - https://github.com/senseidb/bobo/pull/23
 - https://github.com/datablend/fluxgraph/pull/8
 - https://github.com/kuinne/somersaultcloud/pull/1
 - https://github.com/praveenkumar5766/Sonarqube-java/pull/1
 - https://github.com/jenkinsci/build-steps-from-json-plugin/pull/3
 - https://github.com/eclipse/deeplearning4j-examples/pull/941
 - https://github.com/agorava/agorava-core/pull/12
 - https://github.com/violetumleditor/violetumleditor/pull/61
 - https://github.com/USGS-CIDA/geo-data-portal/pull/284
 - https://github.com/jenkinsci/emma-plugin/pull/10
 - https://github.com/jenkinsci/consul-kv-builder-plugin/pull/13
 - https://github.com/jenkinsci/cucumber-trend-report-plugin/pull/2
 - https://github.com/uber-common/jvm-profiler/pull/65
 - https://github.com/MyCoRe-Org/mir/pull/438
 - https://github.com/apache/servicecomb-toolkit/pull/77
 - https://github.com/enlivenhq/teamcity-slack/pull/48
 - https://github.com/togglz/togglz/pull/361
 - https://github.com/apache/incubator-sdap-mudrod/pull/52
 - https://github.com/paulkrause88/subversion4cloudforge/pull/4
 - https://github.com/nielsbasjes/logparser/pull/55
 - https://github.com/jenkinsci/nodenamecolumn-plugin/pull/4
 - https://github.com/amuniz/bitbucket-branch-source-plugin/pull/22
 - https://github.com/ORCID/ORCID-Source/pull/5775
 - https://github.com/ncolomer/elasticsearch-osmosis-plugin/pull/29
 - https://github.com/AvanzaBank/astrix/pull/57
 - https://github.com/release-engineering/pom-manipulation-ext/pull/738
 - https://github.com/twitter/hraven/pull/172
 - https://github.com/Swagger2Markup/spring-swagger2markup-demo/pull/27
 - https://github.com/dadoonet/fscrawler/pull/896
 - https://github.com/gephi/gephi/pull/2171
 - https://github.com/jenkinsci/ghprb-plugin/pull/768
 - https://github.com/digidotcom/xbee-java/pull/152
 - https://github.com/jenkinsci/office-365-connector-plugin/pull/193
 - https://github.com/aluetjen/mongodb-document-upload/pull/1
 - https://github.com/jenkinsci/metrics-diskusage-plugin/pull/2
 - https://github.com/alphagov/pay-adminusers/pull/690
 - https://github.com/brunoribeiro/sql-parser/pull/1
 - https://github.com/k-qing/build-line-plugin/pull/1
 - https://github.com/52North/WeatherDataCollector/pull/5
 - https://github.com/arangamani/gem-publisher-jenkins/pull/2
 - https://github.com/bio2rdf/bio2rdf-scripts/pull/459
 - https://github.com/jenkinsci/lucene-search-plugin/pull/12
 - https://github.com/shasts/jsf-twitter-bootstrap/pull/2
 - https://github.com/apache/juddi/pull/7
 - https://github.com/mktmpio/mktmpio-jenkins-plugin/pull/1
 - https://github.com/seagull1985/LuckyFrameWeb/pull/7
 - https://github.com/thymeleaf/thymeleafsandbox-biglist-reactive/pull/2
 - https://github.com/GluuFederation/oxTrust/pull/1913
 - https://github.com/reficio/p2-maven-plugin/pull/153
 - https://github.com/upgundecha/ifttt-build-notifier/pull/3
 - https://github.com/jenkinsci/nodepool-agents-plugin/pull/41
 - https://github.com/freedomotic/freedomotic/pull/481
 - https://github.com/Credo-Zhao/init-spring/pull/3
 - https://github.com/matschaffer/corundum/pull/1
 - https://github.com/datanucleus/datanucleus-rdbms/pull/332
 - https://github.com/jenkinsci/ca-service-virtualization-plugin/pull/5
 - https://github.com/switchgears/extreme-feedback-plugin/pull/3
 - https://github.com/eclipse-ee4j/jersey/pull/4391
 - https://github.com/tomdz/sphinx-maven/pull/23
 - https://github.com/authorjapps/zerocode/pull/362
 - https://github.com/adityardesai/tikabuild/pull/1
 - https://github.com/joerghoh/cq5-healthcheck/pull/46
 - https://github.com/wy-scm/hidden-parameter-plugin/pull/1
 - https://github.com/angelozerr/angularjs-eclipse/pull/232
 - https://github.com/apache/servicemix-bundles/pull/141
😢 Apparently GitHub won't render 1,596 links.

Here is perhaps a more reasonable way to view this. (Maybe, not sure, it's still pretty bad):
JLLeitschuh/bulk-security-pr-generator#2

Here's a third way to view the data that uses the PR search/filter logic.

Report

This project builds on top of the original query running here:
https://lgtm.com/rules/1511115648721/

And the 'All For One' submission here: #21

I developed an automated tool that used data from LGTM to automatically create 1,596 PRs against all known projects vulnerable to this security issue.

The results according to data collected while the automated PR creation bot was running were that over the 2 days it took to run, I was able to fix 4387 vulnerabilities in 2320 files across 1596 projects!

So far, 252 of these PRs are in the 'closed' state at the time of this post.

Most of them are merges, others were closed and merged manually, or via different mechanisms, and very few were just closed outright. For most of the ones that were closed outright, the maintainers quickly archived the repository.

The automated tool used to fix this vulnerability can be found here:
https://github.com/JLLeitschuh/bulk-security-pr-generator
The save_points file contains all the data collected during the operation of this tool.


  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

Heck yea! I live streamed doing it too!
https://twitter.com/JLLeitschuh/status/1226995322825695233

CPP: Missing/incomplete TLS server certificate hostname validation

Fixes/Issues/CVE ID(s)

  • CVE-2020-13615 qorelanguage/qore: qorelanguage/qore#3820 - super quick fix, and include examples on reporting the underlying verification error. We should explore reserving a CVE for this.
  • CVE-2020-13616 pichi-router/pichi - pichi-router/pichi@4698664 super quick fix!
  • CVE-2020-13614 axel-download-accelerator/axel - axel-download-accelerator/axel#263 - fix has landed. We should explore reserving a CVE for this.
  • arvidn/libtorrent - arvidn/libtorrent#4415 - fix has landed, defense in depth to verify trackers, and protect the confidentiality of connections, for example Ubuntu's. Cannot imagine more impact from a MITM in this situation.
  • others are in-progress where an issue has been opened or email notification acknowledged.

Report

Here are the queries that will help you find bugs: #55 and a README.md is provided with a quick description of each bug type.

The root cause is that OpenSSL and Boost ASIO APIs do not verify hostnames of TLS server certificates. If a client loads root CAs from the OS, it is vulnerable to a MITM. The problem is well documented here: https://github.com/iSECPartners/ssl-conservatory and examples on how to fix the bug exist on the OpenSSL wiki: https://wiki.openssl.org/index.php/Hostname_validation

It is possible to test TLS clients using sslsplit or using an example CA and localhost + fake certificate described here: https://gist.github.com/theopolis/aeaa8e4808f6b09328dd6996a2ed6c34. When using this example, the TLS client under test connects to localhost and should reject the fake certificate.

[X] Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

Maybe in the distant future, if anyone else is planning something similar I am happy to help them.

Edit: Yes, planning on a recap post about how these issues show up in all types of tools.

Python : Add Xpath injection query

CVE

There is no CVE for this.

Report

This adds an XPath injection query to codeql-python. It models the lxml package.

It detects the following code patterns.

f = StringIO('<foo><bar></bar></foo>')
tree = etree.parse(f)
r = tree.xpath('`sink`')

root = etree.XML("<xmlContent>")
find_text = etree.XPath("`sink`")

root = etree.XML("<xmlContent>")
find_text = etree.EtXPath("`sink`")

The PR also includes necessary tests for the same.

Link to the corresponding PR [github/codeql#3522]

CodeQL query to detect open Spring Boot actuator endpoints

CVE ID(s)

There's no CVE for this.

Report

I created a query to detect open (unauthenticated) Spring Boot actuators that can lead to sensitive information disclosure or even RCE.

The details are present in PR: github/codeql#2901

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

Java: CWE-297 Insecure JavaMail SSL configuration

CVE ID(s)

List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database.

Report

Describe the vulnerability. Provide any information you think will help GitHub assess the impact your query has on the open source community.
JavaMail is commonly used in Java applications for sending emails. There are some other popular third-party libraries like Apache Commons Email which are built on JavaMail and facilitate the integration. Authenticated mail sessions require user credentials and mail sessions can require SSL/TLS authentication.

It is a common security vulnerability that host-specific certificate data is not validated or is incorrectly validated. Failing to validate the certificate makes the SSL session susceptible to a man-in-the-middle attack.

This query validates configuration of both JavaMail and SimpleMail. I've tested the query against some popular GitHub projects. The relevant PR is 3491.

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing
    Yes, CodeQL is very cool and I'm glad to contribute to the query library.

CodeQL query for finding ReDoS and Regex Injection vulnerabilities in Java

CVE ID(s)

There's no CVE for this.

Report

I created 2 queries to detect ReDoS and Regex Injection vulnerabilities in Java.
The details including the list of covered cases (with examples) are present in PR: github/codeql#2743

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

[USERNAME]: [SUMMARY]

CVE ID(s)

List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database.

  • CVE-20nn-nnnnn

Report

Describe the vulnerability. Provide any information you think will help GitHub assess the impact your query has on the open source community.

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

Python : Add support for detecting XSLT Injection

CVE

There is no CVE for this.

Report

This adds an XSLT injection query to codeql-python. It models the lxml package.

It detects the following code patterns.

root = etree.XML("<xmlContent>")
find_text = etree.XSLT("`sink`")

sink = etree.XML(xsltQuery)
tree = etree.parse(f)
result_tree = tree.xslt(sink)

The PR also includes necessary tests for the same.

Link to the corresponding PR: [github/codeql#3521]

Java: Using Custom Approval template with old spring security oauth library can lead to remote code execution

CVE ID(s)

Report

Spring Security OAuth, versions 2.3 prior to 2.3.3 and 2.2 prior to 2.2.2 and 2.1 prior to 2.1.2 and 2.0 prior to 2.0.15 and older unsupported versions, contains a remote code execution vulnerability. A malicious user or attacker can craft an authorization request to the authorization endpoint that can lead to a remote code execution when the resource owner is forwarded to the approval endpoint.

Spring Security has an OAuth solution for solving single sign-on requirements. If developers use this library with an old Spring Security OAuth library and the default approval page, the developer will be affected by this vulnerability.

The OAuth authorization code flow is shown below. CVE-2018-1260 is focused on step 4. RCE attacks happen in step 4 if the developer used the default approval page. To prevent it, a custom approval page or the latest jar should be used.

image

Related pull request:
github/codeql#3140

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing
    Yes.

CWE-094 ScriptEngine in java

CVE ID(s)

No CVE

Report

Using ScriptEngine in java without any protection could lead to arbitrary code execution. github/codeql#2850

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

CodeQL query to find if a Django application is vulnerable to CSRF

CVE ID(s)

There's no CVE for this.

Report

When a Django project is created, the CSRF middleware is activated by default in the MIDDLEWARE setting, thereby providing CSRF protection to all the views. It is also possible to disable this to make development easier, and unless decorators such as csrf_protect() are used to protect every single critical view, the application will be vulnerable to Cross-Site Request Forgery (CWE-352).

CSRF protection can be enabled/disabled by adding/removing django.middleware.csrf.CsrfViewMiddleware from the MIDDLEWARE variable.

This PR adds a CodeQL query with unit tests, which checks if any form of CSRF prevention mechanism is enabled.

CSRF mechanism tested:

  1. Presence of django.middleware.csrf.CsrfViewMiddleware in the MIDDLEWARE variable.
  2. Presence of any decorators such as requires_csrf_token(), ensure_csrf_cookie(), csrf_protect()
  3. Presence of an import of the CsrfViewMiddleware class

The details are present in PR: github/codeql#3296

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

Add check for disabled HTTPOnly setting in Tomcat

CVE ID(s)

There's no CVE for this.

Report

Tomcat beyond version 6 has HttpOnly enabled for JSESSIONID by default. But it's possible to disable it, which allows an attacker to get another user's session ID via a Cross-Site Scripting (XSS) attack.

CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag (https://cwe.mitre.org/data/definitions/1004.html)

Tomcat HttpOnly can be disabled via web.xml configuration by adding the config below

useHttpOnly false

I created a CodeQL check (Semmle/ql#2912, github/codeql#2912) which finds all Tomcat web.xml files that set useHttpOnly to false.

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

Java : add MongoDB injection sinks

CVE

There is no CVE for this.

Report

This query adds MongoDB NoSQL injection sinks. It models the official mongodb-java driver.

It detects the following code patterns.

DBObject databaseQuery = (DBObject) JSON.parse("sink");

and

BasicDBObject bdb = BasicDBObject.parse("sink");

Link to the PR: [github/codeql#3542]

CodeQL query for MVEL injections

CVE ID(s)

Report

I added a query that looks for expression language injections via MVEL, please see github/codeql#3329

MVEL is a powerful expression language that allows, in particular, calling arbitrary methods. That may lead to arbitrary code execution. In the past, there were several issues (not reported by myself) due to unsafe evaluation of MVEL expressions:

  • CVE-2014-3120: RCE in Elasticsearch, see also this blog post

  • CVE-2013-6468: RCE in Drools

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

I am planning to write a blog post about the query I wrote and catching MVEL injections with CodeQL.

Java: CWE-532 sensitive info logging

CVE ID(s)

List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database.
CVE-2019-10212 (not reported by me)

There are many other examples of this category in the CVE database.

PR:
Semmle/ql#3090
Semmle/ql#3487

Report

Describe the vulnerability. Provide any information you think will help GitHub assess the impact your query has on the open source community.

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. Third-party logging utilities like Log4J and SLF4J are widely used in Java projects. When sensitive information is written to logs without properly set logging levels, it is accessible to potential attackers who gain access to the file storage.

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

CSHARP: Experimental query for tainted WebClient

CVE ID(s)

No CVE.
I found an instance of this issue in a private code repository, this code pattern is mentioned also in the following presentation https://youtu.be/E5_S_Yip3gc?t=559

Report

The WebClient class provides a variety of methods for data transmission and communication with a particular URI. Despite the class's naming convention, the URI scheme can also identify local resources, not only remote ones. Tainted by user-supplied input, the URI can be leveraged to access resources available on the local file system, therefore leading to the disclosure of sensitive information. This can be trivially achieved by supplying path traversal sequences (../) followed by an existing directory or file path.

Sanitization of user-supplied URI values using the StartsWith("https://") method is deemed insufficient in preventing arbitrary file reads. This is due to the fact that .NET ignores the protocol handler (https in this case) in URIs like the following: "https://../../../../etc/passwd".

I think that the query is especially interesting since this is a "mistake" that a developer can easily make unless they deeply know the internals of the function and .NET.

The query has already been merged into the official repo: github/codeql#3486

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

CodeQL query to detect insecure MaxLengthRequest values in ASP.NET applications

Report

ASP.NET applications with a large MaxLengthRequest are vulnerable to denial of service attacks. The recommended value by Microsoft is 4096 KB (4 MB), so anything larger than that gets flagged as a warning. This check corresponds to CWE-016, which didn't exist previously in QL and corresponds to common insecure configurations.

This issue is still commonly found in ASP.NET applications and has been related to the mitigations of other CVEs in the past such as:

CodeQL query PR: github/codeql#2355

Netty HTTP Response Splitting (CRLF Injection) due to disabled header validation

CVE ID(s)

I also updated the netty documentation to call this out more explicitly to developers in the future:
netty/netty#9646

Report

Query: github/codeql#2192

This query detects uses of new DefaultHttpHeaders(false), which disables the internal CRLF injection checks of netty, leaving the library vulnerable to CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting').

I actually didn't end up using this query to find CVE-2019-17513 or CVE-2019-16771, instead, I found them using the fuzzy search built into GitHub. I do, however, hope that this query will prevent this vulnerability from appearing in the future.

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

[Java] CWE-939 - Address improper URL authorization

CVE ID(s)

List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database.

  • CVE-2020-11000

Some GitHub projects where this issue was detected by the new CodeQL query and which have addressed the problem are:

The first project (/slymax/webview) has been forked over 340 times. This issue is very common in Android applications allowing leakage of sensitive user information.

Report

Describe the vulnerability. Provide any information you think will help GitHub assess the impact your query has on the open source community.

This report is associated with CodeQL PR #3236.

Apps that rely on URL parsing to verify that a given URL is pointing to a trusted server may be susceptible to many different ways to get URL parsing and verification wrong, which allows an attacker to register a fake site to break the access control. As the webview of affected mobile applications trusts the fake site, sensitive user information like access tokens and session cookies can be disclosed to attackers.

As demonstrated in Common Android app vulnerabilities from Sebastian Porst of Google, this is a very common issue with commercial Android applications.

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

Yes, I think making the community aware of this issue publicly and widely will help a lot of projects.

CodeQL query for disabled revocation checking

CVE ID(s)

The query found several places in Apache CXF and Cloudstack where certificate revocation checking was disabled:

Report

I added a query that looks for disabled revocation checking in Java, please see github/codeql#3436

Using a revoked certificate may be dangerous. One of the most common reasons why a certificate authority (CA) revokes a certificate is that the private key has been compromised. For example, the private key might have been stolen by an adversary.

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

I am planning to write a blog post about the query I wrote and catching such issues with CodeQL.

Java: PRNG used when CSPRNG is required

PRNG -> Pseudorandom Number Generator (predictably random)
CSPRNG -> Cryptographically Secure Pseudorandom Number Generator

CVE ID(s)

Most of these were not found using CodeQL. Most of them were found using GitHub's fuzzy code search.

I've got at least one CVE in flight for this currently.

Report

The goal of this query is to detect the use of a PRNG like java.util.Random, org.apache.commons.lang.RandomStringUtils, org.apache.commons.text.RandomStringGenerator, or java.util.concurrent.ThreadLocalRandom in a security sensitive context.
Security sensitive would be things like password reset URLs, token cookies, & temporary reset passwords.

This vulnerability can have up to a CVSSv3 score of 9.8/10 depending upon the use of the insecure data generated.

Query

The query can be found here: github/codeql#2694

Talk about the Query?

Sure, why not.

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing
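Added example, not the issue's query or code from any project it names: a reset token drawn from java.util.Random (the kind of sink the query flags) beside the SecureRandom replacement, with the token format and seed constructed for the demo.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

/**
 * Why a PRNG is unfit for reset tokens: java.util.Random's output is a pure
 * function of its 48-bit seed, so anyone holding the seed holds every token.
 * SecureRandom is the CSPRNG that belongs in this position.
 */
public final class ResetTokens {

    private static final String ALPHANUM = "abcdefghijklmnopqrstuvwxyz0123456789";

    /** What the query flags: a PRNG feeding a security-sensitive value (constructed alphanumeric format). */
    static String weakToken(Random rng, int len) {
        StringBuilder sb = new StringBuilder(len);
        for (int i = 0; i < len; i++) {
            sb.append(ALPHANUM.charAt(rng.nextInt(ALPHANUM.length())));
        }
        return sb.toString();
    }

    /** Fix: SecureRandom draws from the platform CSPRNG; 16 raw bytes give 128 bits of entropy. */
    static String strongToken(SecureRandom rng) {
        byte[] raw = new byte[16];
        rng.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** True when two generators started from the same seed emit the same token. */
    static boolean reproducible(long seed, int len) {
        return weakToken(new Random(seed), len).equals(weakToken(new Random(seed), len));
    }

    public static void main(String[] args) {
        // java.util.Random: same seed, same token. new Random() seeds itself from the
        // clock and an internal counter, neither of which is a secret.
        System.out.println("Random reproducible: " + reproducible(42L, 20)); // constructed seed

        // SecureRandom: no caller-visible seed, fresh OS entropy, distinct tokens.
        SecureRandom rng = new SecureRandom();
        String a = strongToken(rng);
        String b = strongToken(rng);
        System.out.println("SecureRandom tokens collide: " + a.equals(b));
    }
}
```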

Divide and conquer broken for large values, due to overflow (CWE-190)

CVE ID(s)

There's no CVE for this.

Report

Divide and conquer algorithms like binary search or merge sort have to calculate a mid point when they are dividing the task (splitting the task into [low, mid] and [mid, high]). This is often done as mid = (low+high)/2, but this will fail when low and high are big numbers (2^30). In this case overflow will have happened (before the division), leading to a negative value. Using this negative value to access an array will then lead to an ArrayIndexOutOfBoundsException.

Running this query on the demo lgtm.com projects will generate 5 hits.
2 hits (first and second) are kind of false positives, because they are binary searching a fixed size array.
Nevertheless, the code is still (potentially) broken for large values.

It's probably quite hard to (remotely) exploit this problem, since an array would need to have at least 2^30 elements and an application will probably fail with an OOM before that.

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

Query: github/codeql#2838
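Added example, not code from the issue or its query: the overflowing midpoint beside the fixed one inside a binary search. The sorted data is a hypothetical monotonic function of the index (an IntUnaryOperator) rather than an int[], so indices above 2^30 can be reached without allocating the gigabytes the post mentions.

```java
import java.util.function.IntUnaryOperator;

public final class MidpointOverflow {

    /** Broken: low + high wraps negative as soon as it exceeds Integer.MAX_VALUE (CWE-190). */
    static int midUnsafe(int low, int high) {
        return (low + high) / 2;
    }

    /** Fixed: the unsigned shift reads the wrapped sum as a 32-bit unsigned value, so the result stays in [low, high]. */
    static int midSafe(int low, int high) {
        return (low + high) >>> 1;          // equivalently: low + (high - low) / 2
    }

    /**
     * Binary search for key over indices [0, length) of the monotonic sequence valueAt.
     * Returns the index, or -1 if absent. Throws when the midpoint leaves the window,
     * which is exactly where a real int[] would throw ArrayIndexOutOfBoundsException.
     */
    static int binarySearch(IntUnaryOperator valueAt, int length, int key, boolean useSafeMid) {
        int low = 0;
        int high = length - 1;
        while (low <= high) {
            int mid = useSafeMid ? midSafe(low, high) : midUnsafe(low, high);
            if (mid < low || mid > high) {
                throw new IllegalStateException("midpoint " + mid + " outside [" + low + ", " + high + "]");
            }
            int value = valueAt.applyAsInt(mid);
            if (value < key) {
                low = mid + 1;
            } else if (value > key) {
                high = mid - 1;
            } else {
                return mid;
            }
        }
        return -1;
    }

    public static void main(String[] args) {
        // Constructed sequence: element i has value i, so key k must be found at index k.
        IntUnaryOperator identity = i -> i;
        int length = Integer.MAX_VALUE;
        int key = 1_800_000_000;   // above 2^30: on the second probe low + high exceeds Integer.MAX_VALUE

        System.out.println("safe midpoint found index " + binarySearch(identity, length, key, true));
        try {
            binarySearch(identity, length, key, false);
        } catch (IllegalStateException e) {
            System.out.println("unsafe midpoint: " + e.getMessage());
        }
    }
}
```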

XPath Injection query in java

CVE ID(s)

No CVE

Report

An XPath injection query is available for C# and JavaScript but not for Java. Created an XPath injection query for Java: github/codeql#2800

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing
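Added example, not code from the issue or its query: the concatenated-query sink such a Java query looks for, beside the parameterised form using the JDK's XPathVariableResolver. The user data is a constructed in-memory document.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public final class XPathInjectionDemo {

    // Constructed sample data; a real application would load it from a store.
    static final String USERS =
          "<users>"
        + "<user name='alice' role='admin'/>"
        + "<user name='bob' role='user'/>"
        + "</users>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs needed here
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /** VULNERABLE (CWE-643): the untrusted name becomes part of the XPath syntax. */
    static String roleOfUnsafe(Document doc, String name) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        String expr = "string(//user[@name='" + name + "']/@role)";   // sink
        return (String) xp.evaluate(expr, doc, XPathConstants.STRING);
    }

    /** FIXED: the name is bound as the variable $name and is never parsed as XPath. */
    static String roleOfSafe(Document doc, String name) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setXPathVariableResolver(v -> "name".equals(v.getLocalPart()) ? name : null);
        String expr = "string(//user[@name=$name]/@role)";
        return (String) xp.evaluate(expr, doc, XPathConstants.STRING);
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(USERS);
        String honest = "bob";
        String crafted = "bob' or @name='alice";   // rewrites the predicate in the unsafe form

        System.out.println("unsafe, honest input:  " + roleOfUnsafe(doc, honest));
        System.out.println("unsafe, crafted input: " + roleOfUnsafe(doc, crafted)); // alice's role leaks
        System.out.println("safe, honest input:    " + roleOfSafe(doc, honest));
        System.out.println("safe, crafted input:   '" + roleOfSafe(doc, crafted) + "'"); // no such user: empty
    }
}
```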

CodeQL query to detect weak (duplicated) encryption keys for ASP.NET Telerik Upload

Report

ASP.NET Telerik upload allows developers to easily manage file uploads. The transmission between the client and the server must be encrypted and impossible to decode, so the data cannot be used by a malicious entity in an attack against the server. The main security recommendation for Telerik is setting custom unique strong random values for Telerik.AsyncUpload.ConfigurationEncryptionKey and Telerik.Upload.ConfigurationHashKey. This check corresponds to CWE-310, which didn't exist previously in QL and corresponds to cryptographic errors.

CodeQL query PR: github/codeql#2359

Java: Add SSRF query for Java

CVE ID(s)

There are no CVEs found with this query yet as this has not been tested against projects on lgtm.

Report

An SSRF vulnerability allows an attacker to make the victim server communicate with an attacker-controlled server. This is usually a critical issue which can lead to an RCE.

  • My PR adds support for the following APIs:
    • Java 11 java.net.http package
    • Apache HttpClient
  • It also models flows through the URI and URL classes.
  • It also includes library tests, query tests and qhelp files along with nicely documented code.

Please note, github/codeql#3452 tackles a similar issue, but there are quite a few differences between this one and that. I have written a brief over here.

Link to corresponding PR: [github/codeql#3454]

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

Yes, I have around 10 PRs open as of now across both the codeql repos. I also have a few more ideas which I plan to write a query for. Once I am done with those, I plan on writing a set of blogs documenting the process of writing a query from scratch. That would ideally help attract newcomers to codeql.

CodeQL query to detect OGNL injections

CVE ID(s)

There's no CVE for this.

Report

I created a query to detect OGNL injections in Java code. The query raises a flag if a user-provided OGNL expression is evaluated. The OGNL library and Struts2 (OgnlUtil class) are supported.

The details are present in PR: github/codeql#3294

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

[Java]: CWE-523 Insecure HSTS configuration

CVE ID(s)

List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database.

Report

Describe the vulnerability. Provide any information you think will help GitHub assess the impact your query has on the open source community.
HSTS (HTTP Strict Transport Security) is a web security policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. HSTS is specified in RFC 6797 and is supported by all major browsers and web servers. Missing or incorrect configuration allows unprotected transport of credentials.

HSTS started to be widely accepted and configured in recent years. This query detects insecure HSTS configuration with the Tomcat server. I've tested the query against some GitHub projects, and a test case has been submitted as well. The relevant PR is PR #3534.

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing
    Yes, I enjoy working with CodeQL queries and contributing to the project.

CodeQL query to detect Unified EL injections

CVE ID(s)

There's no CVE for this.

Report

I created a query to detect Unified EL (javax.el) injections in Java code. The query raises a flag if a user-provided expression is evaluated. ExpressionFactory.createValueExpression, ExpressionFactory.createMethodExpression and ELProcessor are supported.

The details are present in PR: github/codeql#3323

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

Dynamic reflection class

CVE ID(s)

None

Report

Created query for unsafe reflection in java github/codeql#2756

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

CodeQL query to detect XSLT injections

CVE ID(s)

There's no CVE for this.

Report

I created a query to detect XSLT injections in Java code. The query raises a flag if a user-provided XSLT stylesheet is processed. StreamSource, SAXSource, StAXSource and DOMSource are supported, as well as creating the Transformer via Templates.

XSLT injection can lead to RCE.

The details are present in PR: github/codeql#3363

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

CodeQL query to detect Server-Side Template Injections (JavaScript)

CVE ID(s)

There's no CVE for this.

Report

I created a query to detect Server-Side Template Injections in several popular rendering engines: jade/pug, dot, ejs and nunjucks. Usually, such template injections lead to RCE.
The details are present in PR github/codeql#3394, which contains a query to detect SSTI and a help page with description and examples.

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

CodeQL query for finding CSRF vulnerabilities in Spring applications

CVE ID(s)

There's no CVE for this.

Report

Spring has built-in CSRF protection. However, it's possible to disable it, which most likely makes the application vulnerable to Cross-Site Request Forgery (CWE-352).

Spring CSRF protection can be disabled via Java configuration (more details here):

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
  @Override
  protected void configure(HttpSecurity http) {
    http
      .csrf(csrf ->
        csrf.disable()
      );
  }
}

I created a CodeQL check (github/codeql#2586) which finds all invocations of CsrfConfigurer.disable() method.

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

Go/CWE-643: XPath Injection Query in Go

CVE ID(s)

  • None

Report

OWASP on XPath Injection:

XPath Injection attacks occur when a web site uses user-supplied information to construct an XPath query for XML data. By sending intentionally malformed information into the web site, an attacker can find out how the XML data is structured, or access data that he may not normally have access to.

github/codeql-go#66

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

Python : Add query to detect Server Side Template Injection

CVE

This is a very common issue. Multiple blogs and hackerone reports cover this. I am including a few of them here.

  1. uber.com may RCE by Flask Jinja2 Template Injection
  2. RCE with Flask Jinja Template Injection
  3. CVE-2019-8341 (disputed)
  4. Exploring SSTI in Flask/Jinja2
  5. Uber Remote Code Execution - Uber.com Remote Code Execution via Flask Jinja2 Template Injection
  6. Jinja2 Server Side Template Injection Research

Report

This query detects instances where user input is embedded in a template in an unsafe manner.

The PR adds support for multiple Python templating engines. As of now it covers:

  1. Django Templating Engine
  2. Jinja Templating Engine [7000 stars]
  3. Chameleon Templating Engine [106 stars]
  4. Mako Templating Engine [81 stars]
  5. Genshi Templating Engine [35 stars]
  6. Trender Templating Engine [16 stars]
  7. cheetah
  8. chevron
  9. airspeed

The PR also includes tests along with well-documented code.

Link to the PR: github/codeql#3396

--- Edit history:
25 June: updated the list of template engines and added a few references to the CVE section.

CodeQL query for SpEL injections

CVE ID(s)

Report

CVE-2018-1273 is an RCE in older versions of Spring Data Commons. The library builds a SpEL expression using user input and then runs it in a powerful context. This type of issue is also known as Expression Language Injection. This issue was identified and reported by Philippe Arteau from GoSecure. I added a query that looks for tainted data flows which may result in a SpEL injection, please see github/codeql#3291

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

I am planning to write a blog post about the query I wrote and catching SpEL injections with CodeQL.
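
The "powerful context" mentioned above is StandardEvaluationContext. The following is an added example, not code from the issue, from Spring Data or from the CodeQL repository: it shows the unsafe sink beside the restricted evaluation context Spring introduced for exactly this situation. The Order class and the probe expression are constructed for illustration.

```java
// Added example, not from the issue or the CodeQL repo. Order and the probe are constructed.
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelInjectionDemo {

  // Root object the expression is evaluated against.
  public static class Order {
    private final String customer = "alice";
    private final int items = 3;
    public String getCustomer() { return customer; }
    public int getItems() { return items; }
  }

  private static final ExpressionParser PARSER = new SpelExpressionParser();

  // VULNERABLE sink: the attacker-controlled string is parsed as SpEL and evaluated in a
  // StandardEvaluationContext, which permits type references T(...), constructors and
  // any method call on any reachable object.
  static Object evaluateUnsafe(String userExpression, Order root) {
    return PARSER.parseExpression(userExpression).getValue(new StandardEvaluationContext(root));
  }

  // HARDENED: SimpleEvaluationContext (Spring 4.3.15+) with read-only data binding resolves
  // only properties of the root object; T(...), method invocation, assignment and bean
  // references throw SpelEvaluationException instead of executing.
  static Object evaluateRestricted(String userExpression, Order root) {
    EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
    return PARSER.parseExpression(userExpression).getValue(ctx, root);
  }

  public static void main(String[] args) {
    Order order = new Order();
    String legitimate = "customer";
    // Constructed probe: a harmless type reference that shows the context exposes the JVM.
    String probe = "T(java.lang.System).getProperty('java.version')";

    System.out.println(evaluateUnsafe(legitimate, order));     // alice
    System.out.println(evaluateUnsafe(probe, order));          // the running JVM's version
    System.out.println(evaluateRestricted(legitimate, order)); // alice
    try {
      evaluateRestricted(probe, order);
    } catch (SpelEvaluationException e) {
      System.out.println("rejected: " + e.getMessageCode());   // e.g. TYPE_NOT_FOUND
    }
  }
}
```

When an application genuinely needs users to write expressions (sort keys, filters), the restricted context is the right sink to migrate to; when it only needs to read a property by name, it should not be parsing SpEL at all.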

CodeQL query to detect pages with validationRequest disabled

Report

Request validation is a feature in ASP.NET that protects web applications against potentially malicious content in requests, specifically against cross-site scripting attacks.

This issue is still commonly found in custom ASP.NET applications. Vulnerabilities found in commercial products are normally marked as XSS:

CodeQL query PR: github/codeql#2358

Adds CodeQL query to check for insecure RequestValidationMode in ASP.NET

Report

ASP.NET applications ship with requestValidationMode enabled by default, as it consists of built-in validations that protect against code injection. It is not recommended to set it to any value other than 4.5, as doing so disables some or all protections for HTTP requests. This check belongs to the category CWE-016, which didn't exist previously in QL and corresponds to common insecure configurations.

This issue is still commonly found in ASP.NET applications and CVEs caused by this usually get labeled as code injection vulnerabilities:

CodeQL query PR: github/codeql#2356

Initial websocket support for Javascript (SockJS)

CVE ID(s)


  • CVE-2020-11537
    An attacker can execute arbitrary SQL queries via injection to DocID parameter of Websocket API.

Report

Maybe later, as part of a CodeQL usage summary.

Java : Add query to detect Server Side Template Injection

CVE

This query has not been tested against all LGTM projects, so there is no CVE found using this PR.

Report

This query detects instances where user input is embedded in a template in an unsafe manner.

The PR adds support for multiple Java templating engines. As of now it covers

  1. Velocity Templating Engine
  2. Freemarker Templating Engine
  3. Pebble Templating Engine

I also plan on including the Jinjava Templating Engine

The PR is as of now a WIP. I can't get the unit tests to run properly as the stubs for the libraries are not yet included. I had raised this concern over Slack a few days back, but I haven't received any responses yet.

Link to the PR: github/codeql#3353
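
Both the Python and the Java SSTI submissions above describe the same sink: user input that becomes template source rather than template data. The following is an added example, not code from either issue or from the CodeQL repository, using FreeMarker (one of the engines the Java PR covers) since Java is the language of most code on this page; in Python the equivalent sink is Flask's render_template_string or jinja2.Template applied to a user string. The probe input is constructed.

```java
// Added example, not from the issues or the CodeQL repo. The probe input is constructed.
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Map;

public class SstiDemo {

  private static final Configuration CFG = new Configuration(Configuration.VERSION_2_3_31);

  static {
    // Defence in depth: block ?new() / ?api access to arbitrary classes from inside templates.
    // This does not make evaluating user-written templates safe; it only narrows the blast radius.
    CFG.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
  }

  // VULNERABLE: user input is concatenated into the template *source*, so ${...} and <#...>
  // directives inside it are interpreted. This is the pattern the query flags.
  static String greetUnsafe(String userName) throws IOException, TemplateException {
    String source = "Hello " + userName + "!";
    Template template = new Template("greeting", new StringReader(source), CFG);
    StringWriter out = new StringWriter();
    template.process(Map.of(), out);
    return out.toString();
  }

  // SAFE: the template source is a constant; user input reaches it only as a data-model
  // value, which the engine treats as text, never as template code.
  static String greetSafe(String userName) throws IOException, TemplateException {
    Template template = new Template("greeting", new StringReader("Hello ${name}!"), CFG);
    StringWriter out = new StringWriter();
    template.process(Map.of("name", userName), out);
    return out.toString();
  }

  public static void main(String[] args) throws Exception {
    // Constructed probe: the usual SSTI canary. If the engine evaluates it, the input was
    // treated as code, and a real payload would travel through the same channel.
    String probe = "${7*7}";
    System.out.println(greetUnsafe(probe)); // Hello 49!
    System.out.println(greetSafe(probe));   // Hello ${7*7}!
  }
}
```

The same split applies to Velocity (Velocity.evaluate on a user string versus a VelocityContext value) and Pebble (compiling a literal template versus passing a context map): the query's sink is the call that turns a string into a template, and the fix is to make that string a constant.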

CodeQL query to detect JNDI injections

CVE ID(s)

There's no CVE for this.

Report

I created a query to detect JNDI injections in Java code. The query raises a flag if a user-provided name is used in a JNDI lookup. JNDI InitialContext as well as Spring's and Apache Shiro's JndiTemplate are supported.

The details are present in PR: github/codeql#3288

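
The following is an added example, not code from the issue or from the CodeQL repository: the flagged sink (InitialContext.lookup on a user-provided name) beside two ways of removing the user's control over the name. The resource names and keys are assumptions for illustration, and main() contacts no naming service.

```java
// Added example, not from the issue or the CodeQL repo. Resource names are assumptions.
import java.util.Map;
import java.util.regex.Pattern;
import javax.naming.InitialContext;
import javax.naming.NamingException;

public class JndiLookupDemo {

  // VULNERABLE: the name comes straight from the request. JNDI treats a "scheme:" prefix
  // such as ldap://, rmi:// or dns:// as a URL context and contacts that server, so the
  // attacker chooses whom the application talks to (and, on JDKs or configurations that
  // still allow remote codebases, which classes it loads).
  static Object lookupUnsafe(String userSuppliedName) throws NamingException {
    return new InitialContext().lookup(userSuppliedName);
  }

  // HARDENED, preferred form: input selects a key; the JNDI name itself is fixed in code.
  private static final Map<String, String> RESOURCES = Map.of(
      "orders", "java:comp/env/jdbc/ordersDb",
      "mail",   "java:comp/env/mail/session");

  static Object lookupByKey(String key) throws NamingException {
    String name = RESOURCES.get(key);
    if (name == null) {
      throw new IllegalArgumentException("unknown resource key: " + key);
    }
    return new InitialContext().lookup(name);
  }

  // HARDENED, fallback when the name must be dynamic: accept only names inside the
  // container's local namespace with a conservative character set, so neither a URL
  // scheme nor an unexpected separator can be smuggled in.
  private static final Pattern LOCAL_NAME =
      Pattern.compile("java:comp/env/[A-Za-z0-9_.-]+(/[A-Za-z0-9_.-]+)*");

  static boolean isLocalJndiName(String name) {
    return name != null && LOCAL_NAME.matcher(name).matches();
  }

  static Object lookupValidated(String userSuppliedName) throws NamingException {
    if (!isLocalJndiName(userSuppliedName)) {
      throw new IllegalArgumentException("JNDI name rejected");
    }
    return new InitialContext().lookup(userSuppliedName);
  }

  public static void main(String[] args) {
    // Constructed inputs; nothing is looked up here.
    System.out.println(isLocalJndiName("java:comp/env/jdbc/ordersDb")); // true
    System.out.println(isLocalJndiName("ldap://attacker.example/a"));    // false
    System.out.println(isLocalJndiName("java:comp/env/jdbc/x:y"));       // false
  }
}
```

Spring's JndiTemplate.lookup and Shiro's JndiTemplate.lookup, the other sinks the query covers, take the same kind of name string and need the same treatment.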

CodeQL query for unsafe TLS versions

CVE ID(s)

Report

I added a query that looks for unsafe TLS versions in Java, please see github/codeql#3438

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

I am planning to write a blog post about the query and catching such issues with CodeQL.
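
The following is an added example, not code from the issue or from the CodeQL repository: a context pinned to a legacy protocol name beside a socket that states the acceptable versions explicitly. Host and port are parameters; nothing here connects unless called.

```java
// Added example, not from the issue or the CodeQL repo.
import java.io.IOException;
import java.security.GeneralSecurityException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;

public class TlsVersionDemo {

  // WEAK: the context is pinned to a legacy protocol name. Recent JDKs disable SSLv3,
  // TLSv1 and TLSv1.1 through jdk.tls.disabledAlgorithms, but code that asks for them
  // explicitly still negotiates them wherever that policy has been relaxed, and it
  // records an intent to speak a version with known attacks (BEAST, POODLE, weak ciphers).
  static SSLContext legacyContext() throws GeneralSecurityException {
    SSLContext ctx = SSLContext.getInstance("TLSv1");
    ctx.init(null, null, null);
    return ctx;
  }

  // HARDENED: request the generic "TLS" context, then state the acceptable versions on
  // the socket instead of inheriting whatever the JDK build enables by default.
  static SSLSocket modernSocket(String host, int port) throws GeneralSecurityException, IOException {
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, null, null); // default key and trust managers, default SecureRandom
    SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
    SSLParameters params = socket.getSSLParameters();
    params.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
    // Hostname verification is off by default on a raw SSLSocket; turn it on.
    params.setEndpointIdentificationAlgorithm("HTTPS");
    socket.setSSLParameters(params); // applies at the handshake, which has not started yet
    return socket;
  }
}
```

The literal passed to SSLContext.getInstance is what a query can match statically; the protocol array on SSLParameters or setEnabledProtocols is the other place to check, since a "TLS" context with "TLSv1" later enabled on the socket is just as weak.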

gagliardetto: Query to detect incorrect conversion between numeric types

CVE ID(s)

There's no CVE for this.

Report

This might become part of a wider-scoped article on Golang standard-library bugs.

[Java] CWE-918: Query for server side request forgery (SSRF) detection

CVE ID(s)

None

Report

If network requests are made using a java.net.URL constructed directly from a user-provided value, an attacker might be able to bypass security restrictions such as external firewalls and execute requests on internal services by providing URLs like http://127.0.0.1:8081/admin.

Related pull request:
github/codeql#3452

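
The following is an added example, not code from the issue or from the CodeQL repository: the java.net.URL sink described above beside a validation step for the two situations a practitioner meets, a fixed set of allowed hosts and user-registered URLs where no allowlist is possible. The allowed host names and the inputs in main() are constructed.

```java
// Added example, not from the issue or the CodeQL repo. Host names and inputs are constructed.
import java.net.InetAddress;
import java.net.URI;
import java.net.URL;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.Set;

public class SsrfGuard {

  // Assumption: the only remote hosts this service legitimately fetches from.
  private static final Set<String> ALLOWED_HOSTS = Set.of("api.example.com", "cdn.example.com");

  // VULNERABLE sink: the user string becomes the URL as-is; scheme, host and port are attacker-chosen.
  static URL unsafeTarget(String userUrl) throws Exception {
    return new URL(userUrl);
  }

  // Parse with java.net.URI (stricter than URL), then check scheme, authority, host and
  // port against the allowlist before a URL is handed to any HTTP client.
  static URL validatedTarget(String userUrl) throws Exception {
    URI uri = new URI(userUrl).normalize();
    if (!"https".equalsIgnoreCase(uri.getScheme())) {
      throw new IllegalArgumentException("scheme not allowed");
    }
    String host = uri.getHost();
    if (host == null || uri.getUserInfo() != null) {
      // getHost() is null for opaque or malformed authorities; user-info such as
      // https://api.example.com@evil.example/ is a classic way to fool naive parsers.
      throw new IllegalArgumentException("bad authority");
    }
    if (!ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
      throw new IllegalArgumentException("host not allowed");
    }
    if (uri.getPort() != -1 && uri.getPort() != 443) {
      throw new IllegalArgumentException("port not allowed");
    }
    return uri.toURL();
  }

  // Fallback when no allowlist is possible (user-registered webhook URLs): resolve the host
  // and reject loopback, link-local (which covers 169.254.169.254 metadata endpoints),
  // RFC 1918, any-local and multicast addresses.
  static boolean resolvesToPublicAddress(String host) throws UnknownHostException {
    for (InetAddress addr : InetAddress.getAllByName(host)) {
      if (addr.isLoopbackAddress() || addr.isLinkLocalAddress() || addr.isSiteLocalAddress()
          || addr.isAnyLocalAddress() || addr.isMulticastAddress()) {
        return false;
      }
    }
    return true;
  }

  public static void main(String[] args) throws Exception {
    System.out.println(validatedTarget("https://api.example.com/v1/users").getHost()); // api.example.com
    String[] rejected = {
        "http://127.0.0.1:8081/admin",           // scheme not allowed
        "https://api.example.com@evil.example/", // bad authority
        "https://evil.example/",                 // host not allowed
        "file:///etc/passwd"                     // scheme not allowed
    };
    for (String bad : rejected) {
      try {
        validatedTarget(bad);
      } catch (IllegalArgumentException e) {
        System.out.println(bad + " -> " + e.getMessage());
      }
    }
    // IP literals are classified without a DNS round trip.
    System.out.println(resolvesToPublicAddress("127.0.0.1"));       // false
    System.out.println(resolvesToPublicAddress("169.254.169.254")); // false
  }
}
```

Three caveats on the fallback: isSiteLocalAddress covers the IPv4 private ranges but not IPv6 unique-local (fc00::/7), carrier-grade NAT (100.64.0.0/10) or IPv4-mapped IPv6 forms, so extend the check for those; a DNS name can resolve differently on the second lookup (rebinding), so the fetch must connect to the address that was checked rather than re-resolving; and HTTP clients follow redirects to unchecked URLs by default, so disable automatic redirects or re-validate each hop.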

CodeQL query for finding LDAP Injection (CWE-90) vulnerabilities in Java

CVE ID(s)

There's no CVE for this.

Report

I created a query to detect LDAP Injection vulnerabilities in Java (CWE-90). Plain JNDI, UnboundID, Spring LDAP and Apache LDAP API are covered.

The details including the complete list of covered APIs and classes (with examples) are present in PR: github/codeql#2651

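
The following is an added example, not code from the issue or from the CodeQL repository: a filter built by concatenation, the RFC 4515 escaping that makes the value literal, and the parameterised JNDI search that avoids building filter text at all. The attribute names, base DN and the probe input are constructed; main() does not connect to a directory.

```java
// Added example, not from the issue or the CodeQL repo. Names and inputs are constructed.
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapFilterDemo {

  // VULNERABLE: the username is spliced into the filter text, so filter metacharacters
  // in it (*, (, ), \) change what the search matches.
  static String filterUnsafe(String username) {
    return "(&(objectClass=person)(uid=" + username + "))";
  }

  // RFC 4515 escaping for a value that must appear inside a filter as literal text.
  static String escapeFilterValue(String value) {
    StringBuilder sb = new StringBuilder(value.length());
    for (char c : value.toCharArray()) {
      switch (c) {
        case '\\': sb.append("\\5c"); break;
        case '*':  sb.append("\\2a"); break;
        case '(':  sb.append("\\28"); break;
        case ')':  sb.append("\\29"); break;
        case '\0': sb.append("\\00"); break;
        default:   sb.append(c);
      }
    }
    return sb.toString();
  }

  static String filterEscaped(String username) {
    return "(&(objectClass=person)(uid=" + escapeFilterValue(username) + "))";
  }

  // Preferred with plain JNDI: keep the filter a fixed template and pass the value through
  // filterArgs. The JDK's LDAP provider escapes the substituted argument itself, so the
  // value cannot alter the filter structure. Spring LDAP's EqualsFilter / LdapQueryBuilder
  // and UnboundID's Filter.createEqualityFilter(...) play the same role.
  static NamingEnumeration<SearchResult> findUser(DirContext ctx, String baseDn, String username)
      throws NamingException {
    SearchControls controls = new SearchControls();
    controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
    controls.setReturningAttributes(new String[] {"uid", "cn", "mail"});
    return ctx.search(baseDn, "(&(objectClass=person)(uid={0}))", new Object[] {username}, controls);
  }

  // Connection setup; the URL is a parameter and main() never calls this.
  static DirContext connect(String ldapUrl) throws NamingException {
    Hashtable<String, String> env = new Hashtable<>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, ldapUrl);
    return new InitialDirContext(env);
  }

  public static void main(String[] args) {
    String probe = "*"; // constructed input: a bare wildcard
    System.out.println(filterUnsafe(probe));  // (&(objectClass=person)(uid=*))   matches every person
    System.out.println(filterEscaped(probe)); // (&(objectClass=person)(uid=\2a)) matches a literal '*'
  }
}
```

Escaping a value that goes into a distinguished name (for example the name argument of search or bind) follows RFC 4514 instead, with a different character set, so a single "LDAP escape" helper applied to both positions is a common source of incomplete fixes.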
