fix(doc): Rewording

Signed-off-by: Bruno Verachten <[email protected]>

alpha/engagements/2024/Jenkins/update-2024-11.md

@@ -162,83 +162,151 @@ The team is targeting plugins with 10k installations:
 11. Released the [validating-string-parameter plugin](https://github.com/jenkinsci/validating-string-parameter-plugin/releases/tag/249.v75d865a_a_d530)
 12. Released the [warnings-ng plugin](https://github.com/jenkinsci/warnings-ng-plugin/releases/tag/v11.11.0)
 
-
-# Report Date: Nov 26, 2024
-## Current Status
-some plugins generate html thanks to javascript, and use onclick. These haven't been found by the csp scanner yet
-jensec now knows about it, but they won't have time to fix for the time being. We'll have to fix it by ourselves
-Basil thinks it's pretty rare though. Maybe we'll also find onBlur, onChange.
-
- The delivery pipeline plugin may have some of these onClick generated within Javascript.
-The vmanager plugin too: https://github.com/jenkinsci/vmanager-plugin/blob/b90087f1c0ed84ce8fb056715a897b6fe69db3fb/src/main/webapp/js/vmanager_report.js#L12732  
-We should maybe prioritize Groovy generating Javascript instead of Javascript generating Javascript/HTML
-Basil found some in quite a few plugins, like Jira Software Cloud plugin
-emailext has some too!
-emailext_template too
-testng has a lot of this stuff
-test result aggregator
-nexus platform plugin too
-emailext and jira software cloud plugins should be our priority
-Basil will create the tickets for email extension template, nexus platforms, tests results, and so on.
- testng-plugin-plugin/src/main/resources/hudson/plugins/testng/results/ClassResult/reportDetail.groovy
- testng-plugin-plugin/src/main/resources/hudson/plugins/testng/results/PackageResult/reportDetail.groovy
- testng-plugin-plugin/src/main/resources/hudson/plugins/testng/TestNGTestResultBuildAction/reportDetail.groovy
- test-results-aggregator-plugin/src/main/resources/com/jenkins/testresultsaggregator/TestResultsAggregatorTestResultBuildAction/reportDetail.groovy
- nexus-platform-plugin/src/main/resources/org/sonatype/nexus/ci/nxrm/NexusPublisherWorkflowStep/config.groovy
-
-Basil fixed BlueOcean yesterday. Olivier Lamy should release it.
-
-csp plugin has been released
-It include a big change (see release notes).
-It has been hardened, so it should catch more CSP violations that were previously missed.
-
-
-### Progress Summary
-
-### In-Progress Tasks
-2. Shlomo works on [[JENKINS-74098] Remove inline JS script and legacy onClick handler](https://github.com/jenkinsci/plot-plugin/pull/147) for the plot plugin
-3. Shlomo works on [build-cards not updating automatically without page refresh](https://github.com/jenkinsci/build-pipeline-plugin/pull/158) for the build-pipeline plugin
-5. Shlomo works on [Fix jQuery target element for tooltip to work correctly in AbstractNameValueHeader/rowHeader.jelly](https://github.com/jenkinsci/build-pipeline-plugin/pull/156) for the build-pipeline plugin
-3. Shlomo works on [[JENKINS-74806] Extract inline script bpp.jelly BuildPipelineView/bpp.jelly](https://github.com/jenkinsci/build-pipeline-plugin/pull/150) for the build-pipeline plugin
-6. Yaroslav works on [[JENKINS-74892] Remove inline JavaScript handler in ExtEmailTemplateManagement/index.groovy](https://github.com/jenkinsci/emailext-template-plugin/pull/128) for the emailext-template plugin
-7. Yaroslav works on [[JENKINS-74090] Remove unused checkUrl in TagAction/tagForm.jelly](https://github.com/jenkinsci/p4-plugin/pull/219) for the p4 plugin
-8. Yaroslav works on [[JENKINS-74091] Remove unused JavaScript in ManualWorkspaceImpl/config.jelly](https://github.com/jenkinsci/p4-plugin/pull/218) for the p4 plugin
-9. Yaroslav works on [Match inline event handlers in JavaScript files](https://github.com/daniel-beck/csp-scanner/pull/18) for the CSP scanner
-10. Yaroslav works on [Make plugin CSP compliant](https://github.com/jfrog/jenkins-artifactory-plugin/pull/952) for the jenkins-artifactory plugin
-11. Yaroslav works on [[JENKINS-74897] Address CSP violations](https://github.com/jenkinsci/testng-plugin-plugin/pull/335) for the testng-plugin plugin
-12. Yaroslav works on [[JENKINS-74108] Extract inline JavaScript from ListGitBranchesParameterDefinition/index.jelly](https://github.com/jenkinsci/list-git-branches-parameter-plugin/pull/28) for the list-git-branches-parameter plugin
-13. Shlomo works on [[JENKINS-74435] Extract inline JS script and legacy onClick handlers in ElectricflowPipelinePublisher/config.jelly](https://github.com/jenkinsci/electricflow-plugin/pull/395) for the electricflow plugin
-14. Shlomo works on [[JENKINS-74434] Extract inline JS script and legacy onClick handlers in ElectricflowAssociateBuildToRelease/config.jelly](https://github.com/jenkinsci/electricflow-plugin/pull/394) for the electricflow plugin
-15. Shlomo works on [[JENKINS-74433] Extract inline JS script and legacy onClick handlers in ElectricflowDeployApplication/config.jelly](https://github.com/jenkinsci/electricflow-plugin/pull/393) for the electricflow plugin
-16. Shlomo works on [[JENKINS-74432] Extract the inline JS and legacy onClick handlers in ElectricFlowTriggerRelease/config.jelly](https://github.com/jenkinsci/electricflow-plugin/pull/392) for the electricflow plugin
-17. Shlomo works on [[JENKINS-74431] Extract inline JS in ElectricFlowRunProcedure/config.jelly](https://github.com/jenkinsci/electricflow-plugin/pull/391) for the electricflow plugin
-18. Shlomo works on [[JENKINS-74083] Extract inline JS scripts in WorkflowPipelineView Fullscreen mode](https://github.com/jenkinsci/delivery-pipeline-plugin/pull/38) for the delivery-pipeline plugin
-19. Shlomo works on [[JENKINS-74085] Extract inline JS scripts in DeliveryPipelineView Fullscreen mode](https://github.com/jenkinsci/delivery-pipeline-plugin/pull/37) for the delivery-pipeline plugin
-20. Shlomo works on [Remove framework.prototype.prototype adjunct - Throws file not found error](https://github.com/jenkinsci/delivery-pipeline-plugin/pull/36) for the delivery-pipeline plugin
-
-### Completed Tasks
-1. Yaroslav has worked on [[JENKINS-74850] Remove unused inline Javascript handler](https://github.com/jenkinsci/global-build-stats-plugin/pull/84  for the global-build-stats plugin
-2. Yaroslav has worked on [[JENKINS-74741] Migrate from FromApply#applyResponse in ScriptlerBuilder.java](https://github.com/jenkinsci/scriptler-plugin/pull/126) for the scriptler plugin
-3. Yaroslav has worked on [[JENKINS-74026][JENKINS-74027] Improve CSP compatibility](https://github.com/jenkinsci/active-choices-plugin/pull/380) for the active choices plugin
-4. Yaroslav has worked on [[JENKINS-74025] Extract inline JavaScript from checkboxContent.jelly](https://github.com/jenkinsci/active-choices-plugin/pull/374) for the active choices plugin
-5. Yaroslav has worked on [[JENKINS-74029] Extract inline JavaScript from radioContent.jelly](https://github.com/jenkinsci/active-choices-plugin/pull/373) for the active choices plugin
-6. Yaroslav has worked on [[JENKINS-74871] Fix the broken jelly view](https://github.com/jenkinsci/validating-string-parameter-plugin/pull/147) for the validating-string-parameter plugin
-7. Yaroslav has worked on [[JENKINS-74081] Migrate legacy checkUrl in /ValidatingStringParameterDefinition/index.jelly](https://github.com/jenkinsci/validating-string-parameter-plugin/pull/146) for the validating-string-parameter plugin
-8. Yaroslav has worked on [[JENKINS-74072] Extract inline JavaScript from DependencyCheck/ResultAction/index.jelly](https://github.com/jenkinsci/dependency-check-plugin/pull/155) for the jenkinsci/dependency-check plugin
-9. Yaroslav has worked on [[JENKINS-74100] Extract inline JavaScript from GitlabLogoProperty/global.jelly](https://github.com/jenkinsci/gitlab-logo-plugin/pull/80) for the gitlab-logo plugin
-10. Yaroslav has worked on [[JENKINS-74890] Extract inline JavaScript from LogParserWriter.java](https://github.com/jenkinsci/log-parser-plugin/pull/135) for the log-parser plugin
-11. Yaroslav has worked on [[JENKINS-74893] Extract inline JavaScript event handlers](https://github.com/jenkinsci/build-failure-analyzer-plugin/pull/184) for the build-failure-analyzer plugin
-12. Shlomo has worked on [[JENKINS-74095] [JENKINS-74096] [JENKINS-74097] [JENKINS-74099] Remove legacy checkUrl handlers](https://github.com/jenkinsci/plot-plugin/pull/146) for the plot plugin
-13. Shlomo has worked on [[JENKINS-74103] ]Remove inline JS script and onClick handler in CatProjectViewRow.jelly](https://github.com/jenkinsci/categorized-view-plugin/pull/75) for the categorized-view plugin
-14. Shlomo has worked on [[JENKINS-74102] Remove inline JS script in catProjectView.jelly](https://github.com/jenkinsci/categorized-view-plugin/pull/74) for the categorized-view plugin
-
-### Released Plugins
-1. Released the [global-build-stats-plugin](https://github.com/jenkinsci/global-build-stats-plugin/releases/tag/316.vf8870f424d78)
-2. Released the [emailext-template-plugin](https://github.com/jenkinsci/emailext-template-plugin/releases/tag/219.v14fff547f78d)
-3. Released the [scriptler-plugin](https://github.com/jenkinsci/scriptler-plugin/releases/tag/385.vd01d180290b_c)
-4. Released the [validating-string-parameter-plugin](https://github.com/jenkinsci/validating-string-parameter-plugin/releases/tag/251.vc34e592b_8a_4d)
-5. Released the [gitlab-logo-plugin](https://github.com/jenkinsci/gitlab-logo-plugin/releases/tag/130.v9d2696eb_8dc6)
-6. Released the [log-parser-plugin](https://github.com/jenkinsci/log-parser-plugin/releases/tag/v2.3.6)
-7. Released the [plot-plugin](https://github.com/jenkinsci/plot-plugin/releases/tag/plot-2.2.0)
-8. Released the [categorized-view-plugin](https://github.com/jenkinsci/categorized-view-plugin/releases/tag/164.v1c1b_dd4cdb_62)
-
+# November 26, 2024 - Jenkins CSP Project Update
+
+## Ongoing Challenges
+Some key observations from our recent security review:
+- Many plugins still generate HTML via JavaScript using `onclick` events
+- These haven't been detected by the CSP scanner yet
+- Jensec acknowledges the issue but lacks immediate resources to address it
+- Basil notes these are relatively rare cases
+
+### Plugins of Concern
+- Delivery Pipeline Plugin: Potential inline JavaScript generation
+- VManager Plugin: Specific JavaScript concerns in https://github.com/jenkinsci/vmanager-plugin/blob/b90087f1c0ed84ce8fb056715a897b6fe69db3fb/src/main/webapp/js/vmanager_report.js#L12732
+- Jira Software Cloud Plugin
+- Email Extension Plugin
+- TestNG Plugin
+- Test Results Aggregator
+- Nexus Platform Plugin
+
+Priority files identified:
+- `testng-plugin-plugin/src/main/resources/hudson/plugins/testng/results/ClassResult/reportDetail.groovy`
+- `testng-plugin-plugin/src/main/resources/hudson/plugins/testng/results/PackageResult/reportDetail.groovy`
+- `testng-plugin-plugin/src/main/resources/hudson/plugins/testng/TestNGTestResultBuildAction/reportDetail.groovy`
+- `test-results-aggregator-plugin/src/main/resources/com/jenkins/testresultsaggregator/TestResultsAggregatorTestResultBuildAction/reportDetail.groovy`
+- `nexus-platform-plugin/src/main/resources/org/sonatype/nexus/ci/nxrm/NexusPublisherWorkflowStep/config.groovy`
+
+Additional Context:
+- Basil fixed BlueOcean yesterday
+- Olivier Lamy is expected to release it
+- CSP plugin has been released with significant changes
+
+## Plugin Modernization Updates
+
+### Active Choices Plugin (Yaroslav)
+- Improved CSP compatibility (https://github.com/jenkinsci/active-choices-plugin/pull/380)
+- Extracted inline JavaScript:
+ - From `checkboxContent.jelly` (https://github.com/jenkinsci/active-choices-plugin/pull/374)
+ - From `radioContent.jelly` (https://github.com/jenkinsci/active-choices-plugin/pull/373)
+
+### Artifactory Plugin (Yaroslav)
+- Working on making the plugin CSP compliant (https://github.com/jfrog/jenkins-artifactory-plugin/pull/952)
+
+### Build Failure Analyzer Plugin (Yaroslav)
+- Extracted inline JavaScript event handlers (https://github.com/jenkinsci/build-failure-analyzer-plugin/pull/184)
+
+### Build Pipeline Plugin (Shlomo)
+- Ongoing work on multiple pull requests:
+ - Addressing build cards not updating automatically (https://github.com/jenkinsci/build-pipeline-plugin/pull/158)
+ - Fixing jQuery tooltip targeting (https://github.com/jenkinsci/build-pipeline-plugin/pull/156)
+ - Extracting inline scripts from various Jelly files (multiple PRs)
+
+### Categorized View Plugin (Shlomo)
+- Removed inline JavaScript scripts
+ - Removed inline JS script in `CatProjectViewRow.jelly` (https://github.com/jenkinsci/categorized-view-plugin/pull/75)
+ - Removed inline JS script in `catProjectView.jelly` (https://github.com/jenkinsci/categorized-view-plugin/pull/74)
+
+### Delivery Pipeline Plugin (Shlomo)
+- Extracting inline JavaScript scripts in Fullscreen mode
+ - Work on Workflow Pipeline View (https://github.com/jenkinsci/delivery-pipeline-plugin/pull/38)
+ - Work on Delivery Pipeline View (https://github.com/jenkinsci/delivery-pipeline-plugin/pull/37)
+- Removing framework prototype adjuncts (https://github.com/jenkinsci/delivery-pipeline-plugin/pull/36)
+
+### Dependency Check Plugin (Yaroslav)
+- Extracted inline JavaScript from `DependencyCheck/ResultAction/index.jelly` (https://github.com/jenkinsci/dependency-check-plugin/pull/155)
+
+### ElectricFlow Plugin (Shlomo)
+- Extracting inline JavaScript and legacy onClick handlers from configuration files:
+ - In `ElectricflowPipelinePublisher/config.jelly` (https://github.com/jenkinsci/electricflow-plugin/pull/395)
+ - In `ElectricflowAssociateBuildToRelease/config.jelly` (https://github.com/jenkinsci/electricflow-plugin/pull/394)
+ - In `ElectricflowDeployApplication/config.jelly` (https://github.com/jenkinsci/electricflow-plugin/pull/393)
+ - In `ElectricFlowTriggerRelease/config.jelly` (https://github.com/jenkinsci/electricflow-plugin/pull/392)
+ - In `ElectricFlowRunProcedure/config.jelly` (https://github.com/jenkinsci/electricflow-plugin/pull/391)
+
+### Email Extension Template Plugin (Yaroslav)
+- Removing inline JavaScript handlers (https://github.com/jenkinsci/emailext-template-plugin/pull/128)
+
+### GitLab Logo Plugin (Yaroslav)
+- Extracted inline JavaScript from `GitlabLogoProperty/global.jelly` (https://github.com/jenkinsci/gitlab-logo-plugin/pull/80)
+
+### Global Build Stats Plugin (Yaroslav)
+- Removed unused inline JavaScript handler (https://github.com/jenkinsci/global-build-stats-plugin/pull/84)
+
+### List Git Branches Parameter Plugin (Yaroslav)
+- Extracted inline JavaScript from `ListGitBranchesParameterDefinition/index.jelly` (https://github.com/jenkinsci/list-git-branches-parameter-plugin/pull/28)
+
+### Log Parser Plugin (Yaroslav)
+- Extracted inline JavaScript from `LogParserWriter.java` (https://github.com/jenkinsci/log-parser-plugin/pull/135)
+
+### P4 Plugin (Yaroslav)
+- Removed unused checkUrl (https://github.com/jenkinsci/p4-plugin/pull/219)
+- Removed unused JavaScript in `ManualWorkspaceImpl/config.jelly` (https://github.com/jenkinsci/p4-plugin/pull/218)
+
+### Plot Plugin (Shlomo)
+- Removing inline JavaScript script and legacy onClick handlers (https://github.com/jenkinsci/plot-plugin/pull/147)
+- Removed legacy checkUrl handlers (https://github.com/jenkinsci/plot-plugin/pull/146)
+
+### Scriptler Plugin (Yaroslav)
+- Migrated from `FromApply#applyResponse` in `ScriptlerBuilder.java` (https://github.com/jenkinsci/scriptler-plugin/pull/126)
+
+### TestNG Plugin (Yaroslav)
+- Addressing CSP violations (https://github.com/jenkinsci/testng-plugin-plugin/pull/335)
+
+### Validating String Parameter Plugin (Yaroslav)
+- Fixed broken Jelly view (https://github.com/jenkinsci/validating-string-parameter-plugin/pull/147)
+- Migrated legacy checkUrl (https://github.com/jenkinsci/validating-string-parameter-plugin/pull/146)
+
+## Released Plugins
+1. Global Build Stats Plugin (https://github.com/jenkinsci/global-build-stats-plugin/releases/tag/316.vf8870f424d78)
+2. Email Extension Template Plugin (https://github.com/jenkinsci/emailext-template-plugin/releases/tag/219.v14fff547f78d)
+3. Scriptler Plugin (https://github.com/jenkinsci/scriptler-plugin/releases/tag/385.vd01d180290b_c)
+4. Validating String Parameter Plugin (https://github.com/jenkinsci/validating-string-parameter-plugin/releases/tag/251.vc34e592b_8a_4d)
+5. GitLab Logo Plugin (https://github.com/jenkinsci/gitlab-logo-plugin/releases/tag/130.v9d2696eb_8dc6)
+6. Log Parser Plugin (https://github.com/jenkinsci/log-parser-plugin/releases/tag/v2.3.6)
+7. Plot Plugin (https://github.com/jenkinsci/plot-plugin/releases/tag/plot-2.2.0)
+8. Categorized View Plugin (https://github.com/jenkinsci/categorized-view-plugin/releases/tag/164.v1c1b_dd4cdb_62)
+
+## Key Highlights
+- Continued progress in modernizing Jenkins plugins
+- Systematic removal of legacy JavaScript and inline event handlers
+- Enhanced Content Security Policy (CSP) compatibility
+- Proactive identification and resolution of potential security vulnerabilities
+
+## Next Steps
+- Continue plugin modernization efforts
+- Prioritize plugins with known CSP challenges
+- Expand CSP scanner capabilities
+- Collaborate with plugin maintainers to implement best practices
+
+## Conclusion: Momentum and Progress in November
+
+November has been a remarkable month of systematic security improvements for the Jenkins ecosystem.
+The team's focused efforts on Content Security Policy (CSP)
+compatibility and plugin modernization have yielded significant results,
+with 20 plugins released and many critical updates completed.
+
+The team's strategic approach—focusing on plugins with varying installation bases from 40k to as low as 10k installations—demonstrates a comprehensive commitment to security across the Jenkins plugin landscape.
+Notable achievements include modernizing plugins like Build Pipeline, HTML Publisher, Active Choices, and addressing CSP compatibility in critical areas.
+
+Of particular interest is the team's proactive identification of JavaScript-generated HTML and inline event handlers in various plugins.
+By prioritizing plugins like Email Extension and Jira Software Cloud,
+the team is systematically addressing potential security vulnerabilities that could have gone unnoticed.
+
+As we approach the final month of this project in December,
+the groundwork laid in November positions us strongly to complete our security enhancement mission.
+The collaborative efforts of team members Shlomo and Yaroslav,
+who have been meticulously working on extracting inline scripts and improving plugin compatibility,
+exemplify the dedication driving these improvements.
+
+The momentum is clear: Jenkins is becoming more secure, one plugin at a time.