block all SSH connections for VCS, for usability and security
If we allow SSH, then we'd have to manage known_hosts.
All VCS and submodule URLs should use HTTPS. SSH URLs have security vulns:
- https://blogs.msdn.microsoft.com/devops/2017/08/15/git-vulnerability-with-submodules/
- https://www.theregister.co.uk/2017/08/13/ssh_flaw_in_git_mercurial_svn/
- CVE-2017-1000117
I did a manual scan of the setup on jenkins.debian.net to see if I could find any suspicious URLs. Looks good so far. This is what I used:
$ find . -type f -print0 |xargs -0 grep -Eo 'ssh[:+][svn/]+...................'
$ find . -type f -print0 |xargs -0 grep -Eo 'ssh://-[^ "]+'
Edited by Hans-Christoph Steiner
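
The HTTPS-only rule described above, written as a check that can be run over submodule URLs. This is an added example, not code from the original post or from the project. The function names, the reason strings and the sample `.gitmodules` content are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# "url = ..." lines as they appear in a .gitmodules file
URL_LINE = re.compile(r'^\s*url\s*=\s*(\S+)', re.MULTILINE)

def check_vcs_url(url):
    """Return None if url passes an HTTPS-only policy, else the reason it fails."""
    url = url.strip()
    if url.startswith('-'):
        return 'starts with "-" and could be read as a command-line option'
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return 'unparseable URL'
    scheme = parts.scheme.lower()
    if 'ssh' in scheme.split('+'):       # ssh, git+ssh, svn+ssh, ...
        return 'SSH transport'
    if scheme != 'https':                # also rejects scp-like user@host:path
        return 'not an https:// URL'
    if not host or host.startswith('-'):
        return 'missing or option-like host'
    return None

def scan_gitmodules(text):
    """Return (url, reason) for every submodule URL that fails the policy."""
    findings = []
    for url in URL_LINE.findall(text):
        reason = check_vcs_url(url)
        if reason:
            findings.append((url, reason))
    return findings

# Constructed sample input, not taken from any real repository.
SAMPLE = """[submodule "ok"]
    path = ok
    url = https://example.org/ok.git
[submodule "a"]
    path = a
    url = git@example.org:a.git
[submodule "b"]
    path = b
    url = ssh://-placeholder/b
[submodule "c"]
    path = c
    url = svn+ssh://example.org/c
"""

if __name__ == '__main__':
    for url, reason in scan_gitmodules(SAMPLE):
        print(f'REJECT {url}: {reason}')
```

Unlike the grep patterns, this also rejects scp-like `user@host:path` URLs, which use SSH without containing the string `ssh`.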