
[JENKINS-32277] OWASP Dependency-Check Plugin's html-report is unusable

    • Type: Bug
    • Resolution: Not A Defect
    • Priority: Minor
    • Environment: Jenkins 1.643, Windows, OWASP plugin 1.3.3

      Now, as generating the html report has been fixed, I can load the report in the browser, but it does not render well, nor do the "suppress" buttons work. When I look at the console of the browser, there are plenty of error messages related to security issues (Chrome & Firefox).
      In IE, it seems to be somewhat better (no error message in the console), but even there the "suppress" buttons do not work at all.


          Daniel Beck added a comment -

          Caused by: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-12-09
          Please see the documentation: https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy

          Daniel Beck added a comment -

          Reopening, as there may be something the plugin can do about this. Likely not though.

          Markus Schlegel added a comment -

          Thanks for the hint. Didn't realize that this is caused by new security flags of the Jenkins server. When I first download the html report and then open it from the local disk, it works.
          I have read https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy now and understand that you made fundamental changes to how Jenkins delivers files from the build result or from the workspace. As you've written, this makes much functionality unusable.
          I would have expected that such a fundamental change should be reflected in the security settings page of Jenkins (that's where I first looked for a setting before I filed the bug report).
          I am pretty sure that there are MANY Jenkins installations which are solely accessible by the dev team members (and maybe other trusted users), where the CSP rule makes no sense at all.
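The report works when opened from local disk but not when served by Jenkins because only the served copy carries the Content-Security-Policy header. As an added example (not part of this issue thread, the plugin or Jenkins core), the following Python checks an HTML report against a CSP header and lists which of its features the policy would block; the default header value is the one given in the linked Jenkins documentation (it is not quoted on this page), and the report fragment is constructed to resemble a plugin-generated report.

```python
import re

# Jenkins' default Content-Security-Policy for files served from the workspace or
# build archive, per the linked Jenkins documentation (not quoted on this page).
JENKINS_DEFAULT_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    parts = (p.split() for p in header.split(";"))
    return {t[0].lower(): t[1:] for t in parts if t}

def sources(policy, directive):
    # Effective source list for a fetch directive, falling back to default-src.
    return policy.get(directive, policy.get("default-src", ["*"]))

def url_allowed(srcs, url):
    """Approximate matching: 'self' covers relative URLs, '*' or a listed host absolute ones."""
    if "'none'" in srcs:
        return False
    if "://" not in url:
        return "'self'" in srcs
    host = url.split("/")[2]
    return "*" in srcs or any(s.split("://")[-1].rstrip("/") == host for s in srcs)

def csp_problems(html, header=JENKINS_DEFAULT_CSP):
    """List the reasons an HTML report would render or behave badly under the policy."""
    policy, problems = parse_csp(header), []
    script_src, style_src = sources(policy, "script-src"), sources(policy, "style-src")
    if "sandbox" in policy and "allow-scripts" not in policy["sandbox"]:
        problems.append("sandbox without allow-scripts: all JavaScript disabled")
    if "'unsafe-inline'" not in script_src:
        if re.search(r"<script\b(?![^>]*\bsrc=)[^>]*>", html, re.I):
            problems.append("inline <script> blocked by script-src %s" % script_src)
        if re.search(r"\son\w+\s*=", html, re.I):
            problems.append("inline event handler (on*=) blocked by script-src %s" % script_src)
    if "'unsafe-inline'" not in style_src and re.search(r"<style\b|\sstyle\s*=", html, re.I):
        problems.append("inline <style>/style= blocked by style-src %s" % style_src)
    for tag, attr, srcs in (("script", "src", script_src), ("link", "href", style_src)):
        for url in re.findall(r"<%s\b[^>]*\b%s=[\"']([^\"']+)" % (tag, attr), html, re.I):
            if not url_allowed(srcs, url):
                problems.append("external %s %s blocked by %s" % (tag, url, srcs))
    return problems

# Constructed report-like fragment (not the real report): inline CSS, inline script, onclick handler.
SAMPLE_REPORT = """<html><head><style>.vuln{color:red}</style>
<script>function suppress(id){document.getElementById(id).style.display='none';}</script>
</head><body><div id="v1" class="vuln">finding placeholder
<button onclick="suppress('v1')">suppress</button></div></body></html>"""

if __name__ == "__main__":
    for problem in csp_problems(SAMPLE_REPORT):
        print("-", problem)
```

Under the default header the sample yields four findings (sandbox, inline script, inline handler, inline style), which matches the symptoms reported here: broken rendering and non-functional "suppress" buttons.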

          Daniel Beck added a comment -

          I provided the rationale here: https://issues.jenkins-ci.org/browse/JENKINS-32026?focusedCommentId=244023&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-244023

          Having a UI for this may be a good idea. It doesn't look like we can get rid of this any time soon. Could you file an improvement for core?

          Markus Schlegel added a comment -

          Filed JENKINS-32296, thanks.

            Assignee: Unassigned
            Reporter: Markus Schlegel (schlegel_m)