
Administrative monitor for installed unsafe plugins

      (Given the nature of this feature I'd really like to have it in LTS ASAP, therefore marking this as Bug so it shows up on the candidates list)

      As announced on the developers mailing list, we will start releasing security advisories about unmaintained plugins with security vulnerabilities without a fix if necessary:
      https://groups.google.com/d/msg/jenkinsci-dev/NaAqqChOVmY/BvA_TuzjAQAJ

      These plugins need to be marked as 'unsafe' in Jenkins.

      • backend-update-center2 needs to be extended (perhaps as separate Downloadable?)
      • Core needs to be extended to
        • consume the new metadata
        • show warnings in appropriate places (admin monitor for installed plugins, plugin manager for updates and available/installed plugins)

          [JENKINS-40494] Administrative monitor for installed unsafe plugins

          Jesse Glick added a comment -

          I suppose you could create a separate Downloadable but I see no particular advantage to that. Would seem easier to add a new top-level section to update-center.json and thus to UpdateSite.Data. I would suggest something like:

          "pluginWarnings": [
            {
              "name": "do-anything-you-like",
              "message": "This plugin allows all users to do anything they like and so it is not safe to install."
            },
            {
              "name": "acme-builder",
              "version": "1.2",
              "message": "Versions 1.2 and older of this plugin are known to initiate meltdowns in the Acme reactor core. Please update to 1.3 or above right away."
            }
          ]
          

          Since I happen to know that you have access to a vendor plugin which provides customized update sites, I would encourage you to prototype delivering comparable metadata from that plugin, or work with someone who could do such a prototype.

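The matching an administrative monitor would do with metadata of the shape proposed above, as an added example (not code from Jenkins core or from the commenter). It assumes "version" names the newest affected release, that an entry without it covers every version, and uses a simplified numeric version comparison; all function names and the sample data are hypothetical.

```python
import json
import re

# Constructed sample in the shape proposed above; the last entry is
# deliberately malformed (it has no "message").
UPDATE_CENTER_JSON = """
{"pluginWarnings": [
  {"name": "do-anything-you-like",
   "message": "This plugin allows all users to do anything they like."},
  {"name": "acme-builder", "version": "1.2",
   "message": "Versions 1.2 and older are unsafe. Update to 1.3 or above."},
  {"name": "broken-entry", "version": "9.9"}
]}
"""

def parse_version(version):
    """Dotted numeric version -> tuple, trailing zeros dropped; else None."""
    if not isinstance(version, str) or not re.fullmatch(r"\d+(\.\d+)*", version):
        return None
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def load_warnings(text):
    """Keep only entries that carry a string name and a string message."""
    entries = json.loads(text).get("pluginWarnings", [])
    return [e for e in entries
            if isinstance(e, dict)
            and isinstance(e.get("name"), str)
            and isinstance(e.get("message"), str)]

def applicable_warnings(installed, warnings):
    """installed maps plugin name -> version; returns (name, version, message)."""
    hits = []
    for w in warnings:
        if w["name"] not in installed:
            continue
        current = installed[w["name"]]
        if "version" in w:
            have, bound = parse_version(current), parse_version(w["version"])
            # Assumed semantics: "version" is the newest affected release.
            # Fail closed: warn unless both parse and installed is newer.
            if have is not None and bound is not None and have > bound:
                continue
        hits.append((w["name"], current, w["message"]))
    return hits
```

Comparing versions numerically matters here: as plain strings "1.10" sorts before "1.2", which would flag a fixed release as affected, while an unparseable version such as a snapshot build is reported rather than silently passed.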

          Daniel Beck added a comment -

          Using UpdateSite this way would introduce weirdness related to multiple update sites. Not sure I'm a fan of that. Investigating…


          Daniel Beck added a comment -

          Work in progress PR: https://github.com/jenkinsci/jenkins/pull/2680

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Daniel Beck
          Path:
          core/src/main/java/hudson/model/UpdateSite.java
          core/src/main/java/jenkins/security/UpdateSiteWarningsConfiguration.java
          core/src/main/java/jenkins/security/UpdateSiteWarningsMonitor.java
          core/src/main/resources/hudson/PluginManager/table.jelly
          core/src/main/resources/hudson/PluginManager/table.properties
          core/src/main/resources/jenkins/security/Messages.properties
          core/src/main/resources/jenkins/security/UpdateSiteWarningsConfiguration/config.groovy
          core/src/main/resources/jenkins/security/UpdateSiteWarningsConfiguration/config.properties
          core/src/main/resources/jenkins/security/UpdateSiteWarningsConfiguration/help.html
          core/src/main/resources/jenkins/security/UpdateSiteWarningsConfiguration/style.css
          core/src/main/resources/jenkins/security/UpdateSiteWarningsMonitor/message.groovy
          core/src/main/resources/jenkins/security/UpdateSiteWarningsMonitor/message.properties
          test/src/test/java/hudson/model/UpdateSiteTest.java
          test/src/test/resources/plugins/warnings-update-center-malformed.json
          war/src/main/webapp/css/style.css
          http://jenkins-ci.org/commit/jenkins/c252a764024a94f018fe34dc58702885a48fff8f
          Log:
          JENKINS-40494 Process warnings from update sites (#2680)

          • [FIX JENKINS-40494] Process warnings from update sites
          • JENKINS-40494 Address review comments
          • JENKINS-40494 Add warnings to available/update plugin manager tabs
          • JENKINS-40494 Add tests
          • JENKINS-40494 Address review feedback

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Daniel Beck
          Path:
          core/src/main/java/hudson/model/UpdateSite.java
          core/src/main/java/jenkins/security/UpdateSiteWarningsConfiguration.java
          core/src/main/java/jenkins/security/UpdateSiteWarningsMonitor.java
          core/src/main/resources/hudson/PluginManager/table.jelly
          core/src/main/resources/hudson/PluginManager/table.properties
          core/src/main/resources/jenkins/security/Messages.properties
          core/src/main/resources/jenkins/security/UpdateSiteWarningsConfiguration/config.groovy
          core/src/main/resources/jenkins/security/UpdateSiteWarningsConfiguration/config.properties
          core/src/main/resources/jenkins/security/UpdateSiteWarningsConfiguration/help.html
          core/src/main/resources/jenkins/security/UpdateSiteWarningsConfiguration/style.css
          core/src/main/resources/jenkins/security/UpdateSiteWarningsMonitor/message.groovy
          core/src/main/resources/jenkins/security/UpdateSiteWarningsMonitor/message.properties
          test/src/test/java/hudson/model/UpdateSiteTest.java
          test/src/test/resources/plugins/warnings-update-center-malformed.json
          war/src/main/webapp/css/style.css
          http://jenkins-ci.org/commit/jenkins/7831263d4c6820c69129b98b6f8fe2aa32c4c872
          Log:
          JENKINS-40494 Process warnings from update sites (#2680)

          • [FIX JENKINS-40494] Process warnings from update sites
          • JENKINS-40494 Address review comments
          • JENKINS-40494 Add warnings to available/update plugin manager tabs
          • JENKINS-40494 Add tests
          • JENKINS-40494 Address review feedback

            danielbeck Daniel Beck