
Administrative monitor for installed unsafe plugins

      (Given the nature of this feature I'd really like to have it in LTS ASAP, therefore marking this as Bug so it shows up on the candidates list)

      As announced on the developers mailing list, we will start releasing security advisories about unmaintained plugins with security vulnerabilities without a fix if necessary:
      https://groups.google.com/d/msg/jenkinsci-dev/NaAqqChOVmY/BvA_TuzjAQAJ

      These plugins need to be marked as 'unsafe' in Jenkins.

      • backend-update-center2 needs to be extended (perhaps as separate Downloadable?)
      • Core needs to be extended to
        • consume the new metadata
        • show warnings in appropriate places (admin monitor for installed plugins, plugin manager for updates and available/installed plugins)


          Daniel Beck created issue -

          Jesse Glick added a comment -

          I suppose you could create a separate Downloadable but I see no particular advantage to that. Would seem easier to add a new top-level section to update-center.json and thus to UpdateSite.Data. I would suggest something like:

          "pluginWarnings": [
            {
              "name": "do-anything-you-like",
              "message": "This plugin allows all users to do anything they like and so it is not safe to install."
            },
            {
              "name": "acme-builder",
              "version": "1.2",
              "message": "Versions 1.2 and older of this plugin are known to initiate meltdowns in the Acme reactor core. Please update to 1.3 or above right away."
            }
          ]

          Since I happen to know that you have access to a vendor plugin which provides customized update sites, I would encourage you to prototype delivering comparable metadata from that plugin, or work with someone who could do such a prototype.
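To make the proposed section concrete, the following is an added example (not code from Jenkins core, backend-update-center2, or the pull request) that models how a core-side check could consume `pluginWarnings`: it merges the section from more than one update-site document, compares an installed plugin's version against an entry's `"version"` bound, and returns the warnings an admin monitor would display. It assumes the shape sketched in the comment above, that an entry's `"version"` means "this version and older are affected", and uses a simplified dotted-version comparison in place of Jenkins' own version class; the site documents and installed-plugin inventory are constructed for the example.

```python
"""Toy model of the proposed "pluginWarnings" update-center section.

Added illustration, not code from Jenkins core or backend-update-center2.
Assumptions: the section has the shape sketched in the comment above, and
an entry's "version" means "this version and older are affected".
"""
import json
from typing import Dict, Iterable, List, Tuple

# Constructed sample of two update sites, each carrying the proposed section.
# "acme-builder" appears in both so the merge step below can deduplicate it.
DEFAULT_SITE = json.dumps({
    "pluginWarnings": [
        {"name": "do-anything-you-like",
         "message": "This plugin allows all users to do anything they like "
                    "and so it is not safe to install."},
        {"name": "acme-builder", "version": "1.2",
         "message": "Versions 1.2 and older of this plugin are known to "
                    "initiate meltdowns in the Acme reactor core. "
                    "Please update to 1.3 or above right away."},
    ]
})
VENDOR_SITE = json.dumps({
    "pluginWarnings": [
        {"name": "acme-builder", "version": "1.2",
         "message": "Versions 1.2 and older of this plugin are known to "
                    "initiate meltdowns in the Acme reactor core. "
                    "Please update to 1.3 or above right away."},
    ]
})


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into an integer tuple so that 1.10 > 1.2.

    Simplified stand-in for Jenkins' own version comparison (assumption);
    a non-numeric suffix such as "-beta" is dropped from its component.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def load_warnings(*site_documents: str) -> List[Dict[str, str]]:
    """Collect pluginWarnings from one or more update-site documents.

    Entries identical across sites are kept once; a site without the
    section contributes nothing (an older update centre will lack it).
    """
    seen = set()
    merged = []
    for doc in site_documents:
        for entry in json.loads(doc).get("pluginWarnings", []):
            key = (entry["name"], entry.get("version"), entry["message"])
            if key not in seen:
                seen.add(key)
                merged.append(entry)
    return merged


def warning_applies(entry: Dict[str, str], installed_version: str) -> bool:
    """No "version" bound means every version; otherwise installed <= bound."""
    bound = entry.get("version")
    if bound is None:
        return True
    return parse_version(installed_version) <= parse_version(bound)


def applicable_warnings(warnings: Iterable[Dict[str, str]],
                        installed: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (plugin, message) pairs for installed plugins that match.

    `installed` maps plugin short name to installed version; plugins that
    are not installed produce nothing, which is what an admin monitor
    for installed plugins should show.
    """
    hits = []
    for entry in warnings:
        version = installed.get(entry["name"])
        if version is not None and warning_applies(entry, version):
            hits.append((entry["name"], entry["message"]))
    return hits


if __name__ == "__main__":
    # Constructed inventory of installed plugins (short name -> version).
    installed = {"do-anything-you-like": "0.5",
                 "acme-builder": "1.2",
                 "git": "3.0.0"}
    merged = load_warnings(DEFAULT_SITE, VENDOR_SITE)
    for name, message in applicable_warnings(merged, installed):
        print(f"WARNING {name}: {message}")
```

The numeric tuple comparison matters for the `"version"` bound: a plain string comparison would wrongly flag `acme-builder 1.10` as older than `1.2`, while `1.2.1` correctly falls outside the "1.2 and older" range.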


          Daniel Beck added a comment -

          Using UpdateSite this way would introduce weirdness related to multiple update sites. Not sure I'm a fan of that. Investigating…


          Daniel Beck added a comment -

          Work in progress PR: https://github.com/jenkinsci/jenkins/pull/2680

          Daniel Beck made changes -
          Remote Link New: This issue links to "PR 2680 (Web Link)" [ 15162 ]
          Daniel Beck made changes -
          Link New: This issue is related to INFRA-1022 [ INFRA-1022 ]
          Daniel Beck made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          Daniel Beck made changes -
          Link New: This issue is related to WEBSITE-277 [ WEBSITE-277 ]
          Daniel Beck made changes -
          Rank New: Ranked higher
          Daniel Beck made changes -
          Rank New: Ranked higher
