
Jenkins 2.96 downgrades script-security plugin on core update

      Report from IRC:

      A user upgraded from 2.95 to 2.96 and Jenkins presented them with:

       There are dependency errors loading some plugins:
      
          Static Analysis Utilities v1.93
              Maven Integration plugin v3.0 failed to load. Fix this plugin first.
          Pipeline v2.5
              Pipeline: Input Step v2.8 failed to load. Fix this plugin first.
          Pipeline: Stage View Plugin v2.9
              Pipeline: REST API Plugin v2.9 failed to load. Fix this plugin first.
          Pipeline: Build Step v2.6
              Pipeline: Supporting APIs v2.16 failed to load. Fix this plugin first.
          Pipeline: Declarative v1.2.5
              Pipeline: Shared Groovy Libraries v2.9 failed to load. Fix this plugin first.
          GitHub Branch Source Plugin v2.3.1
              GitHub plugin v1.28.1 failed to load. Fix this plugin first.
          Extra Columns Plugin v1.18
              JUnit Plugin v1.23 failed to load. Fix this plugin first.
          Dashboard View v2.9.11
              Maven Integration plugin v3.0 failed to load. Fix this plugin first.
          Pipeline: GitHub Groovy Libraries v1.0
              Pipeline: Shared Groovy Libraries v2.9 failed to load. Fix this plugin first.
          Matrix Project Plugin v1.12
              JUnit Plugin v1.23 failed to load. Fix this plugin first.
          Pipeline: Multibranch v2.16
              Pipeline: Groovy v2.42 failed to load. Fix this plugin first.
          Docker Pipeline v1.14
              Pipeline: Groovy v2.42 failed to load. Fix this plugin first.
          Jenkins Git plugin v3.6.4
              Matrix Project Plugin v1.12 failed to load. Fix this plugin first.
          Maven Integration plugin v3.0
              JUnit Plugin v1.23 failed to load. Fix this plugin first.
          Static Analysis Collector Plug-in v1.52
              Matrix Project Plugin v1.12 failed to load. Fix this plugin first.
          Pipeline: Nodes and Processes v2.17
              Pipeline: Supporting APIs v2.16 failed to load. Fix this plugin first.
          Plot plugin v2.0.0
              JUnit Plugin v1.23 failed to load. Fix this plugin first.
          Slack Notification Plugin v2.3
              JUnit Plugin v1.23 failed to load. Fix this plugin first.
          Checkstyle Plug-in v3.49
              Static Analysis Utilities v1.93 failed to load. Fix this plugin first.
          Pipeline: Job v2.16
              Pipeline: Supporting APIs v2.16 failed to load. Fix this plugin first.
          Groovy Postbuild v2.3.1
              Matrix Project Plugin v1.12 failed to load. Fix this plugin first.
          Pipeline: Declarative Extension Points API v1.2.5
              Pipeline: Groovy v2.42 failed to load. Fix this plugin first.
          JUnit Plugin v1.23
              Script Security Plugin v1.18.1 is older than required. To fix, install v1.30 or later.
          GitHub plugin v1.28.1
              Jenkins Git plugin v3.6.4 failed to load. Fix this plugin first.
          Jenkins TAP Plugin v2.1
              Matrix Project Plugin v1.12 failed to load. Fix this plugin first.
          Pipeline Graph Analysis Plugin v1.5
              Pipeline: Groovy v2.42 failed to load. Fix this plugin first.
          Jenkins SLOCCount Plug-in v1.22
              Pipeline: Groovy v2.42 failed to load. Fix this plugin first.
          Jenkins Violations plugin v0.7.11
              Maven Integration plugin v3.0 failed to load. Fix this plugin first.
          Pipeline: Shared Groovy Libraries v2.9
              Pipeline: Groovy v2.42 failed to load. Fix this plugin first.
          Pipeline: Groovy v2.42
              Pipeline: Supporting APIs v2.16 failed to load. Fix this plugin first.
          Pipeline: Supporting APIs v2.16
              Script Security Plugin v1.18.1 is older than required. To fix, install v1.27 or later.
          HTML Publisher plugin v1.14
              Matrix Project Plugin v1.12 failed to load. Fix this plugin first.
          GitHub Organization Folder Plugin v1.6
              Pipeline: Multibranch v2.16 failed to load. Fix this plugin first.
          Jenkins Clover PHP plugin v0.5
              Matrix Project Plugin v1.12 failed to load. Fix this plugin first.
          Pipeline: REST API Plugin v2.9
              Pipeline: Job v2.16 failed to load. Fix this plugin first.
          Jenkins Workspace Cleanup Plugin v0.34
              Pipeline: Nodes and Processes v2.17 failed to load. Fix this plugin first.
          Token Macro Plugin v2.3
              Pipeline: Job v2.16 failed to load. Fix this plugin first.
          Pipeline: Input Step v2.8
              Pipeline: Supporting APIs v2.16 failed to load. Fix this plugin first.
          Pipeline: Declarative Agent API v1.1.1
              Pipeline: Declarative Extension Points API v1.2.5 failed to load. Fix this plugin first.
          Lockable Resources plugin v2.1
              Matrix Project Plugin v1.12 failed to load. Fix this plugin first.
      
      Warnings have been published for the following currently installed components:
      
          Script Security Plugin 1.18.1:
              Unsafe entries in default whitelist
              Multiple sandbox bypasses
              Arbitrary file read vulnerability
              Groovy sandbox protection incomplete

      All errors can be traced to script-security 1.18.1, which, if that's the bundled version, points to the core upgrade downgrading the already installed plugin.
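      The description above gives the symptom (a cascade of "failed to load" and "is older than required" errors) and the diagnosis (the core upgrade silently replaced an up-to-date script-security with the older bundled copy, which also carries published security warnings). The script below is an added illustration, not code from this issue or from Jenkins itself: it reads the manifest of each plugin archive in a JENKINS_HOME/plugins directory, reproduces the load-time dependency check that produced the errors quoted above, and diffs a scan taken before the upgrade against one taken after to flag any plugin whose version went backwards. The three sample plugins it builds in a temporary directory (script-security, workflow-step-api, workflow-cps, with the versions shown) are constructed for the demo, and its version ordering is a simplified stand-in for Jenkins's own VersionNumber class.

```python
"""Preflight check for Jenkins plugin regressions across a core upgrade.

Reads META-INF/MANIFEST.MF from every .jpi/.hpi in a plugins directory,
reproduces Jenkins's dependency check and reports version downgrades.
"""
import os
import re
import tempfile
import zipfile

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def version_key(version):
    """Comparable key for '1.18.1', '2.16', '1.30-beta-2' and similar.

    Numeric tokens rank 2, the end-of-version marker ranks 1, alphabetic
    qualifiers rank 0, so 1.30-beta-2 < 1.30 < 1.30.1.  Simplified stand-in
    (assumption) for Jenkins's VersionNumber ordering.
    """
    key = [(2, int(t)) if t.isdigit() else (0, t.lower()) for t in _TOKEN.findall(version)]
    key.append((1,))
    return tuple(key)


def parse_manifest(text):
    """Parse a JAR manifest into a dict, joining ' '-prefixed continuation lines."""
    attrs, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]
        elif ":" in line:
            last, _, value = line.partition(":")
            last = last.strip()
            attrs[last] = value.strip()
    return attrs


def parse_dependencies(spec):
    """'a:1.2,b:3.4;resolution:=optional' -> [(name, min_version, optional), ...]."""
    deps = []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        head, *flags = item.split(";")
        name, _, version = head.partition(":")
        optional = any(f.strip() == "resolution:=optional" for f in flags)
        deps.append((name.strip(), version.strip(), optional))
    return deps


def scan_plugins(plugins_dir):
    """{short-name: {'version': str, 'deps': [...]}} for each plugin archive."""
    plugins = {}
    for fname in sorted(os.listdir(plugins_dir)):
        if not fname.endswith((".jpi", ".hpi")):
            continue
        with zipfile.ZipFile(os.path.join(plugins_dir, fname)) as zf:
            m = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        plugins[m["Short-Name"]] = {
            "version": m["Plugin-Version"],
            "deps": parse_dependencies(m.get("Plugin-Dependencies", "")),
        }
    return plugins


def dependency_errors(plugins):
    """Mimic Jenkins's load check: fail a plugin whose required dependency is
    missing or too old, then fail everything that requires a failed plugin."""
    errors = {}
    for name, info in plugins.items():
        for dep, required, optional in info["deps"]:
            if dep not in plugins:
                if not optional:
                    errors[name] = f"{dep} v{required} is missing."
            elif version_key(plugins[dep]["version"]) < version_key(required):
                errors[name] = (f"{dep} v{plugins[dep]['version']} is older than required. "
                                f"To fix, install v{required} or later.")
    changed = True
    while changed:  # propagate failures through the dependency graph
        changed = False
        for name, info in plugins.items():
            if name not in errors:
                for dep, _, optional in info["deps"]:
                    if dep in errors and not optional:
                        errors[name] = f"{dep} failed to load. Fix this plugin first."
                        changed = True
                        break
    return errors


def downgrades(before, after):
    """Plugins whose version is lower in the 'after' scan than in 'before'."""
    return [(n, before[n]["version"], i["version"]) for n, i in after.items()
            if n in before and version_key(i["version"]) < version_key(before[n]["version"])]


def _write_jpi(path, short_name, version, deps=""):
    manifest = f"Manifest-Version: 1.0\nShort-Name: {short_name}\nPlugin-Version: {version}\n"
    if deps:
        manifest += f"Plugin-Dependencies: {deps}\n"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)


def build_sample(root):
    """Constructed sample (not real archives): the same three plugins before and
    after a core upgrade that replaced script-security 1.30 with bundled 1.18.1."""
    dirs = []
    for label, ss_version in (("before", "1.30"), ("after", "1.18.1")):
        d = os.path.join(root, label)
        os.makedirs(d)
        _write_jpi(os.path.join(d, "script-security.jpi"), "script-security", ss_version)
        _write_jpi(os.path.join(d, "workflow-step-api.jpi"), "workflow-step-api", "2.16",
                   "script-security:1.27")
        _write_jpi(os.path.join(d, "workflow-cps.jpi"), "workflow-cps", "2.42",
                   "workflow-step-api:2.16,structs:1.10;resolution:=optional")
        dirs.append(d)
    return dirs


def run_demo():
    """Scan the constructed before/after directories; returns
    (errors_before, errors_after, downgraded_plugins)."""
    with tempfile.TemporaryDirectory() as root:
        before_dir, after_dir = build_sample(root)
        before, after = scan_plugins(before_dir), scan_plugins(after_dir)
        return dependency_errors(before), dependency_errors(after), downgrades(before, after)


if __name__ == "__main__":
    errs_before, errs_after, downs = run_demo()
    print("before upgrade:", errs_before or "no dependency errors")
    for plugin, msg in errs_after.items():
        print(f"after upgrade: {plugin}: {msg}")
    for name, old, new in downs:
        print(f"DOWNGRADED: {name} {old} -> {new}")
```

      To use it against a real instance, call scan_plugins on a copy of the plugins directory taken before stopping Jenkins for the upgrade, scan again after the new WAR has expanded its bundled plugins, and treat any entry from downgrades as a blocker; a downgrade of script-security in particular means the sandbox fixes listed under "Warnings have been published" are no longer in effect.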

          [JENKINS-48604] Jenkins 2.96 downgrades script-security plugin on core update

          Code changed in jenkins
          User: Daniel Beck
          Path:
          site/generate.sh
          http://jenkins-ci.org/commit/backend-update-center2/bfcd215213fdbdb8f6eb7ebda2d4dd389d76564d
          Log:
          JENKINS-48604 Attempt to blacklist 2.96

          Code changed in jenkins
          User: Daniel Beck
          Path:
          site/generate.sh
          http://jenkins-ci.org/commit/backend-update-center2/5e93cb3fb625ce20c10b649c2acbf16ccf797d1a
          Log:
          Merge pull request #176 from daniel-beck/restrict-2.96

          JENKINS-48604 Attempt to blacklist 2.96

          Compare: https://github.com/jenkins-infra/backend-update-center2/compare/df8538b0c823...5e93cb3fb625

          Code changed in jenkins
          User: Daniel Beck
          Path:
          content/_data/changelogs/weekly.yml
          http://jenkins-ci.org/commit/jenkins.io/6aa53520c8e1c17e03226cba0de9d589645a0954
          Log:
          JENKINS-48604 Add warning

          Code changed in jenkins
          User: Daniel Beck
          Path:
          content/_data/changelogs/weekly.yml
          http://jenkins-ci.org/commit/jenkins.io/9f1c409b8c2f099d6fac38b895f72b7ab8fc10a3
          Log:
          JENKINS-48604 More specific warning

          Elliott Brandell added a comment - edited

          Probably not the official way to fix the issue, but I was able to resolve this by doing the following:

          • Downloaded the script located here for installing plugins:
            https://gist.github.com/ebrandell/f009bb1dc7462c95bd62d0beec929862

            If the above doesn't work, you can also try the steps outlined here:
            https://github.com/jenkinsci/docker#preinstalling-plugins

          • From the home directory of my jenkins master server:
            chmod +x ./install_jenkins_plugin.sh

          • Grabbed the identifier and stopped the running docker container:
            docker ps
            docker stop <id>

          • Executed the following (your volume/mount might be located elsewhere...):
            ./install_jenkins_plugin.sh -d /home/ubuntu/jenkins/plugins/ script-security@latest

          • Started my docker master container again and the problem was resolved

          Code changed in jenkins
          User: Devin Nusbaum
          Path:
          test/src/test/java/jenkins/install/LoadDetachedPluginsTest.java
          test/src/test/resources/jenkins/install/LoadDetachedPluginsTest/upgradeFromJenkins2WithDependency.zip
          http://jenkins-ci.org/commit/jenkins/5098524513883a48d07fd32d5a6f058d68adb8b8
          Log:
          Add failing test that reproduces JENKINS-48604

          Code changed in jenkins
          User: Daniel Beck
          Path:
          core/src/main/java/hudson/PluginManager.java
          test/src/test/java/jenkins/install/LoadDetachedPluginsTest.java
          test/src/test/resources/jenkins/install/LoadDetachedPluginsTest/upgradeFromJenkins2WithNewerDependency.zip
          test/src/test/resources/jenkins/install/LoadDetachedPluginsTest/upgradeFromJenkins2WithOlderDependency.zip
          http://jenkins-ci.org/commit/jenkins/1dc2c6d5ff666d60a0eb54125ce7694986d1025b
          Log:
          Merge pull request #3201 from dwnusbaum/JENKINS-48604

          JENKINS-48604 Do not downgrade plugins that are dependencies of detached plugins when upgrading Jenkins

          Compare: https://github.com/jenkinsci/jenkins/compare/c32b6d807a56...1dc2c6d5ff66

          Code changed in jenkins
          User: Daniel Beck
          Path:
          content/_data/changelogs/weekly.yml
          http://jenkins-ci.org/commit/jenkins.io/4fc87f8612e89f4414ee080873fd812112a117c0
          Log:
          JENKINS-48604 Add changelog for 2.97

          Code changed in jenkins
          User: Daniel Beck
          Path:
          content/_data/changelogs/weekly.yml
          http://jenkins-ci.org/commit/jenkins.io/bd829be205fa90522a4de3db0a95500972ff2be7
          Log:
          Merge pull request #1286 from daniel-beck/changelog-2.97

          JENKINS-48604 Add changelog for 2.97

          Compare: https://github.com/jenkins-infra/jenkins.io/compare/bb41a6e7635e...bd829be205fa

          Daniel Beck added a comment -

          Resolved towards 2.97, which is currently being released.

            dnusbaum Devin Nusbaum
            danielbeck Daniel Beck