Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-56057

UpdateSiteWarningsConfiguration should be confirgurable via JCasC

    • 2.333

      By using JCasC I have the plugins versions under my control.

      So I don't want to disable the security warnings manually every time I create/configure a new Jenkins instance via JCasC.
      It should be possible to configure it via JCasC.

      The JCasC configuration could be look like this:

      security:
        updateSiteWarningsConfiguration:
          ignoredWarnings:
            - 'SECURITY-248'
      

      First try to patch UpdateSiteWarningsConfiguration (using @DataBoundSetter see [JCasC Requirements - guide for plugin maintainers](https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/REQUIREMENTS.md) ) has failed.
      So any hint would be welcome.

          [JENKINS-56057] UpdateSiteWarningsConfiguration should be confirgurable via JCasC

          Uwe Hanisch added a comment -

          Nevertheless:
          All what I can configure via GUI should also be possible via JCasC.
          (if there is an XML config file beneath ~jenkins/ it should be possible to set it via JCasC)

          Uwe Hanisch added a comment - Nevertheless: All what I can configure via GUI should also be possible via JCasC. (if there is an XML config file beneath ~jenkins/ it should be possible to set it via JCasC)

          It would be great to be able to suppress certain warnings via JSasC.

          Simon Wydooghe added a comment - It would be great to be able to suppress certain warnings via JSasC.

          I would like to see this feature as well

          Daniel Estermann added a comment - I would like to see this feature as well

          Any update?

          Manuel Morejon added a comment - Any update?

          max allan added a comment -

          Your annual reminder that this issue still needs fixing!

          Jenkins says there are no attributes available still (I think that is what it says)

          Caused by: io.jenkins.plugins.casc.ConfiguratorException: Invalid configuration elements for type class jenkins.security.UpdateSiteWarningsConfiguration : ignoredWarnings.
          Available attributes :
          at io.jenkins.plugins.casc.BaseConfigurator.handleUnknown(BaseConfigurator.java:375)
          at io.jenkins.plugins.casc.BaseConfigurator.configure(BaseConfigurator.java:364)

          max allan added a comment - Your annual reminder that this issue still needs fixing! Jenkins says there are no attributes available still (I think that is what it says) Caused by: io.jenkins.plugins.casc.ConfiguratorException: Invalid configuration elements for type class jenkins.security.UpdateSiteWarningsConfiguration : ignoredWarnings. Available attributes : at io.jenkins.plugins.casc.BaseConfigurator.handleUnknown(BaseConfigurator.java:375) at io.jenkins.plugins.casc.BaseConfigurator.configure(BaseConfigurator.java:364)

          Daniel Beck added a comment -

          Your annual reminder that this issue still needs fixing!

          Patches welcome: https://www.jenkins.io/participate/code/ + https://github.com/jenkinsci/jenkins/blob/master/CONTRIBUTING.md

          Daniel Beck added a comment - Your annual reminder that this issue still needs fixing! Patches welcome: https://www.jenkins.io/participate/code/ + https://github.com/jenkinsci/jenkins/blob/master/CONTRIBUTING.md

          Tim Jacomb added a comment -

          wfollonier / danielbeck could we disable the https://github.com/jenkins-infra/update-center2/blob/master/resources/warnings.json#L1564 SECURITY-248 warning now?

          I've filed a PR for this feature but I don't think that warning should be active anymore

          Tim Jacomb added a comment - wfollonier / danielbeck could we disable the https://github.com/jenkins-infra/update-center2/blob/master/resources/warnings.json#L1564 SECURITY-248 warning now? I've filed a PR for this feature but I don't think that warning should be active anymore

          Wadeck Follonier added a comment - timja (+ danielbeck ) => https://github.com/jenkins-infra/update-center2/pull/564

          max allan added a comment -

          Removing a single warning does not address the wider use case of disabling warnings selectively from CASC.
          Security-248 was an example of such a warning people may want to disable.

          We deploy Jenkins from a (private) repo with some known vulnerabilities (due to breaking changes the fix includes). The vulns they expose do not matter to us because we have things like matrix auth and no network access for anyone but authorised users etc.... But the users often see warnings and get scared. We have tested that their deployment is not at risk of the thing in the warning, but we cannot prevent people from seeing it and raising unnecessary tickets.

          I can remove that warning by making changes in the UI, but not via CASC. Everything else in their deployment is configured with CASC. (Most are "read-only" deployments because everything is in the CASC, if they want to change anything they go to git not Jenkins UI.)

          I'd love to make a patch for fixing it to work from CASC, but it's way above my skill level in Java!
          The class jenkins.security.UpdateSiteWarningsConfiguration already exists, you just can't do anything useful with it from CASC!

          max allan added a comment - Removing a single warning does not address the wider use case of disabling warnings selectively from CASC. Security-248 was an example of such a warning people may want to disable. We deploy Jenkins from a (private) repo with some known vulnerabilities (due to breaking changes the fix includes). The vulns they expose do not matter to us because we have things like matrix auth and no network access for anyone but authorised users etc.... But the users often see warnings and get scared. We have tested that their deployment is not at risk of the thing in the warning, but we cannot prevent people from seeing it and raising unnecessary tickets. I can remove that warning by making changes in the UI, but not via CASC. Everything else in their deployment is configured with CASC. (Most are "read-only" deployments because everything is in the CASC, if they want to change anything they go to git not Jenkins UI.) I'd love to make a patch for fixing it to work from CASC, but it's way above my skill level in Java! The class jenkins.security.UpdateSiteWarningsConfiguration already exists, you just can't do anything useful with it from CASC!

          Tim Jacomb added a comment -

          the fix was merged to master, https://github.com/jenkinsci/jenkins/pull/6203

          Tim Jacomb added a comment - the fix was merged to master, https://github.com/jenkinsci/jenkins/pull/6203

            timja Tim Jacomb
            uhanisch Uwe Hanisch
            Votes:
            13 Vote for this issue
            Watchers:
            19 Start watching this issue

              Created:
              Updated:
              Resolved: