Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-59552

Detached plugins installed are those with security warnings


    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Critical Critical
    • core
    • jenkins-2.198

      When running Jenkins with the official Docker container, some plugins will pull in detached plugins that have security vulnerabilities and also have newer versions available that could be used instead.

      To replicate, you can install https://plugins.jenkins.io/purge-build-queue-plugin# for example. This will pull in a vulnerable version of https://plugins.jenkins.io/pam-auth:

      jenkins_1  | INFO: Loading a detached plugin as a dependency: /var/jenkins_home/plugins/pam-auth.jpi
      jenkins_1  | WARNING: Created /var/jenkins_home/plugins/pam-auth/WEB-INF/lib/classes.jar; update plugin to a version created with a newer harness
      jenkins_1  | INFO: Took 0ms for Loading plugin PAM Authentication plugin v1.1 (pam-auth) by pool-6-thread-4
      jenkins_1  | INFO: Took 0ms for Initializing plugin pam-auth by pool-6-thread-1  

      According to jglick, this is a bug and not intended behavior

      This might be scoped to just running with Docker but it's the only place I'm able to test and replicate.

            danielbeck Daniel Beck
            awiddersheim Andrew Widdersheim
            0 Vote for this issue
            5 Start watching this issue