JENKINS-59552: Detached plugins installed are those with security warnings

    • Released As:
      jenkins-2.198

      Description

      When running Jenkins with the official Docker container, some plugins will pull in detached plugins that have security vulnerabilities and also have newer versions available that could be used instead.

      To replicate, you can install https://plugins.jenkins.io/purge-build-queue-plugin# for example. This will pull in a vulnerable version of https://plugins.jenkins.io/pam-auth:

      jenkins_1  | INFO: Loading a detached plugin as a dependency: /var/jenkins_home/plugins/pam-auth.jpi
      jenkins_1  | WARNING: Created /var/jenkins_home/plugins/pam-auth/WEB-INF/lib/classes.jar; update plugin to a version created with a newer harness
      jenkins_1  | INFO: Took 0ms for Loading plugin PAM Authentication plugin v1.1 (pam-auth) by pool-6-thread-4
      jenkins_1  | INFO: Took 0ms for Initializing plugin pam-auth by pool-6-thread-1  

      According to Jesse Glick, this is a bug and not intended behavior.

      This might be scoped to just running with Docker but it's the only place I'm able to test and replicate.
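
Added example (not part of the original report, and not Jenkins project code): a Python script that reads a Jenkins startup log in the format quoted above, lists the plugins loaded as detached dependencies together with the version actually loaded, and flags any that fall below an operator-supplied minimum. The function names, the `example-plugin` log line and the `9.9` threshold are constructed placeholders.

```python
import re

# Patterns match the two log-line shapes quoted in the issue description.
DETACHED = re.compile(r"Loading a detached plugin as a dependency: \S*/([^/\s]+)\.[jh]pi")
LOADED = re.compile(r"Loading plugin .+? v(\S+) \(([^()\s]+)\)")

# Constructed sample: the issue's log lines plus one explicitly installed plugin.
SAMPLE_LOG = """\
jenkins_1  | INFO: Loading a detached plugin as a dependency: /var/jenkins_home/plugins/pam-auth.jpi
jenkins_1  | INFO: Took 0ms for Loading plugin PAM Authentication plugin v1.1 (pam-auth) by pool-6-thread-4
jenkins_1  | INFO: Took 0ms for Loading plugin Example plugin v2.0 (example-plugin) by pool-6-thread-2
"""

def version_key(version):
    """Compare dotted versions by their numeric components, ignoring any -suffix."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))

def detached_plugins(log_text):
    """Return {short_name: version or None} for plugins loaded as detached dependencies."""
    detached, versions = [], {}
    for line in log_text.splitlines():
        if m := DETACHED.search(line):
            detached.append(m.group(1))
        elif m := LOADED.search(line):
            versions[m.group(2)] = m.group(1)
    return {name: versions.get(name) for name in detached}

def below_minimum(found, minimums):
    """List detached plugins whose version is unknown or below the operator's minimum."""
    flagged = []
    for name, version, in sorted(found.items()):
        floor = minimums.get(name)
        if version is None or (floor and version_key(version) < version_key(floor)):
            flagged.append((name, version, floor))
    return flagged

if __name__ == "__main__":
    # Placeholder threshold: take real values from the update center's warnings.
    minimums = {"pam-auth": "9.9"}
    for name, version, floor in below_minimum(detached_plugins(SAMPLE_LOG), minimums):
        print(f"{name}: loaded {version}, minimum {floor}")
```
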

            Activity

            danielbeck Daniel Beck added a comment -

            Andrew Widdersheim Sorry about the lack of responses, I was busy. Happy to take this, unless you want to?

            awiddersheim Andrew Widdersheim added a comment -

            Go for it. I'm busy too.

            danielbeck Daniel Beck added a comment -

            Should be in 2.198.


              People

              Assignee:
              danielbeck Daniel Beck
              Reporter:
              awiddersheim Andrew Widdersheim