[JENKINS-59758] hudson.model.UpdateSite.Plugin:getWarnings() using incorrect plugin version, resulting in no warnings found

Type: Bug
Resolution: Not A Defect
Priority: Major
Component/s: core
Labels:
Environment:
Jenkins 2.199 (and LTS / 2.190.1)

Similar Issues:
Powered by SuggestiMate

Show

I believe I've found a bug in the way that hudson.model.UpdateSite.Plugin collects the warnings that may exist for a given plugin, as can be seen in this Groovy code sample:

Groovy Example

    import jenkins.model.*
    import jenkins.security.*
    import hudson.security.*
    import static groovy.json.JsonOutput.*

    def instance = Jenkins.getInstance()
    def manager = instance.getPluginManager()
    def center = instance.getUpdateCenter()
    manager.doCheckUpdatesServer()

    updates = center.getUpdates().collectEntries {
      ([ (it.getInstalled().getShortName()) :
        [
          'class': it.getClass().toString(),
          'version': it.version,
          'hasWarnings': it.hasWarnings(),
        ]
      ])
    }
    println prettyPrint(toJson(updates))

When when run against my current setup, including at least one plugin with updates that ALSO has warnings, yields (pruned slightly, eliding some irrelevant plugins):

output

    {
        "git-client": {
            "class": "class hudson.model.UpdateSite$Plugin",
            "version": "2.9.0",
            "hasWarnings": false
        },
        "script-security": {
            "class": "class hudson.model.UpdateSite$Plugin",
            "version": "1.66",
            "hasWarnings": false
        }
    }

However, perusing the code of hudson.model.UpdateSite, I manually walked the (applicable) warnings a different way:

Groovy Example (continued)

    def wc = ExtensionList.lookupSingleton(UpdateSiteWarningsConfiguration.class)
    warnings = wc.getApplicableWarnings().collectEntries {
      ([ (it.component): [
         'class': it.getClass().toString(),
          'message': (it.message),
          'version' : (wc.getPlugin(it).getVersion()),
          'ignored': (wc.isIgnored(it)),
          'isPluginWarning' : (it.isPluginWarning(it.component)),
          'isRelevant': (it.isRelevant()),
          'isRelevantToVersion' : (it.isRelevantToVersion(wc.getPlugin(it).getVersionNumber())),
        ]
      ])
    }
    println prettyPrint(toJson(warnings))

Which yields (unpruned, as there is only one, currently):

output (continued)

    {
        "script-security": {
            "class": "class hudson.model.UpdateSite$Warning",
            "message": "Sandbox bypass vulnerability",
            "version": "1.64",
            "ignored": false,
            "isPluginWarning": true,
            "isRelevant": true,
            "isRelevantToVersion": true
        }
    }

It seems to me the failure lies on line 1265 of UpdateSite.java, specifically:

UpdateSite.java, line 1265:

    if (!warning.isRelevantToVersion(new VersionNumber(this.version))) {

and more specifically the call to this.version. Perhaps the version field is getting populated incorrectly, but assuming that it should be the latest available version (e.g. script-security version 1.66), instead of the current version (1.64), that seems wrong, at least for the purpose of detecting if the warnings are relevant.

Could the entire line be both fixed and simplified as well if replaced with:

possible fix (and simplification)

    if (!warning.isRelevant()) {

However, I leave that to someone more familiar with the code base than am I.

Daniel Beck added a comment - 2019-10-12 15:41 - edited

eengstrom

Hi Eric, I'm the original author of this feature. There's a bunch of technical details in this report of you digging into the internals, but I do not understand what exactly the behavior is that you're seeing, and what you expect to see instead, and why. Could you provide these?

Thanks!

Daniel Beck added a comment - 2019-10-12 15:41 - edited eengstrom Hi Eric, I'm the original author of this feature. There's a bunch of technical details in this report of you digging into the internals, but I do not understand what exactly the behavior is that you're seeing, and what you expect to see instead, and why. Could you provide these? Thanks!

Eric Engstrom added a comment - 2019-10-12 18:16 - edited

Sorry - I thought the issue was more clear.

Essentially if you attempt to get any issued warnings for an instance of hudson.model.UpdateSite$Plugin, you will ALWAYS get an empty list ([]). I believe this to be the case because the version check on line 1265 is checking against the latest version, not the installed version.

My complex example code is only me trying to figure out why. If you happen to have an instance of Jenkins around with a plugin with a security warning, try the first block of groovy code.

Is that helpful? If not, I'll try again.

Eric Engstrom added a comment - 2019-10-12 18:16 - edited Sorry - I thought the issue was more clear. Essentially if you attempt to get any issued warnings for an instance of hudson.model.UpdateSite$Plugin , you will ALWAYS get an empty list ( [] ). I believe this to be the case because the version check on line 1265 is checking against the latest version, not the installed version. My complex example code is only me trying to figure out why. If you happen to have an instance of Jenkins around with a plugin with a security warning, try the first block of groovy code. Is that helpful? If not, I'll try again.

Daniel Beck added a comment - 2019-10-12 20:52

Well, UpdateSite.Plugin is the plugin as it is being distributed by the update site. For the plugins you mention, published issues are already fixed in the releases currently being distributed as latest version. Therefore, no warnings apply to those releases.

The reason this API based on UpdateSite.Plugin exists will be apparent when you filter the "available plugins" lists by the string /security/ – there are many plugins being distributed with active security warnings, i.e. even if you're on the newest release, you're affected by a known public security issue. These are typically abandoned plugins.

Daniel Beck added a comment - 2019-10-12 20:52 Well, UpdateSite.Plugin is the plugin as it is being distributed by the update site. For the plugins you mention, published issues are already fixed in the releases currently being distributed as latest version. Therefore, no warnings apply to those releases. The reason this API based on UpdateSite.Plugin exists will be apparent when you filter the "available plugins" lists by the string /security/ – there are many plugins being distributed with active security warnings, i.e. even if you're on the newest release, you're affected by a known public security issue. These are typically abandoned plugins.

Daniel Beck added a comment - 2019-10-12 20:52

Works as designed.

Daniel Beck added a comment - 2019-10-12 20:52 Works as designed.

Jenkins

Details

Description

Attachments

Activity

Collapse comment: Daniel Beck added a comment - 2019-10-12 15:41, Edited by Daniel Beck - 2019-10-12 15:42

Expand comment: Daniel Beck added a comment - 2019-10-12 15:41, Edited by Daniel Beck - 2019-10-12 15:42

Collapse comment: Eric Engstrom added a comment - 2019-10-12 18:16, Edited by Eric Engstrom - 2019-10-12 18:17

Expand comment: Eric Engstrom added a comment - 2019-10-12 18:16, Edited by Eric Engstrom - 2019-10-12 18:17

Collapse comment: Daniel Beck added a comment - 2019-10-12 20:52

Expand comment: Daniel Beck added a comment - 2019-10-12 20:52

Collapse comment: Daniel Beck added a comment - 2019-10-12 20:52

Expand comment: Daniel Beck added a comment - 2019-10-12 20:52

People

Dates