Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-59758

hudson.model.UpdateSite.Plugin:getWarnings() using incorrect plugin version, resulting in no warnings found

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Not A Defect
    • Icon: Major Major
    • core
    • Jenkins 2.199 (and LTS / 2.190.1)

      I believe I've found a bug in the way that hudson.model.UpdateSite.Plugin collects the warnings that may exist for a given plugin, as can be seen in this Groovy code sample:

      Groovy Example
          import jenkins.model.*
    import jenkins.security.*
    import hudson.security.*
    import static groovy.json.JsonOutput.*

    def instance = Jenkins.getInstance()
    def manager = instance.getPluginManager()
    def center = instance.getUpdateCenter()
    manager.doCheckUpdatesServer()

    updates = center.getUpdates().collectEntries {
      ([ (it.getInstalled().getShortName()) :
        [
          'class': it.getClass().toString(),
          'version': it.version,
          'hasWarnings': it.hasWarnings(),
        ]
      ])
    }
    println prettyPrint(toJson(updates))

      When when run against my current setup, including at least one plugin with updates that ALSO has warnings, yields (pruned slightly, eliding some irrelevant plugins):

      output
          {
        "git-client": {
            "class": "class hudson.model.UpdateSite$Plugin",
            "version": "2.9.0",
            "hasWarnings": false
        },
        "script-security": {
            "class": "class hudson.model.UpdateSite$Plugin",
            "version": "1.66",
            "hasWarnings": false
        }
    }

      However, perusing the code of hudson.model.UpdateSite, I manually walked the (applicable) warnings a different way:

      Groovy Example (continued)
          def wc = ExtensionList.lookupSingleton(UpdateSiteWarningsConfiguration.class)
    warnings = wc.getApplicableWarnings().collectEntries {
      ([ (it.component): [
         'class': it.getClass().toString(),
          'message': (it.message),
          'version' : (wc.getPlugin(it).getVersion()),
          'ignored': (wc.isIgnored(it)),
          'isPluginWarning' : (it.isPluginWarning(it.component)),
          'isRelevant': (it.isRelevant()),
          'isRelevantToVersion' : (it.isRelevantToVersion(wc.getPlugin(it).getVersionNumber())),
        ]
      ])
    }
    println prettyPrint(toJson(warnings))

      Which yields (unpruned, as there is only one, currently):

      output (continued)
          {
        "script-security": {
            "class": "class hudson.model.UpdateSite$Warning",
            "message": "Sandbox bypass vulnerability",
            "version": "1.64",
            "ignored": false,
            "isPluginWarning": true,
            "isRelevant": true,
            "isRelevantToVersion": true
        }
    }

      It seems to me the failure lies on line 1265 of UpdateSite.java, specifically:

      UpdateSite.java, line 1265:
          if (!warning.isRelevantToVersion(new VersionNumber(this.version))) {

      and more specifically the call to this.version. Perhaps the version field is getting populated incorrectly, but assuming that it should be the latest available version (e.g. script-security version 1.66), instead of the current version (1.64), that seems wrong, at least for the purpose of detecting if the warnings are relevant.

      Could the entire line be both fixed and simplified as well if replaced with:

      possible fix (and simplification)
          if (!warning.isRelevant()) {

      However, I leave that to someone more familiar with the code base than am I.

            Unassigned Unassigned
            eengstrom Eric Engstrom
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: