JENKINS-68408

Deprecated or vulnerable plugins offered before non-deprecated and non-vulnerable plugins


      Steps to reproduce

      • Install the latest Jenkins weekly (at the time of this writing, 2.346).
      • Go through the setup wizard, installing all suggested plugins.
      • Install some of the plugins on the first page of available plugins. I installed Blue Ocean, Maven Integration, Docker Pipeline, Subversion, Config File Provider, jnr-posix API, Role-Based Authentication Strategy, Publish Over SSH, Jira, Pipeline Utility Steps, Copy Artifact, Rebuilder, Slack Notification, AnsiColor, Job DSL, and Amazon Web Services SDK.
      • Go to the plugin manager and look at the available plugins.

      Expected results

      Non-deprecated plugins are offered before deprecated plugins.

      Actual results

      Pipeline: Declarative Agent API and Icon Shim (which are both deprecated) and Extended Choice Parameter (which has security vulnerabilities) are offered before non-deprecated plugins without security vulnerabilities. This seems bad, as the order in which plugins are presented to users is an implicit sign of endorsement. We should not be implicitly endorsing deprecated or vulnerable plugins by offering them to users before non-deprecated and non-vulnerable plugins.
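An added example of the ordering policy the report asks for; it is not Jenkins code and not part of the issue. It assumes the shape of the update-center.json feed as I understand it: a "plugins" map, a "deprecations" map keyed by plugin id, and a "warnings" list whose "versions" entries carry a regex "pattern" for the affected versions. The feed below, its versions and the SAMPLE-* warning ids are constructed; the plugin ids match the plugins named in the report, plus one made-up "sample-fixed-plugin" whose warning no longer applies to the offered version.

```python
"""Rank available plugins so deprecated or vulnerable ones are offered last.

Added example, not Jenkins' own code.  Assumed update-center.json layout:
  plugins      -> {id: {"version": ..., "title": ...}}
  deprecations -> {id: {"url": ...}}
  warnings     -> [{"id", "type", "name", "versions": [{"pattern": regex}]}]
"""
import re

# Constructed sample feed (versions and warning ids are made up).
UPDATE_CENTER = {
    "plugins": {
        "workflow-aggregator": {"version": "2.7", "title": "Pipeline"},
        "copyartifact": {"version": "1.0", "title": "Copy Artifact"},
        "sample-fixed-plugin": {"version": "1.46", "title": "Sample Fixed Plugin"},
        "icon-shim": {"version": "3.0.0", "title": "Icon Shim"},
        "pipeline-model-declarative-agent": {
            "version": "1.1.1", "title": "Pipeline: Declarative Agent API"},
        "extended-choice-parameter": {
            "version": "1.0", "title": "Extended Choice Parameter"},
    },
    "deprecations": {
        "icon-shim": {"url": "https://example.invalid/icon-shim"},
        "pipeline-model-declarative-agent": {
            "url": "https://example.invalid/declarative-agent"},
    },
    "warnings": [
        # Applies to every version of the plugin.
        {"id": "SAMPLE-1", "type": "security", "name": "extended-choice-parameter",
         "versions": [{"pattern": r".*"}]},
        # Only 1.40 through 1.45 are affected; the offered 1.46 is fixed.
        {"id": "SAMPLE-2", "type": "security", "name": "sample-fixed-plugin",
         "versions": [{"pattern": r"1\.4[0-5](\..*)?"}]},
    ],
}


def security_warnings(uc, name, version):
    """Ids of security warnings whose version pattern matches `version`.

    A warning with no version entries is treated as applying to all versions.
    """
    hits = []
    for w in uc.get("warnings", []):
        if w.get("type") != "security" or w.get("name") != name:
            continue
        patterns = [v.get("pattern", ".*") for v in w.get("versions", [])] or [".*"]
        if any(re.fullmatch(p, version) for p in patterns):
            hits.append(w["id"])
    return hits


def tier(uc, name):
    """0 = clean, 1 = deprecated, 2 = vulnerable, 3 = both (worst)."""
    plugin = uc["plugins"][name]
    deprecated = name in uc.get("deprecations", {})
    vulnerable = bool(security_warnings(uc, name, plugin["version"]))
    return (2 if vulnerable else 0) + (1 if deprecated else 0)


def ordered_plugins(uc):
    """Plugin ids in the order they should be offered: clean first, then by title."""
    return sorted(uc["plugins"],
                  key=lambda n: (tier(uc, n), uc["plugins"][n]["title"].lower()))


def misordered(uc, displayed):
    """Flagged plugins that a UI listing (`displayed`, ids in shown order)
    offers before at least one clean plugin; empty means the listing is fine."""
    bad = []
    for i, name in enumerate(displayed):
        if tier(uc, name) == 0:
            continue
        if any(tier(uc, later) == 0 for later in displayed[i + 1:]):
            bad.append(name)
    return bad


if __name__ == "__main__":
    for name in ordered_plugins(UPDATE_CENTER):
        print(tier(UPDATE_CENTER, name), name)
```

Running the block prints the sample feed in corrected order; misordered() reproduces the check behind the report: feed it the ids as the plugin manager lists them and it names every deprecated or vulnerable plugin that precedes a clean one. The version-pattern match matters: a plugin whose warning covers only older releases, like the constructed sample-fixed-plugin, stays in the clean tier.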

Assignee: Unassigned
Reporter: Basil Crow