- Type: Bug
- Resolution: Not A Defect
- Priority: Minor
- None
- Environment: Jenkins v2.401.3 from docker container
Hi,
I'm trying to build a custom (a few additional plugins) container image from the one published on GitHub. A requirement that I have is that the container + application passes a security scan (using trivy in this case), meaning there should not be any fixed security issues in either.
While scanning the jenkins.war file the below CVEs are reported:
- CVE-2023-2976
- CVE-2023-20862
- CVE-2016-1000027
I understand these are all related to dependencies and don't need to be fixed by the Jenkins team. I'm just wondering if it's something you are aware of and that will be fixed in a future release, or if it's something not relevant to Jenkins at all.
(Apologies if there's something very wrong in this, it's my first issue)
Welcome to the Jenkins project.
The vulnerability scanner is reporting possible issues in dependencies merely by the existence of a specific version of a dependency. The "Reporting security vulnerabilities" page says
Jenkins core regularly updates its dependencies. Recent Guava upgrades in core have included 32.0.1 to 32.1.1 in 2.413, 32.0.0 to 32.0.1 in 2.410, and 31.1 to 32.0.0 in 2.407. Recent Spring Security framework upgrades have included 5.8.4 to 5.8.5 in 2.417, 5.8.2 to 5.8.3 in 2.402, and 5.8.1 to 5.8.2 in 2.393.
Since the Jenkins security team has not published vulnerabilities for any of those issues, I'm confident that Jenkins is not vulnerable. If you have found an exploitable vulnerability from one of those dependencies, please follow the security vulnerability reporting process by submitting an issue to the SECURITY project.
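The reply's reasoning (a scanner finding is resolved once the Jenkins core release bundling the fixed dependency version is installed) can be turned into a triage step over trivy's JSON output. This is an added example, not code from the thread or the Jenkins project: the trivy report below is constructed (field names match trivy's JSON schema, but the package names and versions are illustrative), the upgrade table is the one quoted in the reply, and it assumes an LTS release such as 2.401.3 can be ordered against weekly numbers by plain version-tuple comparison.

```python
import json
import re

# Dependency upgrades quoted in the reply above: package -> {Jenkins core release: dependency version}.
CORE_UPGRADES = {
    "com.google.guava:guava": {"2.407": "32.0.0", "2.410": "32.0.1", "2.413": "32.1.1"},
    "org.springframework.security:spring-security-core": {"2.393": "5.8.2", "2.402": "5.8.3", "2.417": "5.8.5"},
}

# Constructed trivy JSON report (field names as trivy emits them); the versions are illustrative only.
SAMPLE_REPORT = json.loads("""{"Results": [{"Target": "jenkins.war", "Type": "jar",
  "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2023-2976", "PkgName": "com.google.guava:guava",
     "InstalledVersion": "31.1-jre", "FixedVersion": "32.0.0"},
    {"VulnerabilityID": "CVE-2023-20862", "PkgName": "org.springframework.security:spring-security-core",
     "InstalledVersion": "5.8.2", "FixedVersion": "5.7.8, 5.8.3, 6.0.3"},
    {"VulnerabilityID": "CVE-2016-1000027", "PkgName": "org.springframework:spring-web",
     "InstalledVersion": "5.3.27", "FixedVersion": "6.0.0"}]}]}""")

def parse_version(v):
    """'2.401.3' -> (2, 401, 3); '31.1-jre' -> (31, 1). Sufficient for dotted release numbers."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def relevant_fix(installed, fixed_field):
    """trivy lists one fix per maintained branch ('5.7.8, 5.8.3, 6.0.3'); take the lowest one newer than installed."""
    fixes = sorted((f.strip() for f in fixed_field.split(",") if f.strip()), key=parse_version)
    return next((f for f in fixes if parse_version(f) > parse_version(installed)), None)

def first_core_with_fix(pkg, fix):
    """Earliest Jenkins core release in the table that ships pkg at or above fix, else None."""
    upgrades = sorted(CORE_UPGRADES.get(pkg, {}).items(), key=lambda kv: parse_version(kv[0]))
    return next((core for core, dep in upgrades if parse_version(dep) >= parse_version(fix)), None)

def triage(report, running_core):
    """Map each finding's CVE id to (status, Jenkins core release or None) relative to running_core."""
    out = {}
    for result in report["Results"]:
        for vuln in result.get("Vulnerabilities", []):
            fix = relevant_fix(vuln["InstalledVersion"], vuln.get("FixedVersion", ""))
            core = first_core_with_fix(vuln["PkgName"], fix) if fix else None
            if fix is None:
                status = "no-fix-published"          # nothing to upgrade to yet
            elif core is None:
                status = "not-in-upgrade-table"      # check the Jenkins changelog for this package
            elif parse_version(core) <= parse_version(running_core):
                status = "already-shipped"           # rescan; the finding should be gone
            else:
                status = "upgrade-core"              # move to at least this core release
            out[vuln["VulnerabilityID"]] = (status, core)
    return out
```

Run `triage(SAMPLE_REPORT, "2.401.3")` to see which findings a core upgrade would clear; anything marked `not-in-upgrade-table` needs a look at the changelog rather than a guess.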