JENKINS-71766: War file scan reports fixed issues in dependencies

    • Type: Bug
    • Resolution: Not A Defect
    • Priority: Minor
    • Component: core
    • Environment: Jenkins v2.401.3 from docker container

      Hi,

      I'm trying to build a custom (a few additional plugins) container image from the one published on GitHub. A requirement that I have is that the container + application passes a security scan (using Trivy in this case), meaning there should not be any fixed security issues in either.

      While scanning the jenkins.war file the below CVEs are reported:

      • CVE-2023-2976
      • CVE-2023-20862
      • CVE-2016-1000027

      I understand these are all related to dependencies and don't need to be fixed by the Jenkins team; I'm just wondering if it's something you are aware of and that will be fixed in a future release, or if it's something not relevant to Jenkins at all.

      (Apologies if there's something very wrong in this, it's my first issue)


          Mark Waite added a comment -

          Welcome to the Jenkins project.

          The vulnerability scanner is reporting possible issues in dependencies merely by the existence of a specific version of a dependency. The "Reporting security vulnerabilities" page says

          Vulnerabilities in dependencies without a plausible or demonstrated exploit will not be treated as vulnerabilities. While we inform maintainers about the need to update their dependencies, and may track progress in the SECURITY Jira project, no security advisory will be published for these.

          Jenkins core regularly updates its dependencies. Recent Guava upgrades in core have included 32.0.1 to 32.1.1 in 2.413, 32.0.0 to 32.0.1 in 2.410, and 31.1 to 32.0.0 in 2.407. Recent Spring Security framework upgrades have included 5.8.4 to 5.8.5 in 2.417, 5.8.2 to 5.8.3 in 2.402, and 5.8.1 to 5.8.2 in 2.393.

          Since the Jenkins security team has not published vulnerabilities for any of those issues, I'm confident that Jenkins is not vulnerable. If you have found an exploitable vulnerability from one of those dependencies, please follow the security vulnerability reporting process by submitting an issue to the SECURITY project.

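The policy above still leaves the reporter with a scanner that fails on dependency-version findings, and the practical alternative to silently suppressing CVE ids is to triage the Trivy report against reviewed, expiring risk acceptances. The script below is an added example, not Jenkins project code: the report is a constructed sample in the shape of Trivy's JSON output, the versions and the CVE-0000-0000 id are placeholders, and the acceptance list and its review-by dates are assumptions.

```python
"""Triage a Trivy JSON report of jenkins.war against reviewed, expiring risk acceptances."""
import json

# Constructed sample in the shape of a Trivy JSON report (Results[].Vulnerabilities[]);
# versions are illustrative and not taken from a real scan of Jenkins 2.401.3.
SAMPLE_REPORT = json.dumps({"ArtifactName": "jenkins.war", "Results": [{
    "Target": "jenkins.war", "Class": "lang-pkgs", "Type": "jar", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2023-2976", "PkgName": "com.google.guava:guava",
         "InstalledVersion": "31.1-jre", "FixedVersion": "32.0.0-jre", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2023-20862", "PkgName": "org.springframework.security:spring-security-web",
         "InstalledVersion": "5.8.2", "FixedVersion": "5.8.3", "Severity": "MEDIUM"},
        {"VulnerabilityID": "CVE-2016-1000027", "PkgName": "org.springframework:spring-web",
         "InstalledVersion": "5.3.27", "FixedVersion": "6.0.0", "Severity": "CRITICAL"},
        # placeholder id standing in for a finding nobody has reviewed yet
        {"VulnerabilityID": "CVE-0000-0000", "PkgName": "example:unreviewed",
         "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "HIGH"}]}]})

# Assumed acceptances recorded after a human review, keyed by (CVE, package) so the same
# CVE reported against a different package is not waved through. Each carries the
# justification and an ISO review-by date (ISO strings compare chronologically).
ACCEPTED = {
    ("CVE-2023-2976", "com.google.guava:guava"):
        ("dependency-version finding only; no Jenkins advisory (JENKINS-71766)", "2024-03-31"),
    ("CVE-2023-20862", "org.springframework.security:spring-security-web"):
        ("dependency-version finding only; no Jenkins advisory (JENKINS-71766)", "2024-03-31"),
    ("CVE-2016-1000027", "org.springframework:spring-web"):
        ("fix is Spring 6, which needs the Java 17 baseline; no Jenkins advisory; re-review after Java 17 cutover", "2024-03-31"),
}


def triage(report_json, accepted, today):
    """Split findings into (ignored, blocking).

    ignored:  [((cve, pkg), justification)] with an acceptance still in date
    blocking: [((cve, pkg), severity, reason)] that should fail the pipeline gate
    """
    ignored, blocking = [], []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            key = (v["VulnerabilityID"], v["PkgName"])
            entry = accepted.get(key)
            if entry and today <= entry[1]:
                ignored.append((key, entry[0]))
            else:
                blocking.append((key, v["Severity"], "acceptance expired" if entry else "no reviewed acceptance"))
    return ignored, blocking


def render_trivyignore(ignored):
    """Render .trivyignore content: one CVE id per line, justification as a # comment.
    The plain .trivyignore format ignores an id globally, not per package, hence the comment."""
    return "\n".join(f"# {pkg}: {why}\n{cve}" for (cve, pkg), why in ignored) + "\n"
```

Run with today's date in a pipeline step and fail the build when `blocking` is non-empty; an expired acceptance then forces a re-review instead of lingering indefinitely.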

          Tom added a comment -

          Can someone give me an answer if there is any plan to update org.springframework:spring-web to version 6.0.0? This is related to the Critical CVE: CVE-2016-1000027


          Mark Waite added a comment -

          tomz there is no current plan to update Spring framework to version 6. The Spring framework 6.0.0 announcement blog post notes that

          Spring Framework 6.0 comes with a Java 17+ baseline and a move to Jakarta EE 9+ (in the jakarta namespace), with a focus on the recently released Jakarta EE 10 APIs such as Servlet 6.0 and JPA 3.1.

          Since Spring Framework 6 uses a Java 17 baseline, the Jenkins project can't use it until Jenkins requires Java 17 or newer. Based on the draft of the 2+2+2 Java Support Plan, Jenkins won't require Java 17 until September or October 2024.

          Since Spring Framework 6.0 requires a move to Jakarta EE 9+ (in the jakarta namespace), it will probably be even longer to make the transition from Spring Framework 5.3.x to Spring Framework 6. The move to Jakarta EE 9+ (in the jakarta namespace) looks like a very large change for the Jenkins project. The timeline for that change is not known.

          Refer to my earlier comment on why I believe that the vulnerability reported by a scanner is not a Jenkins vulnerability.


          Tom added a comment -

          markewaite Thanks for the explanation. It helps me a lot to understand the effort which is needed to implement it and why this isn't done until now!


            Assignee: Unassigned
            Reporter: Andrea (shaps)