• Bug
    • Resolution: Unresolved
    • Minor
    • job-dsl-plugin
    • None

      The job-dsl-plugin relies on spock-core, which relies on ant, which is affected by CVE-2020-11979.

      https://nvd.nist.gov/vuln/detail/CVE-2020-11979

      https://github.com/jenkinsci/job-dsl-plugin/blob/e6d655dd5b2874f56af8bf4b99a4d622b752bb98/pom.xml#L54C8-L56C42


      According to the reporting guidelines, "Vulnerabilities in dependencies without a plausible or demonstrated exploit will not be treated as vulnerabilities."

      Given that ant is a build tool used to build jars which are then published for consumption, I have no way of knowing if some arbitrary code was injected through temporary files as part of the build process that produces the jars for the job-dsl-plugin.
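The reporting guideline quoted above turns on whether a vulnerable dependency actually reaches the shipped artifact or is only present while the build runs. For a Maven project the first thing to check is where the flagged coordinate sits in `mvn dependency:tree` output and which scope it arrives with: test and provided paths are build-time only and are not packaged into the jar/hpi, while compile and runtime paths are. The script below is an added example, not code from the Jenkins project or from this issue. It parses constructed tree output (the project names, coordinates and versions are made up for the example and are not the job-dsl-plugin's real tree) and reports whether `org.apache.ant:ant` is pulled in only through test/provided scope or also at compile/runtime scope. It assumes the standard `dependency:tree` line layout: an `[INFO] ` prefix, three-character tree-drawing cells per nesting level, then a `group:artifact:type[:classifier]:version[:scope]` coordinate.

```python
"""Triage a scanner finding on a transitive Maven dependency: locate the
flagged coordinate in `mvn dependency:tree` output and check which scope
it arrives with.  test/provided paths are build-time only and are not
packaged into the shipped jar/hpi; compile/runtime paths are."""
import re

# One tree node: "[INFO] ", then zero or more 3-character tree-drawing cells
# ("+- ", "\- ", "|  ", "   "), then a Maven coordinate with 4 to 6 parts
# (group:artifact:type[:classifier]:version[:scope]).  Other build output
# lines do not match and are skipped.
LINE_RE = re.compile(
    r"^\[INFO\] (?P<prefix>(?:[|+\\ -]{3})*)(?P<coord>[\w.-]+(?::[\w.-]+){3,5})"
)

# Scopes whose artifacts are packaged with the built component.
SHIPPED_SCOPES = {"compile", "runtime"}


def parse_tree(text):
    """Yield (ancestors, coord) for each node; ancestors runs from the root
    down to the node's parent.  Depth is the number of 3-character cells."""
    stack = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 3
        del stack[depth:]            # drop sibling subtrees back to the parent level
        yield list(stack), m.group("coord")
        stack.append(m.group("coord"))


def find_artifact(text, group_artifact):
    """Every occurrence of group:artifact with its version, scope and the
    chain of dependencies (below the root) it is pulled in through."""
    hits = []
    for ancestors, coord in parse_tree(text):
        parts = coord.split(":")
        if ":".join(parts[:2]) != group_artifact:
            continue
        scope = parts[-1] if len(parts) >= 5 else None   # the root has no scope
        version = parts[-2] if scope else parts[-1]
        hits.append({
            "version": version,
            "scope": scope,
            "via": [":".join(a.split(":")[:2]) for a in ancestors[1:]],
        })
    return hits


def classify(text, group_artifact):
    """'absent', 'build-only' (no compile/runtime path) or 'shipped'."""
    hits = find_artifact(text, group_artifact)
    if not hits:
        return "absent"
    if any(h["scope"] in SHIPPED_SCOPES for h in hits):
        return "shipped"
    return "build-only"


# Constructed sample output (made-up project, versions and coordinates):
# ant reaches the build only through the test-scoped spock-core dependency.
SAMPLE_BUILD_ONLY = """\
[INFO] --- maven-dependency-plugin:3.6.0:tree (default-cli) @ example-plugin ---
[INFO] org.jenkins-ci.plugins:example-plugin:hpi:1.0-SNAPSHOT
[INFO] +- org.jenkins-ci.main:jenkins-core:jar:2.401.3:provided
[INFO] |  \\- commons-io:commons-io:jar:2.11.0:provided
[INFO] \\- org.spockframework:spock-core:jar:2.3-groovy-3.0:test
[INFO]    +- org.junit.platform:junit-platform-engine:jar:1.9.2:test
[INFO]    \\- org.apache.ant:ant:jar:1.10.8:test
[INFO]       \\- org.apache.ant:ant-launcher:jar:1.10.8:test
"""

# Constructed counter-example: a compile-scoped library also drags ant in,
# so the artifact would be packaged and the finding needs real attention.
SAMPLE_SHIPPED = """\
[INFO] org.example:widget-service:jar:2.0.0
[INFO] +- org.example:build-helper:jar:4.1.0:compile
[INFO] |  \\- org.apache.ant:ant:jar:1.9.4:compile
[INFO] |     \\- org.apache.ant:ant-launcher:jar:1.9.4:compile
[INFO] \\- org.spockframework:spock-core:jar:2.3-groovy-3.0:test
[INFO]    \\- org.apache.ant:ant:jar:1.10.8:test
"""

if __name__ == "__main__":
    samples = (("build-only sample", SAMPLE_BUILD_ONLY), ("shipped sample", SAMPLE_SHIPPED))
    for name, tree in samples:
        print(name, "->", classify(tree, "org.apache.ant:ant"))
        for h in find_artifact(tree, "org.apache.ant:ant"):
            print("  ", h["version"], h["scope"], "via", " -> ".join(h["via"]) or "(direct)")
```

To run the same check against a real project, capture `mvn dependency:tree -Dincludes=org.apache.ant` from its build and feed that text to `classify`. A `build-only` result answers the packaging question only; the build-host exposure the description raises (a vulnerable build tool creating temporary files while producing the release) is a separate question about how and where the release build runs.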


          [JENKINS-73463] job-dsl-plugin affected by CVE-2020-11979

          Mark Waite added a comment -

          Thanks for the report jericop. The Job DSL plugin is up for adoption. That means the current maintainer does not have time to work on it. If you'd like a fix for this dependency update, you should consider adopting the Job DSL plugin. Since your organization is using the plugin, it would help your organization to have an active maintainer of the Job DSL plugin.

          The Jenkins developer mailing list provides help for new maintainers as they adopt plugins and improve them.


          Jerico Pena added a comment -

          Hi markewaite, Thanks for the response. I sent an email to jenkinsci-dev@googlegroups.com on 7/22, but I haven't heard back yet. I assume that is the correct email address? No worries if responses are slow during the summer. I completely understand.


          Mark Waite added a comment -

          jericop I don't see your request in that Google Group. Could you send it again?


          Jerico Pena added a comment -

          I just tried again and got the following response. I must have missed this the first time.

          Delivery Status Notification (Failure)

          We're writing to let you know that the group you tried to contact (jenkinsci-dev) may not exist, or you may not have permission to post messages to the group. A few more details on why you weren't able to post:

           * You might have spelled or formatted the group name incorrectly.
           * The owner of the group may have removed this group.
           * You may need to join the group before receiving permission to post.
           * This group may not be open to posting.


          Mark Waite added a comment -

          https://groups.google.com/g/jenkinsci-dev is the location that I visit.


          Jerico Pena added a comment -

          I get the following error when I try to go to that page. I'm logged in as the same Google user that I used to post to the job-dsl-plugin Google group.


          500. That’s an error.

          There was an error. Please try again later. That’s all we know.


          Jerico Pena added a comment -

          It looks like the group is now accessible and I was able to join and create a post which is pending review/approval. Thanks for your help.


          Mark Waite added a comment -

          Post has been approved and is available on the mailing list archive.


            jamietanna Jamie Tanna
            jericop Jerico Pena