  1. Jenkins
  2. JENKINS-40494

Administrative monitor for installed unsafe plugins

      Description

      (Given the nature of this feature I'd really like to have it in LTS ASAP, therefore marking this as Bug so it shows up on the candidates list)

      As announced on the developers mailing list, we will start releasing security advisories about unmaintained plugins with security vulnerabilities without a fix if necessary:
      https://groups.google.com/d/msg/jenkinsci-dev/NaAqqChOVmY/BvA_TuzjAQAJ

      These plugins need to be marked as 'unsafe' in Jenkins.

      • backend-update-center2 needs to be extended (perhaps as separate Downloadable?)
      • Core needs to be extended to
        • consume the new metadata
        • show warnings in appropriate places (admin monitor for installed plugins, plugin manager for updates and available/installed plugins)

            Activity

            jglick Jesse Glick added a comment -

            I suppose you could create a separate Downloadable but I see no particular advantage to that. Would seem easier to add a new top-level section to update-center.json and thus to UpdateSite.Data. I would suggest something like:

            "pluginWarnings": [
              {
                "name": "do-anything-you-like",
                "message": "This plugin allows all users to do anything they like and so it is not safe to install."
              },
              {
                "name": "acme-builder",
                "version": "1.2",
                "message": "Versions 1.2 and older of this plugin are known to initiate meltdowns in the Acme reactor core. Please update to 1.3 or above right away."
              }
            ]
            

            Since I happen to know that you have access to a vendor plugin which provides customized update sites, I would encourage you to prototype delivering comparable metadata from that plugin, or work with someone who could do such a prototype.
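
The comment above proposes a `pluginWarnings` section whose entries carry a `name`, a `message` and an optional `version`. As an added example (not Jenkins core code and not part of the original comment), the following Python parses such a section, rejects malformed entries, and matches the rest against an installed-plugin inventory. It assumes `version` means "this version and older" and that an entry without `version` covers every version; the function names, the simplified version ordering and the sample data are constructed for illustration.

```python
import json
import re

# Constructed sample in the shape proposed above (not real advisory data).
SAMPLE_UPDATE_CENTER = json.dumps({"pluginWarnings": [
    {"name": "do-anything-you-like", "message": "Not safe to install."},
    {"name": "acme-builder", "version": "1.2", "message": "Update to 1.3 or above."},
    {"name": "broken-entry"},   # malformed: no message
    "not-an-object",            # malformed: wrong type
]})


def version_key(version):
    """Simplified ordering (assumption, not Jenkins's own comparison).

    Uses only the leading dotted-numeric prefix, so "1.2-beta-1" sorts as 1.2
    and an unparsable version sorts lowest; both cases end up flagged.
    """
    match = re.match(r"\d+(?:\.\d+)*", version)
    parts = [int(p) for p in match.group(0).split(".")] if match else []
    while parts and parts[-1] == 0:   # treat 1.2.0 the same as 1.2
        parts.pop()
    return tuple(parts)


def parse_warnings(update_center_json):
    """Return (valid_entries, rejected_count) for the 'pluginWarnings' section."""
    data = json.loads(update_center_json)
    section = data.get("pluginWarnings") if isinstance(data, dict) else None
    if not isinstance(section, list):
        return [], 0
    valid, rejected = [], 0
    for entry in section:
        ok = (isinstance(entry, dict)
              and isinstance(entry.get("name"), str)
              and isinstance(entry.get("message"), str)
              and isinstance(entry.get("version", ""), str))
        if ok:
            valid.append(entry)
        else:
            rejected += 1
    return valid, rejected


def active_warnings(installed, warnings):
    """installed maps plugin name -> version; returns sorted (name, version, message)."""
    hits = []
    for w in warnings:
        have = installed.get(w["name"])
        if have is None:
            continue   # plugin not installed, nothing to warn about
        limit = w.get("version")
        if limit is None or version_key(have) <= version_key(limit):
            hits.append((w["name"], have, w["message"]))
    return sorted(hits)
```

Comparing numeric components rather than strings matters here: a plain string comparison would rank "1.10" below "1.2" and raise a warning for a fixed release.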

            danielbeck Daniel Beck added a comment -

            Using UpdateSite this way would introduce weirdness related to multiple update sites. Not sure I'm a fan of that. Investigating…

            danielbeck Daniel Beck added a comment -

            Work in progress PR: https://github.com/jenkinsci/jenkins/pull/2680

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            core/src/main/java/hudson/model/UpdateSite.java
            core/src/main/java/jenkins/security/UpdateSiteWarningsConfiguration.java
            core/src/main/java/jenkins/security/UpdateSiteWarningsMonitor.java
            core/src/main/resources/hudson/PluginManager/table.jelly
            core/src/main/resources/hudson/PluginManager/table.properties
            core/src/main/resources/jenkins/security/Messages.properties
            core/src/main/resources/jenkins/security/UpdateSiteWarningsConfiguration/config.groovy
            core/src/main/resources/jenkins/security/UpdateSiteWarningsConfiguration/config.properties
            core/src/main/resources/jenkins/security/UpdateSiteWarningsConfiguration/help.html
            core/src/main/resources/jenkins/security/UpdateSiteWarningsConfiguration/style.css
            core/src/main/resources/jenkins/security/UpdateSiteWarningsMonitor/message.groovy
            core/src/main/resources/jenkins/security/UpdateSiteWarningsMonitor/message.properties
            test/src/test/java/hudson/model/UpdateSiteTest.java
            test/src/test/resources/plugins/warnings-update-center-malformed.json
            war/src/main/webapp/css/style.css
            http://jenkins-ci.org/commit/jenkins/c252a764024a94f018fe34dc58702885a48fff8f
            Log:
            JENKINS-40494 Process warnings from update sites (#2680)

            • [FIX JENKINS-40494] Process warnings from update sites
            • JENKINS-40494 Address review comments
            • JENKINS-40494 Add warnings to available/update plugin manager tabs
            • JENKINS-40494 Add tests
            • JENKINS-40494 Address review feedback

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            core/src/main/java/hudson/model/UpdateSite.java
            core/src/main/java/jenkins/security/UpdateSiteWarningsConfiguration.java
            core/src/main/java/jenkins/security/UpdateSiteWarningsMonitor.java
            core/src/main/resources/hudson/PluginManager/table.jelly
            core/src/main/resources/hudson/PluginManager/table.properties
            core/src/main/resources/jenkins/security/Messages.properties
            core/src/main/resources/jenkins/security/UpdateSiteWarningsConfiguration/config.groovy
            core/src/main/resources/jenkins/security/UpdateSiteWarningsConfiguration/config.properties
            core/src/main/resources/jenkins/security/UpdateSiteWarningsConfiguration/help.html
            core/src/main/resources/jenkins/security/UpdateSiteWarningsConfiguration/style.css
            core/src/main/resources/jenkins/security/UpdateSiteWarningsMonitor/message.groovy
            core/src/main/resources/jenkins/security/UpdateSiteWarningsMonitor/message.properties
            test/src/test/java/hudson/model/UpdateSiteTest.java
            test/src/test/resources/plugins/warnings-update-center-malformed.json
            war/src/main/webapp/css/style.css
            http://jenkins-ci.org/commit/jenkins/7831263d4c6820c69129b98b6f8fe2aa32c4c872
            Log:
            JENKINS-40494 Process warnings from update sites (#2680)

            • [FIX JENKINS-40494] Process warnings from update sites
            • JENKINS-40494 Address review comments
            • JENKINS-40494 Add warnings to available/update plugin manager tabs
            • JENKINS-40494 Add tests
            • JENKINS-40494 Address review feedback

              People

              • Assignee:
                danielbeck Daniel Beck
                Reporter:
                danielbeck Daniel Beck