JENKINS-48604

Jenkins 2.96 downgrades script-security plugin on core update

      Description

      Report from IRC:

      A user upgraded from 2.95 to 2.96 and Jenkins presented them with:

       There are dependency errors loading some plugins:
      
          Static Analysis Utilities v1.93
              Maven Integration plugin v3.0 failed to load. Fix this plugin first.
          Pipeline v2.5
              Pipeline: Input Step v2.8 failed to load. Fix this plugin first.
          Pipeline: Stage View Plugin v2.9
              Pipeline: REST API Plugin v2.9 failed to load. Fix this plugin first.
          Pipeline: Build Step v2.6
              Pipeline: Supporting APIs v2.16 failed to load. Fix this plugin first.
          Pipeline: Declarative v1.2.5
              Pipeline: Shared Groovy Libraries v2.9 failed to load. Fix this plugin first.
          GitHub Branch Source Plugin v2.3.1
              GitHub plugin v1.28.1 failed to load. Fix this plugin first.
          Extra Columns Plugin v1.18
              JUnit Plugin v1.23 failed to load. Fix this plugin first.
          Dashboard View v2.9.11
              Maven Integration plugin v3.0 failed to load. Fix this plugin first.
          Pipeline: GitHub Groovy Libraries v1.0
              Pipeline: Shared Groovy Libraries v2.9 failed to load. Fix this plugin first.
          Matrix Project Plugin v1.12
              JUnit Plugin v1.23 failed to load. Fix this plugin first.
          Pipeline: Multibranch v2.16
              Pipeline: Groovy v2.42 failed to load. Fix this plugin first.
          Docker Pipeline v1.14
              Pipeline: Groovy v2.42 failed to load. Fix this plugin first.
          Jenkins Git plugin v3.6.4
              Matrix Project Plugin v1.12 failed to load. Fix this plugin first.
          Maven Integration plugin v3.0
              JUnit Plugin v1.23 failed to load. Fix this plugin first.
          Static Analysis Collector Plug-in v1.52
              Matrix Project Plugin v1.12 failed to load. Fix this plugin first.
          Pipeline: Nodes and Processes v2.17
              Pipeline: Supporting APIs v2.16 failed to load. Fix this plugin first.
          Plot plugin v2.0.0
              JUnit Plugin v1.23 failed to load. Fix this plugin first.
          Slack Notification Plugin v2.3
              JUnit Plugin v1.23 failed to load. Fix this plugin first.
          Checkstyle Plug-in v3.49
              Static Analysis Utilities v1.93 failed to load. Fix this plugin first.
          Pipeline: Job v2.16
              Pipeline: Supporting APIs v2.16 failed to load. Fix this plugin first.
          Groovy Postbuild v2.3.1
              Matrix Project Plugin v1.12 failed to load. Fix this plugin first.
          Pipeline: Declarative Extension Points API v1.2.5
              Pipeline: Groovy v2.42 failed to load. Fix this plugin first.
          JUnit Plugin v1.23
              Script Security Plugin v1.18.1 is older than required. To fix, install v1.30 or later.
          GitHub plugin v1.28.1
              Jenkins Git plugin v3.6.4 failed to load. Fix this plugin first.
          Jenkins TAP Plugin v2.1
              Matrix Project Plugin v1.12 failed to load. Fix this plugin first.
          Pipeline Graph Analysis Plugin v1.5
              Pipeline: Groovy v2.42 failed to load. Fix this plugin first.
          Jenkins SLOCCount Plug-in v1.22
              Pipeline: Groovy v2.42 failed to load. Fix this plugin first.
          Jenkins Violations plugin v0.7.11
              Maven Integration plugin v3.0 failed to load. Fix this plugin first.
          Pipeline: Shared Groovy Libraries v2.9
              Pipeline: Groovy v2.42 failed to load. Fix this plugin first.
          Pipeline: Groovy v2.42
              Pipeline: Supporting APIs v2.16 failed to load. Fix this plugin first.
          Pipeline: Supporting APIs v2.16
              Script Security Plugin v1.18.1 is older than required. To fix, install v1.27 or later.
          HTML Publisher plugin v1.14
              Matrix Project Plugin v1.12 failed to load. Fix this plugin first.
          GitHub Organization Folder Plugin v1.6
              Pipeline: Multibranch v2.16 failed to load. Fix this plugin first.
          Jenkins Clover PHP plugin v0.5
              Matrix Project Plugin v1.12 failed to load. Fix this plugin first.
          Pipeline: REST API Plugin v2.9
              Pipeline: Job v2.16 failed to load. Fix this plugin first.
          Jenkins Workspace Cleanup Plugin v0.34
              Pipeline: Nodes and Processes v2.17 failed to load. Fix this plugin first.
          Token Macro Plugin v2.3
              Pipeline: Job v2.16 failed to load. Fix this plugin first.
          Pipeline: Input Step v2.8
              Pipeline: Supporting APIs v2.16 failed to load. Fix this plugin first.
          Pipeline: Declarative Agent API v1.1.1
              Pipeline: Declarative Extension Points API v1.2.5 failed to load. Fix this plugin first.
          Lockable Resources plugin v2.1
              Matrix Project Plugin v1.12 failed to load. Fix this plugin first.
      
      Warnings have been published for the following currently installed components:
      
          Script Security Plugin 1.18.1:
              Unsafe entries in default whitelist
              Multiple sandbox bypasses
              Arbitrary file read vulnerability
              Groovy sandbox protection incomplete

      All errors can be traced to script-security 1.18.1, which, if that's the bundled version, points to the core upgrade downgrading the already installed plugin.
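The tracing described in the last sentence can be automated. The Python below is an added example, not part of the original report or of Jenkins: it follows each "failed to load" chain to the version mismatch that starts it. The function names are hypothetical, and it assumes one cause per plugin and numeric dotted versions, as in the output above.

```python
import re
SAMPLE = """\
Pipeline: Groovy v2.42
    Pipeline: Supporting APIs v2.16 failed to load. Fix this plugin first.
Pipeline: Supporting APIs v2.16
    Script Security Plugin v1.18.1 is older than required. To fix, install v1.27 or later.
Maven Integration plugin v3.0
    JUnit Plugin v1.23 failed to load. Fix this plugin first.
JUnit Plugin v1.23
    Script Security Plugin v1.18.1 is older than required. To fix, install v1.30 or later.
"""  # excerpt of the error list quoted in the report above, not the full output
FAILED = re.compile(r"^(.+) failed to load\. Fix this plugin first\.$")
OLDER = re.compile(r"^(.+) v(\S+) is older than required\. To fix, install v(\S+) or later\.$")

def parse(text):
    """Return plugin -> failed dependency, and plugin -> (outdated dep, installed, required)."""
    blocked_by, too_old, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := OLDER.match(line):
            too_old[current] = m.groups()
        elif m := FAILED.match(line):
            blocked_by[current] = m.group(1)
        elif line:
            current = line  # header line: the plugin that could not be loaded
    return blocked_by, too_old

def root_causes(text):
    """Follow each 'failed to load' chain down to the version mismatch that starts it."""
    blocked_by, too_old = parse(text)
    roots = {}
    for plugin in {**blocked_by, **too_old}:
        seen, node = set(), plugin
        while node in blocked_by and node not in seen:  # guard against cycles
            seen.add(node)
            node = blocked_by[node]
        roots[plugin] = too_old.get(node)  # None if the chain ends outside the log
    return roots

def minimum_fix(text):
    """Per outdated plugin: (installed version, highest minimum any dependent demands)."""
    key = lambda v: tuple(int(p) for p in v.split("."))
    need = {}
    for name, installed, required in parse(text)[1].values():
        if name not in need or key(required) > key(need[name][1]):
            need[name] = (installed, required)
    return need

if __name__ == "__main__":
    print(root_causes(SAMPLE), minimum_fix(SAMPLE), sep="\n")
```

Run against the full error list, every chain that resolves to the same outdated plugin confirms a single root cause, and `minimum_fix` gives the lowest version that satisfies all dependents at once.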

              People

              • Assignee:
                dnusbaum Devin Nusbaum
                Reporter:
                danielbeck Daniel Beck