JENKINS-48604: Jenkins 2.96 downgrades script-security plugin on core update


      Description

      Report from IRC:

      A user upgraded from 2.95 to 2.96 and Jenkins presented them with:

       There are dependency errors loading some plugins:
      
          Static Analysis Utilities v1.93
              Maven Integration plugin v3.0 failed to load. Fix this plugin first.
          Pipeline v2.5
              Pipeline: Input Step v2.8 failed to load. Fix this plugin first.
          Pipeline: Stage View Plugin v2.9
              Pipeline: REST API Plugin v2.9 failed to load. Fix this plugin first.
          Pipeline: Build Step v2.6
              Pipeline: Supporting APIs v2.16 failed to load. Fix this plugin first.
          Pipeline: Declarative v1.2.5
              Pipeline: Shared Groovy Libraries v2.9 failed to load. Fix this plugin first.
          GitHub Branch Source Plugin v2.3.1
              GitHub plugin v1.28.1 failed to load. Fix this plugin first.
          Extra Columns Plugin v1.18
              JUnit Plugin v1.23 failed to load. Fix this plugin first.
          Dashboard View v2.9.11
              Maven Integration plugin v3.0 failed to load. Fix this plugin first.
          Pipeline: GitHub Groovy Libraries v1.0
              Pipeline: Shared Groovy Libraries v2.9 failed to load. Fix this plugin first.
          Matrix Project Plugin v1.12
              JUnit Plugin v1.23 failed to load. Fix this plugin first.
          Pipeline: Multibranch v2.16
              Pipeline: Groovy v2.42 failed to load. Fix this plugin first.
          Docker Pipeline v1.14
              Pipeline: Groovy v2.42 failed to load. Fix this plugin first.
          Jenkins Git plugin v3.6.4
              Matrix Project Plugin v1.12 failed to load. Fix this plugin first.
          Maven Integration plugin v3.0
              JUnit Plugin v1.23 failed to load. Fix this plugin first.
          Static Analysis Collector Plug-in v1.52
              Matrix Project Plugin v1.12 failed to load. Fix this plugin first.
          Pipeline: Nodes and Processes v2.17
              Pipeline: Supporting APIs v2.16 failed to load. Fix this plugin first.
          Plot plugin v2.0.0
              JUnit Plugin v1.23 failed to load. Fix this plugin first.
          Slack Notification Plugin v2.3
              JUnit Plugin v1.23 failed to load. Fix this plugin first.
          Checkstyle Plug-in v3.49
              Static Analysis Utilities v1.93 failed to load. Fix this plugin first.
          Pipeline: Job v2.16
              Pipeline: Supporting APIs v2.16 failed to load. Fix this plugin first.
          Groovy Postbuild v2.3.1
              Matrix Project Plugin v1.12 failed to load. Fix this plugin first.
          Pipeline: Declarative Extension Points API v1.2.5
              Pipeline: Groovy v2.42 failed to load. Fix this plugin first.
          JUnit Plugin v1.23
              Script Security Plugin v1.18.1 is older than required. To fix, install v1.30 or later.
          GitHub plugin v1.28.1
              Jenkins Git plugin v3.6.4 failed to load. Fix this plugin first.
          Jenkins TAP Plugin v2.1
              Matrix Project Plugin v1.12 failed to load. Fix this plugin first.
          Pipeline Graph Analysis Plugin v1.5
              Pipeline: Groovy v2.42 failed to load. Fix this plugin first.
          Jenkins SLOCCount Plug-in v1.22
              Pipeline: Groovy v2.42 failed to load. Fix this plugin first.
          Jenkins Violations plugin v0.7.11
              Maven Integration plugin v3.0 failed to load. Fix this plugin first.
          Pipeline: Shared Groovy Libraries v2.9
              Pipeline: Groovy v2.42 failed to load. Fix this plugin first.
          Pipeline: Groovy v2.42
              Pipeline: Supporting APIs v2.16 failed to load. Fix this plugin first.
          Pipeline: Supporting APIs v2.16
              Script Security Plugin v1.18.1 is older than required. To fix, install v1.27 or later.
          HTML Publisher plugin v1.14
              Matrix Project Plugin v1.12 failed to load. Fix this plugin first.
          GitHub Organization Folder Plugin v1.6
              Pipeline: Multibranch v2.16 failed to load. Fix this plugin first.
          Jenkins Clover PHP plugin v0.5
              Matrix Project Plugin v1.12 failed to load. Fix this plugin first.
          Pipeline: REST API Plugin v2.9
              Pipeline: Job v2.16 failed to load. Fix this plugin first.
          Jenkins Workspace Cleanup Plugin v0.34
              Pipeline: Nodes and Processes v2.17 failed to load. Fix this plugin first.
          Token Macro Plugin v2.3
              Pipeline: Job v2.16 failed to load. Fix this plugin first.
          Pipeline: Input Step v2.8
              Pipeline: Supporting APIs v2.16 failed to load. Fix this plugin first.
          Pipeline: Declarative Agent API v1.1.1
              Pipeline: Declarative Extension Points API v1.2.5 failed to load. Fix this plugin first.
          Lockable Resources plugin v2.1
              Matrix Project Plugin v1.12 failed to load. Fix this plugin first.
      
      Warnings have been published for the following currently installed components:
      
          Script Security Plugin 1.18.1:
              Unsafe entries in default whitelist
              Multiple sandbox bypasses
              Arbitrary file read vulnerability
              Groovy sandbox protection incomplete

      All errors can be traced to script-security 1.18.1, which, if that's the bundled version, points to the core upgrade downgrading the already installed plugin.
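      The diagnosis above (a core upgrade quietly replacing an already installed script-security with the older bundled 1.18.1, which then breaks every plugin whose manifest demands 1.27 or 1.30) is worth checking mechanically around any core upgrade rather than reading it off a wall of "failed to load" lines. What follows is an added example, not code from the Jenkins project or from this issue: it reads Short-Name, Plugin-Version and Plugin-Dependencies from META-INF/MANIFEST.MF inside each .jpi/.hpi in a plugins directory (those headers are what real plugin archives carry, in the "name:version[;resolution:=optional]" form), compares against a snapshot taken before the upgrade, and reports downgrades and unsatisfied mandatory dependencies. The fixture archives, the pre-upgrade script-security version of 1.30, the optional junit dependency on workflow-cps, and the numeric-only version ordering are assumptions made for the demo, not facts from the report.

```python
"""Detect plugin downgrades and unsatisfied plugin dependencies across a
Jenkins core upgrade by reading manifests from a plugins directory.
Added example, not Jenkins project code; fixtures in demo() are constructed."""
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

MANIFEST = "META-INF/MANIFEST.MF"


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'Key: value' manifest lines; a line starting with one space
    continues the previous value (JAR tools wrap long lines this way)."""
    headers: Dict[str, str] = {}
    last: Optional[str] = None
    for line in text.splitlines():
        if line.startswith(" ") and last is not None:
            headers[last] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            headers[last] = value.strip()
    return headers


def version_key(version: str) -> Tuple[int, ...]:
    """Leading dotted-numeric part of a version as a comparable tuple:
    '1.18.1' -> (1, 18, 1), '2.3-beta' -> (2, 3). Ignoring qualifiers is an
    approximation of Jenkins' own ordering (assumption for this example)."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()


def read_plugins(plugins_dir: str) -> Dict[str, Dict[str, str]]:
    """Short-Name -> manifest headers for every .jpi/.hpi archive in the dir."""
    plugins: Dict[str, Dict[str, str]] = {}
    for name in sorted(os.listdir(plugins_dir)):
        if name.endswith((".jpi", ".hpi")):
            with zipfile.ZipFile(os.path.join(plugins_dir, name)) as zf:
                headers = parse_manifest(zf.read(MANIFEST).decode("utf-8"))
            plugins[headers["Short-Name"]] = headers
    return plugins


def snapshot(plugins_dir: str) -> Dict[str, str]:
    """Short-Name -> Plugin-Version; take this before upgrading core."""
    return {k: v["Plugin-Version"] for k, v in read_plugins(plugins_dir).items()}


def find_downgrades(before: Dict[str, str],
                    after: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(plugin, old version, new version) for every plugin that went backwards."""
    downgrades = []
    for short, old in before.items():
        new = after.get(short, {}).get("Plugin-Version")
        if new is not None and version_key(new) < version_key(old):
            downgrades.append((short, old, new))
    return downgrades


def unsatisfied_dependencies(plugins: Dict[str, Dict[str, str]]
                             ) -> List[Tuple[str, str, str, Optional[str]]]:
    """(plugin, dependency, required, installed) where a mandatory dependency
    is missing or older than required. Plugin-Dependencies looks like
    'a:1.2,b:3.4;resolution:=optional'; optional entries are skipped."""
    problems = []
    for short, headers in plugins.items():
        for entry in filter(None, headers.get("Plugin-Dependencies", "").split(",")):
            spec, *flags = entry.strip().split(";")
            if any("optional" in f for f in flags):
                continue
            dep, _, required = spec.partition(":")
            installed = plugins.get(dep, {}).get("Plugin-Version")
            if installed is None or version_key(installed) < version_key(required):
                problems.append((short, dep, required, installed))
    return problems


def write_plugin(plugins_dir: str, short: str, version: str, deps: str = "") -> None:
    """Constructed fixture: a .jpi holding only a manifest, with lines longer
    than 70 characters wrapped onto continuation lines to exercise the parser."""
    headers = {"Short-Name": short, "Plugin-Version": version}
    if deps:
        headers["Plugin-Dependencies"] = deps
    lines: List[str] = []
    for key, value in headers.items():
        line = f"{key}: {value}"
        lines.append(line[:70])
        lines.extend(" " + line[i:i + 69] for i in range(70, len(line), 69))
    with zipfile.ZipFile(os.path.join(plugins_dir, short + ".jpi"), "w") as zf:
        zf.writestr(MANIFEST, "\r\n".join(lines) + "\r\n")


def demo() -> Dict[str, list]:
    """Replay the failure shape from the report with constructed fixtures:
    script-security is 1.30 before the core upgrade (assumed) and 1.18.1 after;
    the junit requirement (1.30) and workflow-support requirement (1.27) are
    the thresholds the report itself prints."""
    with tempfile.TemporaryDirectory() as d:
        write_plugin(d, "script-security", "1.30")
        write_plugin(d, "junit", "1.23", "script-security:1.30")
        write_plugin(d, "workflow-support", "2.16", "script-security:1.27")
        write_plugin(d, "workflow-cps", "2.42",  # optional junit dep is invented
                     "workflow-support:2.16,junit:1.23;resolution:=optional")
        before = snapshot(d)
        write_plugin(d, "script-security", "1.18.1")  # what the core upgrade did
        after = read_plugins(d)
        return {"downgrades": find_downgrades(before, after),
                "unsatisfied": unsatisfied_dependencies(after)}


if __name__ == "__main__":
    for key, rows in demo().items():
        print(key, rows)
```

      In practice you would run snapshot() against $JENKINS_HOME/plugins before swapping the WAR, persist the result, and run find_downgrades() plus unsatisfied_dependencies() after the first restart; a non-empty downgrade list for a plugin that also has published security warnings (as script-security 1.18.1 does above) is a stop-the-line condition, since the sandbox protections the newer version provides are gone until it is reinstalled.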

      Activity

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Devin Nusbaum
            Path:
            test/src/test/java/jenkins/install/LoadDetachedPluginsTest.java
            test/src/test/resources/jenkins/install/LoadDetachedPluginsTest/upgradeFromJenkins2WithDependency.zip
            http://jenkins-ci.org/commit/jenkins/5098524513883a48d07fd32d5a6f058d68adb8b8
            Log:
            Add failing test that reproduces JENKINS-48604

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            core/src/main/java/hudson/PluginManager.java
            test/src/test/java/jenkins/install/LoadDetachedPluginsTest.java
            test/src/test/resources/jenkins/install/LoadDetachedPluginsTest/upgradeFromJenkins2WithNewerDependency.zip
            test/src/test/resources/jenkins/install/LoadDetachedPluginsTest/upgradeFromJenkins2WithOlderDependency.zip
            http://jenkins-ci.org/commit/jenkins/1dc2c6d5ff666d60a0eb54125ce7694986d1025b
            Log:
            Merge pull request #3201 from dwnusbaum/JENKINS-48604

            JENKINS-48604 Do not downgrade plugins that are dependencies of detached plugins when upgrading Jenkins

            Compare: https://github.com/jenkinsci/jenkins/compare/c32b6d807a56...1dc2c6d5ff66

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            content/_data/changelogs/weekly.yml
            http://jenkins-ci.org/commit/jenkins.io/4fc87f8612e89f4414ee080873fd812112a117c0
            Log:
            JENKINS-48604 Add changelog for 2.97

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            content/_data/changelogs/weekly.yml
            http://jenkins-ci.org/commit/jenkins.io/bd829be205fa90522a4de3db0a95500972ff2be7
            Log:
            Merge pull request #1286 from daniel-beck/changelog-2.97

            JENKINS-48604 Add changelog for 2.97

            Compare: https://github.com/jenkins-infra/jenkins.io/compare/bb41a6e7635e...bd829be205fa

            danielbeck Daniel Beck added a comment -

            Resolved towards 2.97, which is currently being released.


              People

              • Assignee:
                dnusbaum Devin Nusbaum
                Reporter:
                danielbeck Daniel Beck
              • Votes: 3
                Watchers: 5