JENKINS-48604: Jenkins 2.96 downgrades script-security plugin on core update


      Description

      Report from IRC:

      A user upgraded from 2.95 to 2.96 and Jenkins presented them with:

       There are dependency errors loading some plugins:
      
          Static Analysis Utilities v1.93
              Maven Integration plugin v3.0 failed to load. Fix this plugin first.
          Pipeline v2.5
              Pipeline: Input Step v2.8 failed to load. Fix this plugin first.
          Pipeline: Stage View Plugin v2.9
              Pipeline: REST API Plugin v2.9 failed to load. Fix this plugin first.
          Pipeline: Build Step v2.6
              Pipeline: Supporting APIs v2.16 failed to load. Fix this plugin first.
          Pipeline: Declarative v1.2.5
              Pipeline: Shared Groovy Libraries v2.9 failed to load. Fix this plugin first.
          GitHub Branch Source Plugin v2.3.1
              GitHub plugin v1.28.1 failed to load. Fix this plugin first.
          Extra Columns Plugin v1.18
              JUnit Plugin v1.23 failed to load. Fix this plugin first.
          Dashboard View v2.9.11
              Maven Integration plugin v3.0 failed to load. Fix this plugin first.
          Pipeline: GitHub Groovy Libraries v1.0
              Pipeline: Shared Groovy Libraries v2.9 failed to load. Fix this plugin first.
          Matrix Project Plugin v1.12
              JUnit Plugin v1.23 failed to load. Fix this plugin first.
          Pipeline: Multibranch v2.16
              Pipeline: Groovy v2.42 failed to load. Fix this plugin first.
          Docker Pipeline v1.14
              Pipeline: Groovy v2.42 failed to load. Fix this plugin first.
          Jenkins Git plugin v3.6.4
              Matrix Project Plugin v1.12 failed to load. Fix this plugin first.
          Maven Integration plugin v3.0
              JUnit Plugin v1.23 failed to load. Fix this plugin first.
          Static Analysis Collector Plug-in v1.52
              Matrix Project Plugin v1.12 failed to load. Fix this plugin first.
          Pipeline: Nodes and Processes v2.17
              Pipeline: Supporting APIs v2.16 failed to load. Fix this plugin first.
          Plot plugin v2.0.0
              JUnit Plugin v1.23 failed to load. Fix this plugin first.
          Slack Notification Plugin v2.3
              JUnit Plugin v1.23 failed to load. Fix this plugin first.
          Checkstyle Plug-in v3.49
              Static Analysis Utilities v1.93 failed to load. Fix this plugin first.
          Pipeline: Job v2.16
              Pipeline: Supporting APIs v2.16 failed to load. Fix this plugin first.
          Groovy Postbuild v2.3.1
              Matrix Project Plugin v1.12 failed to load. Fix this plugin first.
          Pipeline: Declarative Extension Points API v1.2.5
              Pipeline: Groovy v2.42 failed to load. Fix this plugin first.
          JUnit Plugin v1.23
              Script Security Plugin v1.18.1 is older than required. To fix, install v1.30 or later.
          GitHub plugin v1.28.1
              Jenkins Git plugin v3.6.4 failed to load. Fix this plugin first.
          Jenkins TAP Plugin v2.1
              Matrix Project Plugin v1.12 failed to load. Fix this plugin first.
          Pipeline Graph Analysis Plugin v1.5
              Pipeline: Groovy v2.42 failed to load. Fix this plugin first.
          Jenkins SLOCCount Plug-in v1.22
              Pipeline: Groovy v2.42 failed to load. Fix this plugin first.
          Jenkins Violations plugin v0.7.11
              Maven Integration plugin v3.0 failed to load. Fix this plugin first.
          Pipeline: Shared Groovy Libraries v2.9
              Pipeline: Groovy v2.42 failed to load. Fix this plugin first.
          Pipeline: Groovy v2.42
              Pipeline: Supporting APIs v2.16 failed to load. Fix this plugin first.
          Pipeline: Supporting APIs v2.16
              Script Security Plugin v1.18.1 is older than required. To fix, install v1.27 or later.
          HTML Publisher plugin v1.14
              Matrix Project Plugin v1.12 failed to load. Fix this plugin first.
          GitHub Organization Folder Plugin v1.6
              Pipeline: Multibranch v2.16 failed to load. Fix this plugin first.
          Jenkins Clover PHP plugin v0.5
              Matrix Project Plugin v1.12 failed to load. Fix this plugin first.
          Pipeline: REST API Plugin v2.9
              Pipeline: Job v2.16 failed to load. Fix this plugin first.
          Jenkins Workspace Cleanup Plugin v0.34
              Pipeline: Nodes and Processes v2.17 failed to load. Fix this plugin first.
          Token Macro Plugin v2.3
              Pipeline: Job v2.16 failed to load. Fix this plugin first.
          Pipeline: Input Step v2.8
              Pipeline: Supporting APIs v2.16 failed to load. Fix this plugin first.
          Pipeline: Declarative Agent API v1.1.1
              Pipeline: Declarative Extension Points API v1.2.5 failed to load. Fix this plugin first.
          Lockable Resources plugin v2.1
              Matrix Project Plugin v1.12 failed to load. Fix this plugin first.
      
      Warnings have been published for the following currently installed components:
      
          Script Security Plugin 1.18.1:
              Unsafe entries in default whitelist
              Multiple sandbox bypasses
              Arbitrary file read vulnerability
              Groovy sandbox protection incomplete

      All errors can be traced to script-security 1.18.1, which, if that's the bundled version, points to the core upgrade downgrading the already installed plugin.
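      The tracing the description does by hand, as an added example (not part of the original report or of Jenkins itself): it parses a "dependency errors" listing, follows each "failed to load" chain to the outdated dependency behind it, and reports the highest minimum version any dependent asks for. The message patterns are taken from the listing above; the sample is a constructed excerpt and the function names are hypothetical.

```python
import re

# Constructed sample: a shortened excerpt in the format of the listing above.
SAMPLE = """\
Docker Pipeline v1.14
    Pipeline: Groovy v2.42 failed to load. Fix this plugin first.
Pipeline: Groovy v2.42
    Pipeline: Supporting APIs v2.16 failed to load. Fix this plugin first.
Pipeline: Supporting APIs v2.16
    Script Security Plugin v1.18.1 is older than required. To fix, install v1.27 or later.
JUnit Plugin v1.23
    Script Security Plugin v1.18.1 is older than required. To fix, install v1.30 or later.
"""

FAILED = re.compile(r"^(.+) v\S+ failed to load\. Fix this plugin first\.$")
TOO_OLD = re.compile(r"^(.+) v(\S+) is older than required\. To fix, install v(\S+) or later\.$")
HEADER = re.compile(r"^(.+) v\S+$")

def version_key(v):
    # Compare numerically, so that 1.9 < 1.18.1 < 1.27 (string order gets this wrong).
    return tuple(int(p) for p in re.findall(r"\d+", v))

def parse(text):
    """Return (blocked_by, outdated), both keyed by the plugin that failed."""
    blocked_by, outdated, current = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if m := TOO_OLD.match(line):
            outdated[current] = m.groups()  # (dependency, installed, minimum)
        elif m := FAILED.match(line):
            blocked_by[current] = m.group(1)
        elif m := HEADER.match(line):
            current = m.group(1)
    return blocked_by, outdated

def root_causes(text):
    """Map each outdated dependency to its versions and the plugins it blocks."""
    blocked_by, outdated = parse(text)
    causes = {}
    for plugin in set(blocked_by) | set(outdated):
        node, seen = plugin, set()
        while node in blocked_by and node not in seen:  # guard against cycles
            seen.add(node)
            node = blocked_by[node]
        if node not in outdated:
            continue  # chain ends at a plugin the listing does not explain
        name, installed, required = outdated[node]
        c = causes.setdefault(name, {"installed": installed, "required": required, "affected": set()})
        c["required"] = max(c["required"], required, key=version_key)
        c["affected"].add(plugin)
    return causes
```
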

            Activity

            danielbeck Daniel Beck created issue -
            danielbeck Daniel Beck made changes -
            Field Original Value New Value
            Labels regression
            dnusbaum Devin Nusbaum made changes -
            Assignee Devin Nusbaum [ dnusbaum ]
            dnusbaum Devin Nusbaum made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            dnusbaum Devin Nusbaum made changes -
            Link This issue relates to JENKINS-48365 [ JENKINS-48365 ]
            bbieling Bas Bieling made changes -
            Attachment jenkins.log [ 40722 ]
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            site/generate.sh
            http://jenkins-ci.org/commit/backend-update-center2/bfcd215213fdbdb8f6eb7ebda2d4dd389d76564d
            Log:
            JENKINS-48604 Attempt to blacklist 2.96

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            site/generate.sh
            http://jenkins-ci.org/commit/backend-update-center2/5e93cb3fb625ce20c10b649c2acbf16ccf797d1a
            Log:
            Merge pull request #176 from daniel-beck/restrict-2.96

            JENKINS-48604 Attempt to blacklist 2.96

            Compare: https://github.com/jenkins-infra/backend-update-center2/compare/df8538b0c823...5e93cb3fb625

            danielbeck Daniel Beck made changes -
            Link This issue is blocking JENKINS-48365 [ JENKINS-48365 ]
            danielbeck Daniel Beck made changes -
            Labels regression lts-candidate regression
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            content/_data/changelogs/weekly.yml
            http://jenkins-ci.org/commit/jenkins.io/6aa53520c8e1c17e03226cba0de9d589645a0954
            Log:
            JENKINS-48604 Add warning

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            content/_data/changelogs/weekly.yml
            http://jenkins-ci.org/commit/jenkins.io/9f1c409b8c2f099d6fac38b895f72b7ab8fc10a3
            Log:
            JENKINS-48604 More specific warning

            dnusbaum Devin Nusbaum made changes -
            Link This issue relates to JENKINS-48614 [ JENKINS-48614 ]
            dnusbaum Devin Nusbaum made changes -
            Link This issue relates to JENKINS-48615 [ JENKINS-48615 ]
            ebrandell Elliott Brandell added a comment - edited

            Probably not the official way to fix the issue, but I was able to resolve this by doing the following:

            • Downloaded the script located here for installing plugins: https://gist.github.com/ebrandell/f009bb1dc7462c95bd62d0beec929862
            • If the above doesn't work, you can also try the steps outlined here: https://github.com/jenkinsci/docker#preinstalling-plugins
            • From the home directory of my jenkins master server:
              chmod +x ./install_jenkins_plugin.sh

            • Grabbed the identifier and stopped the running docker container:
              docker ps
              docker stop <id>

            • Executed the following (your volume/mount might be located elsewhere...):
              ./install_jenkins_plugin.sh -d /home/ubuntu/jenkins/plugins/ script-security@latest

            • Started my docker master container again and the problem was resolved
            dnusbaum Devin Nusbaum made changes -
            Link This issue relates to JENKINS-48637 [ JENKINS-48637 ]
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Devin Nusbaum
            Path:
            test/src/test/java/jenkins/install/LoadDetachedPluginsTest.java
            test/src/test/resources/jenkins/install/LoadDetachedPluginsTest/upgradeFromJenkins2WithDependency.zip
            http://jenkins-ci.org/commit/jenkins/5098524513883a48d07fd32d5a6f058d68adb8b8
            Log:
            Add failing test that reproduces JENKINS-48604

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            core/src/main/java/hudson/PluginManager.java
            test/src/test/java/jenkins/install/LoadDetachedPluginsTest.java
            test/src/test/resources/jenkins/install/LoadDetachedPluginsTest/upgradeFromJenkins2WithNewerDependency.zip
            test/src/test/resources/jenkins/install/LoadDetachedPluginsTest/upgradeFromJenkins2WithOlderDependency.zip
            http://jenkins-ci.org/commit/jenkins/1dc2c6d5ff666d60a0eb54125ce7694986d1025b
            Log:
            Merge pull request #3201 from dwnusbaum/JENKINS-48604

            JENKINS-48604 Do not downgrade plugins that are dependencies of detached plugins when upgrading Jenkins

            Compare: https://github.com/jenkinsci/jenkins/compare/c32b6d807a56...1dc2c6d5ff66

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            content/_data/changelogs/weekly.yml
            http://jenkins-ci.org/commit/jenkins.io/4fc87f8612e89f4414ee080873fd812112a117c0
            Log:
            JENKINS-48604 Add changelog for 2.97

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            content/_data/changelogs/weekly.yml
            http://jenkins-ci.org/commit/jenkins.io/bd829be205fa90522a4de3db0a95500972ff2be7
            Log:
            Merge pull request #1286 from daniel-beck/changelog-2.97

            JENKINS-48604 Add changelog for 2.97

            Compare: https://github.com/jenkins-infra/jenkins.io/compare/bb41a6e7635e...bd829be205fa

            danielbeck Daniel Beck added a comment -

            Resolved towards 2.97, which is currently being released.

            danielbeck Daniel Beck made changes -
            Status In Progress [ 3 ] Resolved [ 5 ]
            Resolution Fixed [ 1 ]
            olivergondza Oliver Gondža made changes -
            Labels lts-candidate regression 2.89.3-fixed regression
            cloudbees CloudBees Inc. made changes -
            Remote Link This issue links to "CloudBees Internal OSS-2623 (Web Link)" [ 19742 ]
            andresrc Andres Rodriguez made changes -
            Link This issue relates to JENKINS-48899 [ JENKINS-48899 ]
            abayer Andrew Bayer made changes -
            Link This issue is duplicated by JENKINS-49390 [ JENKINS-49390 ]

              People

              • Assignee: dnusbaum Devin Nusbaum
              • Reporter: danielbeck Daniel Beck
              • Votes: 3
              • Watchers: 5