Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-59758

hudson.model.UpdateSite.Plugin:getWarnings() using incorrect plugin version, resulting in no warnings found

    Details

    • Similar Issues:

      Description

      I believe I've found a bug in the way that hudson.model.UpdateSite.Plugin collects the warnings that may exist for a given plugin, as can be seen in this Groovy code sample:

      Groovy Example
          import jenkins.model.*
          import jenkins.security.*
          import hudson.security.*
          import static groovy.json.JsonOutput.*
      
          def instance = Jenkins.getInstance()
          def manager = instance.getPluginManager()
          def center = instance.getUpdateCenter()
          manager.doCheckUpdatesServer()
      
          updates = center.getUpdates().collectEntries {
            ([ (it.getInstalled().getShortName()) :
              [
                'class': it.getClass().toString(),
                'version': it.version,
                'hasWarnings': it.hasWarnings(),
              ]
            ])
          }
          println prettyPrint(toJson(updates))
      

      When when run against my current setup, including at least one plugin with updates that ALSO has warnings, yields (pruned slightly, eliding some irrelevant plugins):

      output
          {
              "git-client": {
                  "class": "class hudson.model.UpdateSite$Plugin",
                  "version": "2.9.0",
                  "hasWarnings": false
              },
              "script-security": {
                  "class": "class hudson.model.UpdateSite$Plugin",
                  "version": "1.66",
                  "hasWarnings": false
              }
          }
      

      However, perusing the code of hudson.model.UpdateSite, I manually walked the (applicable) warnings a different way:

      Groovy Example (continued)
          def wc = ExtensionList.lookupSingleton(UpdateSiteWarningsConfiguration.class)
          warnings = wc.getApplicableWarnings().collectEntries {
            ([ (it.component): [
               'class': it.getClass().toString(),
                'message': (it.message),
                'version' : (wc.getPlugin(it).getVersion()),
                'ignored': (wc.isIgnored(it)),
                'isPluginWarning' : (it.isPluginWarning(it.component)),
                'isRelevant': (it.isRelevant()),
                'isRelevantToVersion' : (it.isRelevantToVersion(wc.getPlugin(it).getVersionNumber())),
              ]
            ])
          }
          println prettyPrint(toJson(warnings))
      

      Which yields (unpruned, as there is only one, currently):

      output (continued)
          {
              "script-security": {
                  "class": "class hudson.model.UpdateSite$Warning",
                  "message": "Sandbox bypass vulnerability",
                  "version": "1.64",
                  "ignored": false,
                  "isPluginWarning": true,
                  "isRelevant": true,
                  "isRelevantToVersion": true
              }
          }
      

      It seems to me the failure lies on line 1265 of UpdateSite.java, specifically:

      UpdateSite.java, line 1265:
          if (!warning.isRelevantToVersion(new VersionNumber(this.version))) {
      

      and more specifically the call to this.version. Perhaps the version field is getting populated incorrectly, but assuming that it should be the latest available version (e.g. script-security version 1.66), instead of the current version (1.64), that seems wrong, at least for the purpose of detecting if the warnings are relevant.

      Could the entire line be both fixed and simplified as well if replaced with:

      possible fix (and simplification)
          if (!warning.isRelevant()) {
      

      However, I leave that to someone more familiar with the code base than am I.

        Attachments

          Activity

          Hide
          danielbeck Daniel Beck added a comment - - edited

          Eric Engstrom

          Hi Eric, I'm the original author of this feature. There's a bunch of technical details in this report of you digging into the internals, but I do not understand what exactly the behavior is that you're seeing, and what you expect to see instead, and why. Could you provide these?

          Thanks!

          Show
          danielbeck Daniel Beck added a comment - - edited Eric Engstrom Hi Eric, I'm the original author of this feature. There's a bunch of technical details in this report of you digging into the internals, but I do not understand what exactly the behavior is that you're seeing, and what you expect to see instead, and why. Could you provide these? Thanks!
          Hide
          eengstrom Eric Engstrom added a comment - - edited

          Sorry - I thought the issue was more clear.

          Essentially if you attempt to get any issued warnings for an instance of hudson.model.UpdateSite$Plugin, you will ALWAYS get an empty list ([]). I believe this to be the case because the version check on line 1265 is checking against the latest version, not the installed version.

          My complex example code is only me trying to figure out why. If you happen to have an instance of Jenkins around with a plugin with a security warning, try the first block of groovy code.

          Is that helpful? If not, I'll try again.

          Show
          eengstrom Eric Engstrom added a comment - - edited Sorry - I thought the issue was more clear. Essentially if you attempt to get any issued warnings for an instance of hudson.model.UpdateSite$Plugin , you will ALWAYS get an empty list ( [] ). I believe this to be the case because the version check on line 1265 is checking against the latest version, not the installed version. My complex example code is only me trying to figure out why. If you happen to have an instance of Jenkins around with a plugin with a security warning, try the first block of groovy code. Is that helpful? If not, I'll try again.
          Hide
          danielbeck Daniel Beck added a comment -

          Well, UpdateSite.Plugin is the plugin as it is being distributed by the update site. For the plugins you mention, published issues are already fixed in the releases currently being distributed as latest version. Therefore, no warnings apply to those releases.

          The reason this API based on UpdateSite.Plugin exists will be apparent when you filter the "available plugins" lists by the string /security/ – there are many plugins being distributed with active security warnings, i.e. even if you're on the newest release, you're affected by a known public security issue. These are typically abandoned plugins.

          Show
          danielbeck Daniel Beck added a comment - Well, UpdateSite.Plugin is the plugin as it is being distributed by the update site. For the plugins you mention, published issues are already fixed in the releases currently being distributed as latest version. Therefore, no warnings apply to those releases. The reason this API based on  UpdateSite.Plugin exists will be apparent when you filter the "available plugins" lists by the string /security/ – there are many plugins being distributed with active security warnings, i.e. even if you're on the newest release, you're affected by a known public security issue. These are typically abandoned plugins.
          Hide
          danielbeck Daniel Beck added a comment -

          Works as designed.

          Show
          danielbeck Daniel Beck added a comment - Works as designed.

            People

            • Assignee:
              Unassigned
              Reporter:
              eengstrom Eric Engstrom
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: