Skip to content

Update plugins related to 2022-10-19 security advisory; add ionicons-api #1507

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jglick merged 7 commits into from
Oct 26, 2022
Merged

Update plugins related to 2022-10-19 security advisory; add ionicons-api #1507

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
0b47c1d
Add ionicons-api to BOM since workflow-cps requires it
dwnusbaum Oct 25, 2022
71139ef
Update plugins affected by SECURITY-2824
dwnusbaum Oct 25, 2022
e74c37b
Update plugins related to Pipeline input step vulnerabilities
dwnusbaum Oct 25, 2022
113b0f4
script-security must be frozen to a pre-SECURITY-2824 version on 2.33…
dwnusbaum Oct 25, 2022
1e8f8b6
Only depend on ionicons-api transitively in sample-plugin and modify …
dwnusbaum Oct 25, 2022
3845d2e
Lock pipeline-input-step to a pre-SECURITY-2880 version in 2.319.x fo…
dwnusbaum Oct 25, 2022
f2ca765
Merge branch 'master' into 2022-10-advisory
jglick Oct 25, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions bom-2.319.x/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,11 @@
<artifactId>metrics</artifactId>
<version>4.1.6.1-358.vf46b_95ea_d2b_3</version>
</dependency>
<dependency>
<groupId>org.jenkins-ci.plugins</groupId>
<artifactId>pipeline-input-step</artifactId>
<version>451.vf1a_a_4f405289</version>
</dependency>
<dependency>
<groupId>org.jenkins-ci.plugins</groupId>
<artifactId>saml</artifactId>
Expand Down
10 changes: 10 additions & 0 deletions bom-2.332.x/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,11 @@
<artifactId>jnr-posix-api</artifactId>
<version>3.1.7-3</version>
</dependency>
<dependency>
<groupId>io.jenkins.plugins</groupId>
<artifactId>pipeline-groovy-lib</artifactId>
<version>612.v84da_9c54906d</version>
</dependency>
<dependency>
<groupId>io.jenkins.plugins</groupId>
<artifactId>plugin-util-api</artifactId>
Expand Down Expand Up @@ -115,6 +120,11 @@
<artifactId>pipeline-stage-step</artifactId>
<version>293.v200037eefcd5</version>
</dependency>
<dependency>
<groupId>org.jenkins-ci.plugins</groupId>
<artifactId>script-security</artifactId>
<version>1183.v774b_0b_0a_a_451</version>
</dependency>
<dependency>
<groupId>org.jenkins-ci.plugins</groupId>
<artifactId>ssh-credentials</artifactId>
Expand Down
15 changes: 10 additions & 5 deletions bom-weekly/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,11 +21,11 @@
<scm-api-plugin.version>621.vda_a_b_055e58f7</scm-api-plugin.version>
<subversion-plugin.version>2.16.0</subversion-plugin.version>
<workflow-api-plugin.version>1200.v8005c684b_a_c6</workflow-api-plugin.version>
<workflow-cps-plugin.version>2759.v87459c4eea_ca_</workflow-cps-plugin.version>
<workflow-cps-plugin.version>2803.v1a_f77ffcc773</workflow-cps-plugin.version>
<workflow-job-plugin.version>1236.vc3a_d1602f439</workflow-job-plugin.version>
<workflow-multibranch-plugin.version>716.vc692a_e52371b_</workflow-multibranch-plugin.version>
<workflow-step-api-plugin.version>639.v6eca_cd8c04a_a_</workflow-step-api-plugin.version>
<workflow-support-plugin.version>838.va_3a_087b_4055b</workflow-support-plugin.version>
<workflow-support-plugin.version>839.v35e2736cfd5c</workflow-support-plugin.version>
</properties>
<dependencyManagement>
<dependencies>
Expand Down Expand Up @@ -138,6 +138,11 @@
<artifactId>gitlab-branch-source</artifactId>
<version>640.v7101b_1c0def9</version>
</dependency>
<dependency>
<groupId>io.jenkins.plugins</groupId>
<artifactId>ionicons-api</artifactId>
<version>31.v4757b_6987003</version>
</dependency>
<dependency>
<groupId>io.jenkins.plugins</groupId>
<artifactId>jakarta-activation-api</artifactId>
Expand Down Expand Up @@ -191,7 +196,7 @@
<dependency>
<groupId>io.jenkins.plugins</groupId>
<artifactId>pipeline-groovy-lib</artifactId>
<version>612.v84da_9c54906d</version>
<version>613.v9c41a_160233f</version>
</dependency>
<dependency>
<groupId>io.jenkins.plugins</groupId>
Expand Down Expand Up @@ -453,7 +458,7 @@
<dependency>
<groupId>org.jenkins-ci.plugins</groupId>
<artifactId>pipeline-input-step</artifactId>
<version>451.vf1a_a_4f405289</version>
<version>456.vd8a_957db_5b_e9</version>
</dependency>
<dependency>
<groupId>org.jenkins-ci.plugins</groupId>
Expand Down Expand Up @@ -499,7 +504,7 @@
<dependency>
<groupId>org.jenkins-ci.plugins</groupId>
<artifactId>script-security</artifactId>
<version>1183.v774b_0b_0a_a_451</version>
<version>1189.vb_a_b_7c8fd5fde</version>
</dependency>
<dependency>
<groupId>org.jenkins-ci.plugins</groupId>
Expand Down
3 changes: 2 additions & 1 deletion sample-plugin/check.groovy
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,8 @@ assert artifactMap['junit:junit'] == project.artifactMap['junit:junit']
def managedPluginDeps = managedDeps.collect {stripAllButGA(it)}.grep { ga ->
def art = artifactMap[ga]
if (art == null) {
if (ga.contains('.plugins')) { // TODO without an Artifact, we have no reliable way of checking whether it is actually a plugin
if (ga.contains('.plugins') // TODO without an Artifact, we have no reliable way of checking whether it is actually a plugin
&& !(ga == 'io.jenkins.plugins:ionicons-api' && settings.activeProfiles.any {it ==~ /^2[.](332|319)[.]x$/})) { // TODO: Remove once 2.332.x is no longer part of the BOM (or if MNG-5600 is fixed and we can exclude this dependency in the BOM for old LTS lines)
Copy link
Member

@jglick jglick Oct 25, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems fine for now. If we need to do this sort of thing regularly we should probably introduce a text file with a list of plugins limited to newer lines.

Copy link
Member

@jglick jglick Oct 25, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(And now I am curious whether we can do the same for example for instance-identity.)

Copy link
Member

@jglick jglick Oct 25, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

or simply

Suggested change
&& !(ga == 'io.jenkins.plugins:ionicons-api' && settings.activeProfiles.any {it ==~ /^2[.](332|319)[.]x$/})) { // TODO: Remove once 2.332.x is no longer part of the BOM (or if MNG-5600 is fixed and we can exclude this dependency in the BOM for old LTS lines)
&& ga != 'io.jenkins.plugins:ionicons-api') { // TODO: Remove once 2.332.x is no longer part of the BOM (or if MNG-5600 is fixed and we can exclude this dependency in the BOM for old LTS lines)

Copy link
Member Author

@dwnusbaum dwnusbaum Oct 25, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I added this defensively before I realized that there was a transitive dependency on ionicons-api because I wanted to make sure that we still verified its inclusion in sample on the recent LTS lines. If you are confident that it will be a long-term dependency of various plugins used by sample, then simplifying this check is probably fine.

Copy link
Member

@jglick jglick Oct 25, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

confident that it will be a long-term dependency

Not really, but at some point we will drop 2.332.x and be able to delete this exemption as well, so I just thought we could simplify a bit. OTOH the check as written here does textually mention the old line names, making it more likely to appear in a text search when dropping old lines.

throw new org.apache.maven.plugin.MojoFailureException("Managed plugin dependency $ga not listed in test classpath of sample plugin")
} else {
println "Do not see managed dependency $ga"
Expand Down