I was on Jenkins version 2.176 using the standalone war.
I then got security vulnerability alert for plugins here: https://jenkins.io/security/advisory/2020-03-09/
I then decided to update Jenkins so I downloaded and started Jenkins with the latest version: Jenkins ver. 2.224
I then updated all the plugins and restarted.
However, under monitors, I see two notifications.
The first notification says:
"You have data stored in an older format and/or unreadable data."
The second notification says:
"Warnings have been published for the following currently installed components."
- Build Pipeline Plugin 1.5.8: Stored XSS vulnerability
- Environment Injector Plugin 2.3.0: Exposure of sensitive build variables stored by EnvInject 1.90 and earlier
Under the plugin update tab I don't find any plugins listed for updates!
Can you please suggest how can I overcome both these issues?
There are no new versions of the vulnerable Plugins available as of today.
The XSS Vulnerability for the Build Pipeline Plugin is only exploitable on Jenkins releases older than 2.146 or 2.138.2
For the Environment Injector Plugin vulnerability, the Security Advisory 2018-02-26 says:

"To prevent the further exposure of sensitive build variables, we recommend that you take the following steps if you are affected by this:

1. Disable the visualization of Injected Environment variables in the global configuration. After this change the data will be accessible only to those who have access to raw build.xml files. This is a reversible action that can be applied immediately, and can be reverted once you've purged the data on disk (below).
2. Remove the sensitive data from disk by manually removing corresponding entries from injectedEnvVars.txt files, or deleting the injectedEnvVars.txt files in old build directories.
3. Rotate all secrets that have potentially been exposed."
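As an added example (not part of the answer above or of the EnvInject project), this script carries out the advisory's second step against a Jenkins home: it either scrubs named variables out of every injectedEnvVars.txt, or deletes the files for all but each job's newest builds. It assumes EnvInject writes one KEY=value per line to <JENKINS_HOME>/jobs/<job>/builds/<number>/injectedEnvVars.txt, with folders nesting further jobs/ directories; that layout is read off the advisory text and not verified here against the plugin source. The sample home it builds is constructed for the example.

```python
"""Added example, not from the original answer: carry out the advisory's second step
against a Jenkins home. Either scrub named variables out of EnvInject's
injectedEnvVars.txt files, or delete the files for all but the newest builds.

Assumptions: EnvInject writes one KEY=value per line to
<JENKINS_HOME>/jobs/<job>/builds/<number>/injectedEnvVars.txt (folders nest further
jobs/ directories underneath). That layout is taken from the advisory's wording, not
verified here against the plugin source. The sample home below is constructed.
"""
import os
import re
import tempfile
from pathlib import Path

ENV_FILE = "injectedEnvVars.txt"


def find_injected_env_files(jenkins_home):
    """Yield every injectedEnvVars.txt that sits directly in a build directory."""
    for root, _dirs, files in os.walk(jenkins_home):
        if ENV_FILE in files and Path(root).parent.name == "builds":
            yield Path(root) / ENV_FILE


def scrub_keys(path, keys):
    """Remove lines that set any of `keys` (exact variable name) from one file, in place.
    Other lines are kept byte-for-byte. Returns the number of lines removed."""
    if not keys:
        return 0
    pattern = re.compile("^(?:%s)=" % "|".join(re.escape(k) for k in keys))
    path = Path(path)
    lines = path.read_text(encoding="utf-8", errors="surrogateescape").splitlines(keepends=True)
    kept = [line for line in lines if not pattern.match(line)]
    if len(kept) != len(lines):
        path.write_text("".join(kept), encoding="utf-8", errors="surrogateescape")
    return len(lines) - len(kept)


def scrub_all(jenkins_home, keys):
    """Scrub `keys` from every build's env file. Returns {path: lines_removed} for files changed."""
    touched = {}
    for f in find_injected_env_files(jenkins_home):
        removed = scrub_keys(f, keys)
        if removed:
            touched[str(f)] = removed
    return touched


def purge_old(jenkins_home, keep_newest=0):
    """Delete the env file of every build except each job's `keep_newest` most recent ones.
    Builds are ordered by their numeric directory name. Returns the deleted paths."""
    by_job = {}
    for f in find_injected_env_files(jenkins_home):
        by_job.setdefault(f.parent.parent, []).append(f)
    deleted = []
    for builds in by_job.values():
        builds.sort(key=lambda p: int(p.parent.name) if p.parent.name.isdigit() else -1)
        for f in builds[: max(0, len(builds) - keep_newest)]:
            f.unlink()
            deleted.append(str(f))
    return deleted


def build_sample_home():
    """Constructed Jenkins home: two jobs, four builds, one file outside any build dir."""
    home = Path(tempfile.mkdtemp())
    sample = {
        "jobs/app/builds/1/injectedEnvVars.txt": "BUILD_NUMBER=1\nDB_PASSWORD=hunter2\nPATH=/usr/bin\n",
        "jobs/app/builds/2/injectedEnvVars.txt": "BUILD_NUMBER=2\nDB_PASSWORD=hunter2\nAPI_TOKEN=abc\n",
        "jobs/app/builds/10/injectedEnvVars.txt": "BUILD_NUMBER=10\nAPI_TOKEN=def\n",
        "jobs/team/jobs/lib/builds/7/injectedEnvVars.txt": "API_TOKEN=xyz\n",
        "jobs/app/injectedEnvVars.txt": "NOT_A_BUILD=1\n",   # not in a build dir; must be left alone
    }
    for rel, text in sample.items():
        p = home / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
    return home
```

Run scrub_all first with the names of the variables you know were secret, then purge_old once the builds' logs are no longer needed; both leave files outside build directories untouched. Neither step replaces the advisory's third one: whatever was in those files has to be rotated regardless.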
Related
For some reason I have to use Jenkins 2.32 and I need to install some plugins there. The machine has no internet access, so I can only install a plugin by uploading its file.
So, the problem is: is there an easy way to obtain the required plugin for the required Jenkins version with all of its dependencies?
p.s.
I can't update Jenkins - it's out of my power.
p.p.s.
The only way I found is to download old versions of the plugin, but that way I can't check the dependencies and the required Jenkins version before loading.
I had such an environment before.
Warning: it's an annoying process.
Because there was no internet, we uploaded all plugins manually, i.e. we looked at the plugin page (e.g. https://plugins.jenkins.io/git/) and then downloaded the .hpi file from the archive (e.g. https://updates.jenkins.io/download/plugins/git). As you have to use a relatively old version of Jenkins, you may want to check the plugin's changelog to see whether you have to use an older version of the plugin.
In addition, on each plugin page the dependencies are listed, and you have to repeat the above steps for each dependency.
The only good thing is that Jenkins usually gives you hints about which dependencies are missing after you have uploaded a plugin.
You can probably extract the information out of the plugin-versions.json in the Jenkins Update Center.
For more information about the layout of update center, see this document.
You may also find my previous response on jenkins failed to install plugins - docker image (with groovy scripts) helpful
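As an added example (not code from either answer above or from the Jenkins project), the script below does the dependency walk that both answers describe by hand: given a target core version and a plugin name, it picks the newest release of each plugin whose requiredCore the target can run, follows the required dependencies recursively, and returns the set of .hpi files to download plus an upload order that never installs a plugin before its dependencies. It assumes the plugin-versions.json layout used by the update center, {"plugins": {name: {version: {"requiredCore", "url", "dependencies": [{"name", "version", "optional"}]}}}}; the SAMPLE data and its URLs are constructed for the example.

```python
"""Added example, not from the original answers: compute the offline download set
for one plugin on a specific Jenkins core version from plugin-versions.json.

Assumed layout of plugin-versions.json (update center):
{"plugins": {name: {version: {"requiredCore": "...", "url": "...",
 "dependencies": [{"name": ..., "version": ..., "optional": bool}]}}}}.
SAMPLE below is constructed for this example; the URLs are not real.
"""
import json

SAMPLE = json.dumps({"plugins": {
    "git": {
        "2.6.5": {"requiredCore": "1.625.3", "url": "https://example.invalid/git/2.6.5/git.hpi",
                  "dependencies": [{"name": "git-client", "version": "2.1.0", "optional": False},
                                   {"name": "scm-api", "version": "1.3", "optional": False},
                                   {"name": "workflow-scm-step", "version": "1.14.2", "optional": True}]},
        "3.10.0": {"requiredCore": "2.60.3", "url": "https://example.invalid/git/3.10.0/git.hpi",
                   "dependencies": [{"name": "git-client", "version": "2.7.7", "optional": False},
                                    {"name": "scm-api", "version": "2.6.3", "optional": False}]},
    },
    "git-client": {
        "2.1.0": {"requiredCore": "1.625.3", "url": "https://example.invalid/git-client/2.1.0/git-client.hpi",
                  "dependencies": [{"name": "credentials", "version": "2.1.5", "optional": False}]},
        "2.7.7": {"requiredCore": "2.60.3", "url": "https://example.invalid/git-client/2.7.7/git-client.hpi",
                  "dependencies": [{"name": "credentials", "version": "2.1.18", "optional": False}]},
    },
    "scm-api": {
        "1.3": {"requiredCore": "1.580", "url": "https://example.invalid/scm-api/1.3/scm-api.hpi", "dependencies": []},
        "2.6.3": {"requiredCore": "2.60.3", "url": "https://example.invalid/scm-api/2.6.3/scm-api.hpi", "dependencies": []},
    },
    "credentials": {
        "2.1.5": {"requiredCore": "1.625.3", "url": "https://example.invalid/credentials/2.1.5/credentials.hpi", "dependencies": []},
        "2.1.18": {"requiredCore": "2.60.3", "url": "https://example.invalid/credentials/2.1.18/credentials.hpi", "dependencies": []},
    },
    "workflow-scm-step": {
        "1.14.2": {"requiredCore": "1.642.3", "url": "https://example.invalid/workflow-scm-step/1.14.2/workflow-scm-step.hpi",
                   "dependencies": []},
    },
}})


def version_key(v):
    """Sortable key for Jenkins-style versions ('1.625.3', '2.32', '1.0-beta-2').
    Numeric segments compare as integers; a qualifier makes a release sort after the bare version
    (approximate, good enough for requiredCore comparisons)."""
    return tuple((1, int(tok)) if tok.isdigit() else (0, tok) for tok in v.replace("-", ".").split("."))


def pick_version(plugins, name, core, minimum=None):
    """Newest release of `name` whose requiredCore <= core and version >= minimum, or None."""
    candidates = [ver for ver, meta in plugins.get(name, {}).items()
                  if version_key(meta["requiredCore"]) <= version_key(core)
                  and (minimum is None or version_key(ver) >= version_key(minimum))]
    return max(candidates, key=version_key) if candidates else None


def resolve(plugin_versions_json, name, core, include_optional=False):
    """Return {plugin: {"version", "url", "dependencies"}} for `name` and everything it needs
    on Jenkins `core`. Raises LookupError when some plugin has no release for that core."""
    plugins = json.loads(plugin_versions_json)["plugins"]
    resolved = {}
    queue = [(name, None)]
    while queue:
        dep, minimum = queue.pop()
        if dep in resolved and (minimum is None or version_key(resolved[dep]["version"]) >= version_key(minimum)):
            continue  # an already chosen release satisfies this constraint
        ver = pick_version(plugins, dep, core, minimum)
        if ver is None:
            raise LookupError(f"no release of {dep}{' >= ' + minimum if minimum else ''} runs on Jenkins {core}")
        meta = plugins[dep][ver]
        wanted = [d for d in meta.get("dependencies", []) if include_optional or not d.get("optional")]
        resolved[dep] = {"version": ver, "url": meta["url"], "dependencies": [d["name"] for d in wanted]}
        queue.extend((d["name"], d["version"]) for d in wanted)
    return resolved


def upload_order(resolved):
    """Dependencies first, so each manual upload finds what it needs already installed."""
    order = []

    def visit(plugin):
        if plugin in order:
            return
        for dep in resolved[plugin]["dependencies"]:
            if dep in resolved:
                visit(dep)
        order.append(plugin)

    for plugin in sorted(resolved):
        visit(plugin)
    return order
```

Point it at a downloaded plugin-versions.json (the real file is several megabytes, so fetch it once on a connected machine) and feed the URLs to your downloader; uploading in the returned order avoids the missing-dependency hints that the answer above mentions. Jenkins updates that raise a plugin's requiredCore show up as a LookupError rather than as a broken instance after upload.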
Last time I upgraded the Stash Pullrequest Builder Plugin to version 1.9, and after that any triggered build has an empty parameter list (parameter variables like ${pullRequestId} specified in the documentation are not available: https://github.com/jenkinsci/stash-pullrequest-builder-plugin/blob/master/README.md). Now I've tried version 1.10 and have the same issue. With version 1.8 everything works fine.
[Screenshots of the build parameter list with 1.8 and with 1.9 / 1.10 not included]
I am using Jenkins in version 2.180 and Git Plugin in version 3.10.0
Maybe some of you have experienced the same issue? I would appreciate any help.
Jenkins was changed in version 2.3 to disallow adding parameters to a build if they are not declared in the project configuration. The motivation was to prevent a security issue when a project controlled by an attacker invokes another project with arbitrary parameters. Since the parameters are seen as environment variables by the build scripts, the attacker could make the build load an untrusted library. Since it's possible for different projects to be controlled by different users and run with different privileges, such behavior would allow the attacker to exploit the permissions of a project he or she is not allowed to configure. The issue is known as SECURITY-170.
Stash Pull Request Builder was adding 10 parameters to the build to provide information about the pull request being built. Following the SECURITY-170 implementation, the plugin was changed in version 1.7.0 to pass those values as environment variables as well. Those environment variables are recorded in the build history. They can be viewed if the Build Environment Plugin is installed.
Starting with version 1.9, Stash Pull Request Builder plugin removed the old mechanism of passing pull request data through parameters, as it was causing a large number of warnings in the Jenkins log.
The plugin's README.md file has just been updated to use the term "environment variables" to avoid confusion.
If you really need parameters, you can define them for the project. Starting with the next version of the plugin (presumably 1.11), the configured parameters will be populated with the same values that are available through the environment variables.
I added the Marathon plugin to Jenkins through the Jenkins management Web UI. It showed up as a list of available plugins to install. I also downloaded the HPI and added the plugin manually. In both cases, the Marathon option doesn't show up in my pipeline config. I'm following the steps here: https://dcos.io/docs/1.7/usage/tutorials/jenkins/#building-a-docker-image-and-deploying-it-to-marathon
Use version mesosphere/jenkins:3.0.1-2.32.2 in combination with persisting your Jenkins data on NFS. Installation and updates of plugins works for me with this combination.
You should consider missing functionality in older versions of Jenkins in DC/OS as described in this thread: https://github.com/mesosphere/dcos-jenkins-service/issues/105
Do you use a NFS share to persist your Jenkins data? In my experience you can not use DC/OS Jenkins properly without persisting Jenkins' data.
I have a large fleet of Jenkins instances running in a cluster, all having the LDAP plugin version 1.6 (Jenkins version 1.611). I want to fleet-upgrade the LDAP plugin version to 1.7 (to incorporate environment variables in my plugin configuration). How do I achieve this without manually uploading 1.7 version through UI for each Jenkins instance?
I tried writing a script which basically performs these operations for each Jenkins instance:
1. Replace the existing .jpi/.hpi file for the ldap plugin in $JENKINS_HOME/plugins with the correct .hpi file (of the 1.7 version)
2. Edit config.xml under $JENKINS_HOME, which has the version number
3. Safe restart Jenkins
It works fine till step 2, but as soon as I perform a safe restart, Jenkins magically puts the original .jpi/.hpi file (the 1.6 version) back inside $JENKINS_HOME/plugins. The Jenkins instance has the 1.6 plugin version again in the UI. Is there a better way to perform fleet plugin upgrades in general? I want to mention that I want the 1.7 plugin version, not the latest.
How do I fix this? I even tried using curl (mentioned at https://stackoverflow.com/a/20848745/1746529) but didn't help.
Got a working answer on Google groups.
"As you are on 1.x create an empty ldap.jpi.pinned file as a sibling and that marker will instruct Jenkins not to replace with the bundled plugin."
Came across the documentation for it as well - https://wiki.jenkins-ci.org/display/JENKINS/Pinned+Plugins
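As an added example (not code from the answer above or from the Jenkins project), this is the per-instance step of such a fleet upgrade as a script: it verifies the archive really is the wanted release by reading Plugin-Version from its manifest, replaces plugins/<name>.jpi, removes the stale exploded directory, and creates the empty .jpi.pinned marker that the Pinned Plugins page describes. It assumes the Jenkins 1.x plugin layout (<name>.jpi beside an exploded <name>/ directory under $JENKINS_HOME/plugins) and that the marker is honoured by 1.x only, as the quoted answer says; the sample home and plugin archives it builds are constructed for the example, and the safe restart is left to the caller because it needs a live instance.

```python
"""Added example, not from the original answer: stage one specific plugin release
into a Jenkins 1.x home and pin it, so a restart does not put the bundled copy back.

Assumptions: Jenkins 1.x keeps plugins as <JENKINS_HOME>/plugins/<name>.jpi plus an
exploded <name>/ directory, and honours an empty <name>.jpi.pinned marker as described
on the Pinned Plugins wiki page (1.x only). Plugin archives are zip files whose
META-INF/MANIFEST.MF carries a Plugin-Version header. Restarting is left to the caller.
"""
import shutil
import tempfile
import zipfile
from pathlib import Path


def plugin_version(archive):
    """Return the Plugin-Version header from an .hpi/.jpi archive's manifest."""
    with zipfile.ZipFile(archive) as z:
        manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8")
    for line in manifest.splitlines():
        if line.startswith("Plugin-Version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError(f"{archive}: manifest has no Plugin-Version header")


def install_pinned(jenkins_home, name, archive, expected_version=None):
    """Replace plugins/<name>.jpi with `archive`, remove the stale exploded directory,
    and create the .pinned marker. Returns the version that was staged.
    Refuses to stage anything other than `expected_version` when one is given."""
    version = plugin_version(archive)
    if expected_version is not None and version != expected_version:
        raise ValueError(f"{archive} is {name} {version}, expected {expected_version}")
    plugins = Path(jenkins_home) / "plugins"
    plugins.mkdir(parents=True, exist_ok=True)
    for stale in (plugins / f"{name}.hpi", plugins / f"{name}.jpi"):
        if stale.exists():
            stale.unlink()          # either extension may be present on disk
    exploded = plugins / name
    if exploded.is_dir():
        shutil.rmtree(exploded)     # make Jenkins re-explode the new archive on start
    shutil.copyfile(archive, plugins / f"{name}.jpi")
    (plugins / f"{name}.jpi.pinned").touch()   # marker: keep this file over the bundled copy
    return version


def make_sample_plugin(path, short_name, version):
    """Write a minimal, constructed plugin archive (manifest only) for the example."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   f"Manifest-Version: 1.0\nShort-Name: {short_name}\nPlugin-Version: {version}\n")
    return path


def build_sample_home():
    """Constructed Jenkins home with the bundled ldap 1.6 installed and already exploded."""
    home = Path(tempfile.mkdtemp())
    plugins = home / "plugins"
    (plugins / "ldap" / "WEB-INF").mkdir(parents=True)
    make_sample_plugin(plugins / "ldap.jpi", "ldap", "1.6")
    return home


if __name__ == "__main__":
    home = build_sample_home()
    new_hpi = make_sample_plugin(home / "ldap-1.7.hpi", "ldap", "1.7")
    print(install_pinned(home, "ldap", new_hpi, expected_version="1.7"))
```

For a fleet, run this on each host (over SSH or your configuration management tool) with the same ldap-1.7.hpi, then trigger the safe restart; the expected_version check is what stops a mixed fleet when one host was handed the wrong file.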
I've set up Jenkins as a service on my Windows 7 developer PC in order to provide rational arguments to why we should use Jenkins and not Bamboo in the company.
I've installed the 'Analysis Collector Plugin': https://wiki.jenkins-ci.org/display/JENKINS/Analysis+Collector+Plugin, but Jenkins ignores my configuration of the trend graph:
After I save the config, it still displays the default graph with the default settings:
I know the graph settings are stored as cookies, which is why I use the URL http://127.0.0.1:8080 instead of http://localhost:8080, but still I can't get it to display the right graph.
Jenkins v1.538
Static Analysis Collector Plug-in v1.38
This issue has since been resolved in later versions of the Static Analysis Plugin. Please download and install the latest version, 1.51, and upon restart the issue should be resolved.
There is an interdependency of this plugin with the Static Code Analysis Plugin, so you will need to update that plugin to the latest version as well.
Lastly, and most importantly, you will need to (and should anyway) update Jenkins from version 1.538 to a more recent version to remain compatible with the newest version of the Analysis Collector Plugin. For this reason (as well as many others), I highly recommend the latest version of Jenkins as well, which at the time of writing is 2.63.