I've set up Jenkins as a service on my Windows 7 developer PC in order to provide rational arguments for why we should use Jenkins and not Bamboo in the company.
I've installed the 'Analysis Collector Plugin': https://wiki.jenkins-ci.org/display/JENKINS/Analysis+Collector+Plugin, but Jenkins ignores my configuration of the trend graph:
After I save the config, it still displays the default graph with the default settings:
I know the graph settings are stored as cookies, which is why I use the URL http://127.0.0.1:8080 instead of http://localhost:8080, but still I can't get it to display the right graph.
Jenkins v1.538
Static Analysis Collector Plug-in v1.38
This issue has since been resolved in later versions of the Static Analysis Plugin. Please download and install the latest version 1.51 and upon restart the issue should be resolved.
There is an interdependency of this plugin with the Static Code Analysis Plugin, so you will need to update that plugin to the latest version as well.
Lastly, and most importantly, you will need to (and should anyway) update Jenkins from version 1.538 to a more recent version to remain compatible with the newest version of the Analysis Collector Plugin. For this reason (as well as many others), I highly recommend the latest version of Jenkins as well, which at the time of writing this is 2.63.
Related
I was working on Jenkins and it was working fine, but I don't know what happened: Jenkins shows the following errors and no jobs are visible to me after that:
I am new to Jenkins; please help me solve this.
As I understand the problem, it could have happened because of downgrading the Jenkins version or updating the plugin "Pipeline: Node and Processes".
You need to restore the previous Jenkins version or downgrade the plugin.
Additionally, you can configure Jenkins to get plugin versions which fit your Jenkins version in "Manage Jenkins" -> "Manage plugins" -> "Advanced" -> "Update site" and set the version you are currently using (for example https://updates.jenkins.io/stable-2.176/update-center.json).
Jenkins plugins are dependent on the Jenkins LTS version in use. The best way is to take the latest (but stable) version of the plugins when installing Jenkins.
Since you are using the 1.176 version and trying to upgrade the plugins, the latest plugins do not support the older version of Jenkins (since Jenkins follows parallel incremental development).
You can resolve the problem in 2 ways.
1. Downgrade the plugins and keep the LTS Jenkins version as it is. (not preferred solution since you will not be able to use latest functionality of the plugins and using old plugins is not secured).
Downgrade of plugins will also be suggested by Manage Jenkins --> Manage Plugins --> Installed
2. Upgrade Jenkins version (LTS 2.24x.x)
It is a time-consuming option, but if you are heavily using Jenkins for your work it is more advisable to upgrade the version. Besides, new plugins have more secure and vast functionality.
You can check the Changelog and decide which version is good for you.
Refer to the Upgrading Jenkins link.
To understand plugins and Jenkins LTS version dependency, use the Jenkins wiki (Confluence page).
E.g. the Pipeline: Node and Processes plugin wiki indicates that for version 2.29 you need to have Jenkins version 1.150.1 or higher.
Note: The latest Jenkins version supports HTTPS instead of HTTP URLs for advanced proxy options under Manage Jenkins.
I was on Jenkins version 2.176 using the standalone war.
I then got security vulnerability alert for plugins here: https://jenkins.io/security/advisory/2020-03-09/
I then decided to update Jenkins so I downloaded and started Jenkins with the latest version: Jenkins ver. 2.224
I then updated all the plugins and restarted.
However, under monitors, I see two notifications.
The first notification says:
"You have data stored in an older format and/or unreadable data."
The second notification says:
"Warnings have been published for the following currently installed components."
Build Pipeline Plugin 1.5.8: Stored XSS vulnerability
Environment Injector Plugin 2.3.0: Exposure of sensitive build variables stored by EnvInject 1.90 and earlier
Under the plugin update tab I don't find any plugins listed for updates!
Can you please suggest how I can overcome both these issues?
There are no new versions of the vulnerable Plugins available as of today.
The XSS Vulnerability for the Build Pipeline Plugin is only exploitable on Jenkins releases older than 2.146 or 2.138.2
For the Environment Injector Plugin Vulnerability:
To prevent the further exposure of sensitive build variables, we recommend that you take the following steps if you are affected by this:
1. Disable the visualization of Injected Environment variables in the global configuration. After this change the data will be accessible only to those ones who have access to raw build.xml files. This is a reversible action that can be applied immediately, and can be reverted once you’ve purged the data on disk (below).
2. Remove the sensitive data from disk by manually removing corresponding entries from injectedEnvVars.txt files, or deleting the injectedEnvVars.txt files in old build directories.
3. Rotate all secrets that have potentially been exposed
from the Security Advisory 2018-02-26
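The "remove the sensitive data from disk" step quoted above, as an added example that is not part of the original answer or of the advisory: a POSIX shell helper that lists injectedEnvVars.txt files, flags secret-looking keys without printing their values, and deletes the files only when DRY_RUN=0. The directory layout ($JENKINS_HOME/jobs/<job>/builds/<number>/), the KEY=value line format, the key pattern and all function names are assumptions, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example. Assumes builds live in $JENKINS_HOME/jobs/<job>/builds/<n>/
# and that injectedEnvVars.txt holds one KEY=value entry per line.

# List every injectedEnvVars.txt below a Jenkins home, one path per line.
find_injected_files() {
    find "$1/jobs" -type f -name 'injectedEnvVars.txt' 2>/dev/null | sort
}

# Print "path<TAB>KEY" for keys that look like secrets; values are never printed.
# The default key pattern is illustrative; pass your own as the second argument.
flag_sensitive_keys() (
    pattern=${2:-'PASS|SECRET|TOKEN|KEY|CREDENTIAL'}
    find_injected_files "$1" | while IFS= read -r f; do
        awk -F= -v f="$f" -v p="$pattern" \
            'toupper($1) ~ p { printf "%s\t%s\n", f, $1 }' "$f"
    done
)

# Delete the files and print how many were handled.
# DRY_RUN defaults to 1, which only reports what would be removed.
purge_injected_files() (
    find_injected_files "$1" | {
        n=0
        while IFS= read -r f; do
            if [ "${DRY_RUN:-1}" = 1 ]; then
                echo "would remove: $f" >&2
            else
                rm -f -- "$f"
            fi
            n=$((n + 1))
        done
        echo "$n"
    }
)

# Constructed sample tree for trying the functions offline; prints its path.
make_sample_home() (
    home=$(mktemp -d)
    b1="$home/jobs/deploy app/builds/7"; b2="$home/jobs/lib/builds/12"
    mkdir -p "$b1" "$b2"
    printf 'BUILD_ID=7\nDB_PASSWORD=constructed-value\n' > "$b1/injectedEnvVars.txt"
    printf 'API_TOKEN=constructed-value\nJOB_NAME=lib\n' > "$b2/injectedEnvVars.txt"
    : > "$b1/build.xml"
    echo "$home"
)

# Usage: sh this-script /path/to/jenkins_home   (report only)
if [ "$#" -ge 1 ]; then flag_sensitive_keys "$1"; fi
```

The flagged keys also tell you which secrets fall under the advisory's final step, rotation.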
Last time I've upgraded Stash Pullrequest Builder Plugin to version 1.9 and after that any triggered build has empty parameter list (parameter variables like ${pullRequestId} specified in documentation are not available: https://github.com/jenkinsci/stash-pullrequest-builder-plugin/blob/master/README.md). Now I've tried version 1.10 and have the same issue. With version 1.8 everything is working fine.
1.8:
1.9 / 1.10:
I am using Jenkins in version 2.180 and Git Plugin in version 3.10.0
Maybe some of you experienced the same issue? I would appreciate any help.
Jenkins was changed in version 2.3 to disallow adding parameters to a build if they are not declared in the project configuration. The motivation was to prevent a security issue when a project controlled by an attacker invokes another project with arbitrary parameters. Since the parameters are seen as environment variables by the build scripts, the attacker could make the build load an untrusted library. Since it's possible for different projects to be controlled by different users and run with different privileges, such behavior would allow the attacker to exploit permissions of a project he or she is not allowed to configure. The issue is known as SECURITY-170.
Stash Pull Request Builder was adding 10 parameters to the build to provide information about the pull request being built. Following the SECURITY-170 implementation, the plugin was changed in version 1.7.0 to pass those values as environment variables as well. Those environment variables are recorded to the build history. They can be viewed if Build Environment Plugin is installed.
Starting with version 1.9, Stash Pull Request Builder plugin removed the old mechanism of passing pull request data through parameters, as it was causing a large number of warnings in the Jenkins log.
The plugin's README.md file has just been updated to use the term "environment variables" to avoid confusion.
If you really need parameters, you can define them for the project. Starting with the next version of the plugin (presumably 1.11), the configured parameters will be populated with the same values that are available through the environment variables.
When upgrading Jenkins via a replacement WAR file, when we go into Jenkins everything shows correctly as the new updated version. However, the Windows Control Panel "Programs & Features" still shows the original version which was fully installed.
Is there a way this can be updated (registry)? I'm concerned that future scans of our system for old software will still flag this up.
This has turned out to not be an issue as the health checking software does not look at this.
I have a large fleet of Jenkins instances running in a cluster, all having the LDAP plugin version 1.6 (Jenkins version 1.611). I want to fleet-upgrade the LDAP plugin version to 1.7 (to incorporate environment variables in my plugin configuration). How do I achieve this without manually uploading 1.7 version through UI for each Jenkins instance?
I tried writing a script which basically performs these operations for each Jenkins instance:
Replace the existing .jpi/.hpi file in $JENKINS_HOME/plugins for ldap plugin with the correct .hpi file (of the 1.7 version)
Edit config.xml under $JENKINS_HOME which has the version number
Safe restart Jenkins
It works fine till step 2, but as soon as I perform a safe restart, Jenkins magically puts the original .jpi/.hpi file (the 1.6 version file) back inside $JENKINS_HOME/plugins. The Jenkins instance has the 1.6 plugin version again in the UI. Is there a better way to perform fleet plugin upgrades in general? I want to mention that I want the 1.7 plugin version, not the latest.
How do I fix this? I even tried using curl (mentioned at https://stackoverflow.com/a/20848745/1746529) but didn't help.
Got a working answer on Google groups.
"As you are on 1.x create an empty ldap.jpi.pinned file as a sibling and that marker will instruct Jenkins not to replace with the bundled plugin."
Came across the documentation for it as well - https://wiki.jenkins-ci.org/display/JENKINS/Pinned+Plugins
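The pinned-marker approach from the answer above, as an added example that is not part of the original post: a POSIX shell helper that verifies a plugin archive against an expected SHA-256, replaces the existing .hpi/.jpi, and creates the `<name>.jpi.pinned` sibling. The function names, the checksum step, the use of `sha256sum`, and the assumption that each Jenkins home is reachable as a local path are additions; the safe restart is still done separately.

```shell
#!/bin/sh
# Added example. Installs one plugin archive into one Jenkins home and pins it.
# Args: <jenkins_home> <plugin_short_name> <archive.hpi> <expected_sha256>
# The expected checksum is assumed to come from a source you trust.
install_pinned_plugin() (
    home=$1 name=$2 archive=$3 want=$4
    plugins="$home/plugins"
    [ -d "$plugins" ] || { echo "no plugins dir in $home" >&2; exit 2; }

    # Refuse to distribute an archive that is not the one that was reviewed.
    got=$(sha256sum "$archive" | cut -d' ' -f1)
    [ "$got" = "$want" ] || { echo "checksum mismatch: $archive" >&2; exit 3; }

    # Replace whichever extension is present, then install as <name>.jpi.
    rm -f "$plugins/$name.hpi" "$plugins/$name.jpi"
    cp "$archive" "$plugins/$name.jpi"

    # Empty marker file: tells Jenkins 1.x not to restore the bundled plugin.
    : > "$plugins/$name.jpi.pinned"
)

# Apply the same archive to every Jenkins home listed on stdin (one per line).
# Prints "FAILED <home>" for each home that could not be updated and returns
# non-zero if any failed. Restart each instance afterwards.
pin_fleet() (
    name=$1 archive=$2 want=$3 failed=0
    while IFS= read -r home; do
        install_pinned_plugin "$home" "$name" "$archive" "$want" || {
            echo "FAILED $home"
            failed=$((failed + 1))
        }
    done
    [ "$failed" -eq 0 ]
)

# Usage (paths and checksum are placeholders):
#   pin_fleet ldap /tmp/ldap-1.7.hpi <sha256> < jenkins_homes.txt
```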