
Misleading banner on Jenkins plugin page?

Open noelslice opened this issue 4 years ago • 6 comments

[Screenshot from 2020-12-14 11-30-23]

This is no longer an issue since version 1.40.0? Should that red banner be updated so it doesn't say the current version is affected?

Since 1.40.0, the plugin no longer stores serialized objects containing the credential on disk.

noelslice avatar Dec 14 '20 16:12 noelslice

The banner is still accurate because, while new builds made with version >= 1.40.0 are not affected by the vulnerability, any builds started with earlier versions stay at risk. See https://www.jenkins.io/security/advisory/2018-03-26/#SECURITY-261 and https://github.com/jenkins-infra/update-center2/blob/master/resources/warnings.json#L1820

This banner can't go away until a newer version of the plugin actually implements a cleanup task that will execute something similar to https://github.com/jenkinsci-cert/SECURITY-261 at startup.

mbarbero avatar Jan 22 '21 13:01 mbarbero

Interesting. Thanks for clarifying. This makes sense.

noelslice avatar Jan 22 '21 14:01 noelslice

while new builds made with version >= 1.40.0 are not affected by the vulnerability, any builds started with earlier versions stay at risk

I think this has to be clarified in the banner, because the current wording strongly discourages new users from installing and using this plugin.

okainov avatar Feb 11 '21 10:02 okainov

while new builds made with version >= 1.40.0 are not affected by the vulnerability, any builds started with earlier versions stay at risk

I think this has to be clarified in the banner, because the current wording strongly discourages new users from installing and using this plugin.

Agreed. Unfortunately, I think the banner and the message are generated automatically as long as the current version matches the pattern https://github.com/jenkins-infra/update-center2/blob/master/resources/warnings.json#L1820

mbarbero avatar Feb 11 '21 13:02 mbarbero
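The comment above describes the mechanism behind the banner: the update center shows a warning whenever the installed plugin version matches a version pattern in warnings.json, and a version check alone cannot express "old build records on disk are still affected". The following is an added example, not code from the ghprb plugin, update-center2 or any of the commenters. It models that matching with a constructed warning entry in the shape of a warnings.json record; the regex pattern, the message text and the list of per-build plugin versions are assumptions made for illustration, and the real entry is the one linked above.

```python
"""Added example: how a version-pattern warning decides whether a banner is shown,
and why that check says nothing about build records created under older versions.

Not code from ghprb or update-center2; the entry below is constructed.
"""
import re

# Constructed warning entry, in the shape of a warnings.json record.
# The pattern is an assumption: it flags 1.0 through 1.39.x, i.e. releases
# before 1.40.0, which the issue names as the first version that stopped
# writing credentials into serialized build records.
WARNING_ENTRY = {
    "id": "SECURITY-261",
    "type": "plugin",
    "name": "ghprb",
    "message": "Credentials stored in build records (constructed message text)",
    "url": "https://www.jenkins.io/security/advisory/2018-03-26/#SECURITY-261",
    "versions": [
        {"pattern": r"^1\.([0-9]|[1-3][0-9])(\..*)?$"},
    ],
}


def version_warnings(plugin_name, installed_version, warnings):
    """Return the ids of plugin warnings whose version pattern matches the
    installed version string. Patterns are anchored, so re.match is enough.
    This is what drives the banner: the installed version and nothing else."""
    matched = []
    for warning in warnings:
        if warning["type"] != "plugin" or warning["name"] != plugin_name:
            continue
        if any(re.match(v["pattern"], installed_version) for v in warning["versions"]):
            matched.append(warning["id"])
    return matched


def residual_risk(installed_version, build_plugin_versions, warnings):
    """Return warning ids that still apply to data at rest: a warning counts
    if ANY existing build record was produced by a matching plugin version,
    even when the currently installed version is clean.

    `build_plugin_versions` is an assumed input: the plugin version that wrote
    each surviving build record. How you obtain it depends on the installation;
    the point is that the installed version alone does not answer the question."""
    at_risk = set()
    for produced_by in build_plugin_versions:
        at_risk.update(version_warnings("ghprb", produced_by, warnings))
    # Warnings for the installed version itself are covered by the banner already;
    # this function reports what remains once the upgrade has happened.
    return sorted(w for w in at_risk
                  if w not in version_warnings("ghprb", installed_version, warnings))


if __name__ == "__main__":
    print("banner for 1.39.0:", version_warnings("ghprb", "1.39.0", [WARNING_ENTRY]))
    print("banner for 1.42.2:", version_warnings("ghprb", "1.42.2", [WARNING_ENTRY]))
    # Upgraded instance that still holds a build written by 1.38.0 (constructed).
    print("residual risk:", residual_risk("1.42.2", ["1.38.0", "1.42.2"], [WARNING_ENTRY]))
```

With a pattern like this, 1.39.0 triggers the banner and 1.42.2 does not, which is exactly the situation noelslice describes; `residual_risk` shows the gap mbarbero points out: an instance already on 1.42.2 still carries the SECURITY-261 exposure for as long as a build record written by a pre-1.40.0 release survives on disk, and no version-pattern check will surface that.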

Seconding @okainov. It took some convincing of folks on my end that the plugin was actually safe to use and no longer was affected by the issue.

noelslice avatar Feb 12 '21 17:02 noelslice

Came across this issue and filed https://github.com/jenkins-infra/update-center2/pull/486

If the content the Jenkins security team puts out is misleading, confusing, or even outright wrong, please let us know! We try our best to provide accurate information, but sometimes we get it wrong, or what was a reasonable workaround to a limitation we encountered at the time isn't anymore, years later.

daniel-beck avatar Feb 25 '21 07:02 daniel-beck