
Possible CVE fixes by Jenkins core upgrade

Open jordarlu opened this issue 1 year ago • 6 comments

Is your feature request related to a problem? Please describe

This is a consolidated issue to aggregate all CVEs that could be resolved by the next Jenkins core upgrade. The list could be updated accordingly...

  • https://github.com/opensearch-project/opensearch-build/issues/3338 - spring-expression-5.3.24.jar
  • https://github.com/opensearch-project/opensearch-build/issues/3396 - spring-expression-5.3.24.jar
  • https://github.com/opensearch-project/opensearch-build/issues/3672 - jenkins-core-2.387.1.jar
  • https://github.com/opensearch-project/opensearch-build/issues/3673 - guava-31.1-jre.jar
  • https://github.com/opensearch-project/opensearch-build/issues/3832 - jenkins-core-2.387.1.jar
  • https://github.com/opensearch-project/opensearch-build/issues/4082 - jenkins-core-2.387.1.jar
  • https://github.com/opensearch-project/opensearch-build/issues/4081 - jenkins-core-2.387.1.jar
  • https://github.com/opensearch-project/opensearch-build/issues/4080 - jenkins-core-2.387.1.jar
  • https://github.com/opensearch-project/opensearch-build/issues/4078 - jenkins-core-2.387.1.jar
  • https://github.com/opensearch-project/opensearch-build/issues/4077 - jenkins-core-2.387.1.jar
  • https://github.com/opensearch-project/opensearch-build/issues/4406 - jenkins-core-2.387.1.jar
  • https://github.com/opensearch-project/opensearch-build/issues/4404 - jenkins-core-2.387.1.jar
  • https://github.com/opensearch-project/opensearch-build/issues/4589 - jenkins-core-2.387.1.jar
  • https://github.com/opensearch-project/opensearch-build/issues/4630 - jenkins-core-2.387.1.jar

Describe the solution you'd like

Next Jenkins core upgrade https://www.jenkins.io/changelog/

Determine the breaking changes with respect to Jenkins as well as all its plugins in use. See https://github.com/opensearch-project/opensearch-ci/issues/333 for details on the upgrade cycle.

Describe alternatives you've considered

No response

Acceptance Criteria

  • Jenkins should retain all previous data
  • Jenkins should be upgraded to a newer version
  • Upgrade Jenkins core version in all build.gradle files to resolve the CVEs
  • Track new CVEs related to new upgraded version

jordarlu avatar Jul 12 '23 17:07 jordarlu
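The acceptance criterion "upgrade Jenkins core version in all build.gradle files" is easy to verify mechanically once a target version is chosen. The script below is an added example for this thread, not code from the opensearch-build or opensearch-ci repositories. It assumes (labelled in the comments) that each build.gradle pins Jenkins core either as the Maven coordinate `org.jenkins-ci.main:jenkins-core:<version>` or through the gradle-jpi plugin's `jenkinsVersion = '<version>'` setting; the `TARGET_VERSION` value is a placeholder to be replaced with whatever version the upgrade lands on, and the sample build files it scans are constructed inline.

```python
"""Audit build.gradle files for a Jenkins core pin older than the target.

Added example for the issue thread above; not project code. Assumptions:
  * jenkins-core is pinned as 'org.jenkins-ci.main:jenkins-core:<ver>' or via
    the gradle-jpi plugin setting jenkinsVersion = '<ver>'
  * TARGET_VERSION is a placeholder, not a version named in the issue
"""
import re
import tempfile
from pathlib import Path

# Version the issue lists as carrying the open CVEs (from the thread).
AFFECTED_VERSION = "2.387.1"
# Placeholder: substitute the Jenkins core version chosen for the upgrade.
TARGET_VERSION = "2.400.0"

# The two common pin styles (assumption, see module docstring).
PATTERNS = [
    re.compile(r"org\.jenkins-ci\.main:jenkins-core:([0-9][0-9.]*)"),
    re.compile(r"jenkinsVersion\s*=\s*['\"]([0-9][0-9.]*)['\"]"),
]

# Constructed sample build files: one still on the affected pin, one bumped.
SAMPLE_OLD = (
    "dependencies {\n"
    f'    implementation "org.jenkins-ci.main:jenkins-core:{AFFECTED_VERSION}"\n'
    "}\n"
)
SAMPLE_NEW = (
    "jenkinsPlugin {\n"
    f"    jenkinsVersion = '{TARGET_VERSION}'\n"
    "}\n"
)


def parse_version(version: str) -> tuple:
    """Turn '2.387.1' into (2, 387, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def find_jenkins_versions(text: str) -> list:
    """Return every Jenkins core version pinned in a build.gradle body."""
    found = []
    for pattern in PATTERNS:
        found.extend(pattern.findall(text))
    return found


def outdated(version: str, target: str) -> bool:
    """True when `version` is strictly older than `target`."""
    return parse_version(version) < parse_version(target)


def audit_tree(root: Path, target: str) -> dict:
    """Map each build.gradle under root to the pins older than target.

    Files with no Jenkins core pin, or only up-to-date pins, are omitted, so
    an empty dict means the criterion 'all build.gradle files upgraded' holds.
    """
    report = {}
    for path in root.rglob("build.gradle"):
        stale = [v for v in find_jenkins_versions(path.read_text()) if outdated(v, target)]
        if stale:
            report[path.relative_to(root).as_posix()] = stale
    return report


def demo() -> dict:
    """Write the constructed samples to a temp tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "plugin-a").mkdir()
        (root / "plugin-a" / "build.gradle").write_text(SAMPLE_OLD)
        (root / "plugin-b").mkdir()
        (root / "plugin-b" / "build.gradle").write_text(SAMPLE_NEW)
        return audit_tree(root, TARGET_VERSION)


if __name__ == "__main__":
    for file, versions in demo().items():
        print(f"{file}: still pins {', '.join(versions)} (< {TARGET_VERSION})")
```

Run it from the repository root with the placeholder replaced and an empty report is the pass condition for the third acceptance criterion; a non-empty report lists exactly the build files the upgrade missed.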

@peterzhuamazon @gaiksaya

jordarlu avatar Jul 12 '23 17:07 jordarlu

Thanks Jeff.

peterzhuamazon avatar Jul 12 '23 18:07 peterzhuamazon

Updating the possible CVE fixes list in case description by upgrading the Jenkins Core to the latest version.

jordarlu avatar Aug 30 '23 21:08 jordarlu

Need to also upgrade the Jenkins with monitoring plugin:

  • https://github.com/opensearch-project/opensearch-ci/issues/346#issuecomment-1719906561

peterzhuamazon avatar Sep 18 '23 17:09 peterzhuamazon

Plan to add monitoring plugin in the week of 25th-Sept. cc: @peterzhuamazon @prudhvigodithi

rishabh6788 avatar Sep 18 '23 18:09 rishabh6788

List has been updated.

jordarlu avatar Oct 19 '23 23:10 jordarlu