Handling Vulnerabilities in Plugins
This site is the new docs site currently being tested. For the actual docs in use please go to https://www.jenkins.io/doc. |
We strive to fix all security vulnerabilities in Jenkins and plugins in a timely manner. However, the structure of the Jenkins project, which gives plugin maintainers a lot of autonomy, and the number and diversity of plugins make this impossible to guarantee.
Announcing Unresolved Vulnerabilities
In case of a plugin vulnerability, we try to contact the plugin maintainer(s) to inform them of it. If they decline (or otherwise fail) to fix the vulnerability, or don’t respond in a timely manner, and the security team doesn’t have the capacity to fix it, we follow the process outlined below in the interest of our users:
-
Publish a security advisory about the plugin, describing the nature of the vulnerability, but noting that there is no fix (other than no longer using the plugin). If there are workarounds, explain them.
-
In some cases of particularly severe vulnerabilities, stop publishing the vulnerable plugin on the Jenkins update sites.
-
Add metadata to update sites to inform administrators on the Jenkins UI about vulnerable plugins they have installed.
-
Display security warnings on the plugins site.
This allows Jenkins administrators to make an informed decision about their continued use of plugins with unresolved security vulnerabilities.
Following Up Later
Some maintainers end up fixing security vulnerabilities after we have announced it as unresolved in their plugin. This can be any time between hours and years after publication.
In those cases, security advisories will not be amended, as the information provided was correct at the time of publication. Additionally, the security advisory will be clear that the lack of a fix is only known "as of publication of this advisory".
We will update the security warnings metadata that is shown to administrators in Jenkins and on the plugins site. Maintainers can inform us through Jira or email about a fix or file a pull request updating the warnings metadata themselves. Once we confirm the fix is correct and complete, we will update the published warnings metadata. This will remove the active security warning from the plugin entry on the plugins site and from the plugin manager directly in Jenkins.
Suspended Plugins
Distribution of the following plugins was suspended in conjunction with the publication of a security advisory announcing unresolved security issues. The Jenkins security team believes that most use cases would be negatively impacted by these security vulnerabilities and it is better for the Jenkins ecosystem to no longer distribute these plugins in their current form to prevent harm to users. This typically is the case when plugins have particularly severe security vulnerabilities, deliberately bypass or disable protection mechanisms, or offer little benefit to users anyway.
-
360 FireLine (
fileline
): SECURITY-2866 -
Adaptive DSL (
AdaptivePlugin
): SECURITY-457 -
Autocomplete Parameter (
autocomplete-parameter
): multiple vulnerabilities announced on 2022-05-17 -
Build Flow (
build-flow-plugin
): SECURITY-293 -
CAS protocol version 1 (
cas1
): SECURITY-491 -
Config Rotator (
config-rotator
): SECURITY-2842 -
Copy To Slave (
copy-to-slave
): SECURITY-545 -
CryptoMove (
cryptomove
): SECURITY-1635 -
CVS Tagging (
cvs-tag
): SECURITY-459 -
Debian Package Builder (
debian-package-builder
): SECURITY-2546 -
DotCi (
DotCi
): SECURITY-1737 -
Dynamic Parameter (
dynamicparameter
): SECURITY-462 -
ElasticBox Jenkins Kubernetes CI/CD (
kubernetes-ci
): SECURITY-1738 -
Grails (
grails
): SECURITY-458 -
GroovyAxis (
groovyaxis
): SECURITY-460 -
JS Games (
jsgames
): SECURITY-1905 -
Kubernetes Continuous Deploy (
kubernetes-cd
): SECURITY-2448 -
Kubernetes :: Pipeline :: Arquillian Steps (
kubernetes-pipeline-arquillian-steps
): SECURITY-920 (2) -
Kubernetes :: Pipeline :: Kubernetes Steps (
kubernetes-pipeline-steps
): SECURITY-920 (1) -
Literate (
literate
): SECURITY-1750 -
Mashup Portlets (
mashup-portlets-plugin
): SECURITY-2813 -
Nerrvana (
nerrvana
): SECURITY-2097 -
Persona (
persona
): SECURITY-2046 -
Pipeline: Classpath Step (
pipeline-classpath
): SECURITY-336 -
Pipeline: Phoenix AutoTest (
phoenix-autotest
): multiple vulnerabilities announced on 2022-03-29 -
Puppet Enterprise Pipeline (
puppet-enterprise-pipeline
): SECURITY-918 -
Reactor (
reactor
): SECURITY-487 -
remote-jobs-view-plugin
: SECURITY-2956 -
Script SCM (
scriptscm
): SECURITY-461 -
scripttrigger
: SECURITY-456 -
Simple Travis Pipeline Runner (
simple-travis-runner
): SECURITY-922 -
Chef Sinatra (
sinatra-chef-builder
): SECURITY-1377 -
ScreenRecorder (
screenrecorder
): SECURITY-2864 -
Speaks! (
speaks
): SECURITY-623 -
Storable Configs (
storable-configs-plugin
): SECURITY-1969, multiple vulnerabilities announced on 2020-09-16 -
Subversion Tagging (
svn-tag
): SECURITY-298 -
tcl
: SECURITY-379 -
Team Views (
team-views
): multiple vulnerabilities announced on 2022-02-15 -
XFramium Builder (
xframium
): SECURITY-2863
Unless the security issue is inherent to what the plugin does while not making this the sole purpose of the plugin, the Jenkins security team welcomes efforts to fix the vulnerabilities and have plugin distribution restored.
In addition to plugins suspended for security reasons, the following plugins that require suspended plugins to run are also suspended, as they would not be installable:
-
Build Automation Management Tool (
build-configurator
) depends oncopy-to-slave
-
build-flow-extensions-plugin
depends onbuild-flow-plugin
-
build-flow-test-aggregator
depends onbuild-flow-plugin
-
build-flow-toolbox-plugin
depends onbuild-flow-plugin
-
DotCi DockerPublish (
DotCi-DockerPublish
) depends onDotCi
-
DotCi Fig template (
DotCi-Fig-template
) depends onDotCi-InstallPackages
-
DotCi InstallPackages (
DotCi-InstallPackages
) depends onDotCi
-
DotCiInstallPackages (
DotCiInstallPackages
) depends onDotCi
-
External Resource Dispatcher (
externalresource-dispatcher
) depends onbuild-flow-plugin
-
Kubernetes :: Pipeline :: Aggregator (
kubernetes-pipeline-aggregator
) depends onkubernetes-pipeline-arquillian-steps
andkubernetes-pipeline-steps
-
lsf-cloud
depends oncopy-to-slave
-
SGE Cloud Plugin (
sge-cloud-plugin
) depends oncopy-to-slave
-
XTrigger (
xtrigger
) depends onscripttrigger