
Workaround/replace/remove unmaintained Jenkins plugins #39

Open
Houkime opened this issue Nov 7, 2017 · 4 comments

Comments

@Houkime
Contributor

Houkime commented Nov 7, 2017

Abandoned extremely old plugins are potential security and integration hazards.
If there's a possibility to do so, dependency on them should be removed or effort should be made to maintain them again.

List of the least maintained plugins used in LCCI as of 7.11.17:

filesystem_scm:
(WARNING!) Extremely old (6y since last release) plugin.
Tracks changes in the filesystem like it was an SCM repo.
Oleg Nenashev got control over the plugin and is currently trying to modernize it.
Github repo

saferestart:
(WARNING!!!) Extremely old plugin (5y since last release). Allows restarting Jenkins safely: it waits until all builds in progress finish before launching the restart.

simple-theme-plugin:
(WARNING!!!) Extremely old plugin (5y since release).
Custom CSS styling and JS on the page.
(WARNING!!!) Potentially hazardous due to its nature and age.

description-setter:
(WARNING!) Old plugin (3y since last release).
Sets build description based on build logs.

log-parser:
(WARNING!) Old plugin (2y since release).
Parses Jenkins CI build logs and collects warnings and errors.

@oleg-nenashev
Member

As a Jenkins contributor/user, I would say that 4 plugins are more or less fine. FileSystem SCM plugin is not fine for sure, but I am working on its facelift.

Do you have any specific concerns about other plugins in the list?

@Houkime
Contributor Author

Houkime commented Nov 7, 2017

My personal biggest concern is simple-theme-plugin. Client-side JavaScript and XSS threats are real, and if you choose to use a Java web UI at all you should try to be up to date at all costs. It's not only about server security but about user security.
If it is realistic I would recommend excluding client-side JS completely. Maybe I'm a bit paranoid because I tried to make Tor services one day, but still.

@oleg-nenashev
Member

Sorry, missed the update

If it is realistic I would recommend excluding client-side JS completely. Maybe I'm a bit paranoid because I tried to make Tor services one day, but still.

It is not realistic in Jenkins. It is moving towards JavaScript UIs. The Simple Theme plugin itself is not a security risk; a vulnerable theme would need to be explicitly configured. I would rather be aware of BlueOcean in such a case.

I will think whether it is possible to add feature flags to the packaging.

@oleg-nenashev
Member

FileSystem SCM will be updated in #40
