Workaround/replace/remove unmaintained Jenkins plugins #39
Comments
As a Jenkins contributor/user, I would say that 4 plugins are more or less fine. FileSystem SCM plugin is not fine for sure, but I am working on its facelift. Do you have any specific concerns about other plugins in the list?
My personal biggest concern is simple-theme-plugin. Client-side JavaScript and XSS threats are real, and if you choose to use a Java web UI at all you should try to be up to date at all costs. It's not only about server security but about user security.
Sorry, missed the update
It is not realistic in Jenkins. It moves towards JavaScript UIs. The Simple Theme plugin itself is not a security risk; a vulnerable theme would need to be explicitly configured. I would rather be aware of BlueOcean in such a case. I will think about whether it is possible to add feature flags to the packaging.
FileSystem SCM will be updated in #40
Abandoned, extremely old plugins are potential security and integration hazards.
If there is a possibility to do so, the dependency on them should be removed, or effort should be made to maintain them again.
List of the least maintained plugins used in LCCI as of 7.11.17:
filesystem_scm:
    (WARNING!) Extremely old (6y since last release) plugin.
    Tracks changes in the filesystem as if it were an SCM repo.
    Oleg Nenashev got control over the plugin and is currently trying to modernize it.
    GitHub repo
saferestart:
    (WARNING!!!) Extremely old plugin (5y since last release). Allows restarting Jenkins safely: it waits until all builds in progress finish before launching the restart.
simple-theme-plugin:
    (WARNING!!!) Extremely old plugin (5y since last release).
    Custom CSS styling and JS on the page.
    (WARNING!!!) Potentially hazardous due to its nature and age.
description-setter:
    (WARNING!) Old plugin (3y since last release).
    Sets the build description based on build logs.
log-parser:
    (WARNING!) Old plugin (2y since last release).
    Parses Jenkins CI build logs and collects warnings and errors.
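As an added example (not code from the LCCI project or from anyone in this thread): a small audit that reads a plugins.txt in the name:version format the Jenkins Docker image consumes and sorts each plugin into the inventory's 2y/5y warning tiers by years since its last release. The update-center data and the plugins.txt are constructed samples with made-up dates; the `plugins` map with a `releaseTimestamp` field is assumed to mirror the real Jenkins update center JSON.

```python
from datetime import datetime, timezone

# Constructed sample of the fields this audit needs from the Jenkins update
# center JSON (assumption: a "plugins" map whose entries carry a
# "releaseTimestamp"; the dates below are made up, not real release dates).
UPDATE_CENTER = {"plugins": {
    "filesystem_scm":      {"releaseTimestamp": "2011-09-01T00:00:00Z"},
    "simple-theme-plugin": {"releaseTimestamp": "2012-09-01T00:00:00Z"},
    "log-parser":          {"releaseTimestamp": "2015-09-01T00:00:00Z"},
    "git":                 {"releaseTimestamp": "2017-10-15T00:00:00Z"},
}}

# Constructed plugins.txt (name:version); one plugin absent from the update
# center is included on purpose, since a delisted plugin is a red flag too.
PLUGINS_TXT = """\
# plugins bundled into the image
git:3.6.4
filesystem_scm:1.20
simple-theme-plugin:0.3
log-parser:2.0
not-in-update-center:1.0
"""

SEVERE_YEARS = 5  # the inventory's "WARNING!!!" tier
WARN_YEARS = 2    # the inventory's "WARNING!" tier
AUDIT_DATE = datetime(2017, 11, 7, tzinfo=timezone.utc)  # date of the inventory above

def parse_plugins_txt(text):
    """Yield (name, version) pairs, skipping blank lines and comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, version = line.partition(":")
            yield name, version or None

def years_since(iso_ts, now):
    released = datetime.strptime(iso_ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (now - released).days / 365.25

def audit(plugins_txt, update_center, now=AUDIT_DATE):
    """Map each listed plugin to (age_years, tier); tier is 'severe', 'warn',
    'ok', or 'unknown' when the update center no longer lists the plugin."""
    report = {}
    for name, _version in parse_plugins_txt(plugins_txt):
        entry = update_center["plugins"].get(name)
        if entry is None:
            report[name] = (None, "unknown")
            continue
        age = years_since(entry["releaseTimestamp"], now)
        tier = "severe" if age >= SEVERE_YEARS else "warn" if age >= WARN_YEARS else "ok"
        report[name] = (round(age, 1), tier)
    return report
```

Running `audit(PLUGINS_TXT, UPDATE_CENTER)` against a real update-center download and the image's actual plugins.txt gives the same inventory as above, regenerated on every build instead of by hand.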