Question regarding transitive plugin dependencies and security advisories


Adam Kaplan

Jan 26, 2022, 5:01:06 PM
to jenkin...@googlegroups.com
Hi all,

January's security advisory had several vulnerabilities disclosed in plugins [1]. Some of these plugins are widely used and may be used as dependencies in other plugins. For example, my team maintains the openshift-login-plugin and we depend on Mailer, which was recently updated with a security fix.

What is the right thing to do if we observe that a released plugin includes another vulnerable plugin as a dependency? Does this warrant a security issue?

Thanks,
Adam

[1] https://www.jenkins.io/security/advisory/2022-01-12/

--
Adam Kaplan
He/Him
Principal Software Engineer
Red Hat
100 E. Davie Street
adam....@redhat.com    T: 1-919-754-4843


James Nord

Jan 26, 2022, 5:07:13 PM
to Jenkins Developers
Hi Adam

You don't have to do anything.

Mostly because a security release of a plugin should not break API compatibility.

If someone installs your plugin, then Jenkins will, if the Mailer plugin is not installed, install the latest version from the update center that it knows about.

You can choose to update the dependency in your pom to stop the GitHub security warning, but a release is not required.

In other words think of plugin dependencies as runtime lower limits, not hard dependencies.

/James
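The resolution rule James describes (a declared dependency is a runtime lower bound; an absent required dependency is installed at the newest version the update center offers) can be modelled to audit whether a plugin's transitive pins actually leave a vulnerable version in place. The following is an added example, not code from the thread or from the Jenkins project. It parses the real MANIFEST.MF `Plugin-Dependencies` header format (`name:minimum`, with `;resolution:=optional` for optional entries); the update-center versions, installed versions and advisory "fixed in" versions it uses are constructed for illustration and are not the real Mailer or Bitbucket Branch Source version history.

```python
"""Model Jenkins plugin dependency resolution and check the result against an
advisory. Added example; version numbers below are constructed, not real."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Dep:
    name: str
    minimum: str          # declared lower bound, e.g. "1.32"
    optional: bool = False


def parse_version(v: str) -> tuple:
    """Turn '2.9.11' or '1.32.1-beta' into a comparable tuple of ints.
    Non-numeric suffixes are dropped; adequate for plain dotted versions."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_plugin_dependencies(header: str) -> list:
    """Parse a MANIFEST.MF 'Plugin-Dependencies' value such as
    'mailer:1.32,junit:1.53;resolution:=optional'."""
    deps = []
    for entry in header.split(","):
        entry = entry.strip()
        if not entry:
            continue
        spec, *flags = entry.split(";")
        name, minimum = spec.split(":")
        optional = any(f.strip() == "resolution:=optional" for f in flags)
        deps.append(Dep(name.strip(), minimum.strip(), optional))
    return deps


def resolve(deps, installed: dict, update_center: dict) -> dict:
    """Return {name: (effective_version, how)} for the dependencies of one plugin.
    - already installed and >= minimum: the installed copy is what runs
    - already installed but < minimum: the plugin will not load until it is upgraded
    - absent and required: Jenkins installs the newest version the update center offers
    - absent and optional: nothing is installed"""
    result = {}
    for d in deps:
        if d.name in installed:
            have = installed[d.name]
            ok = parse_version(have) >= parse_version(d.minimum)
            result[d.name] = (have, "installed" if ok else "installed-below-minimum")
        elif d.optional:
            continue
        elif d.name in update_center:
            result[d.name] = (update_center[d.name], "installed-from-update-center")
        else:
            result[d.name] = (d.minimum, "unresolvable")
    return result


def audit(resolved: dict, fixed_in: dict) -> list:
    """Names whose effective version is older than the advisory's fixed version."""
    return sorted(
        name for name, (ver, _) in resolved.items()
        if name in fixed_in and parse_version(ver) < parse_version(fixed_in[name])
    )


# Constructed inputs (assumptions, not real release data).
HEADER = "mailer:1.32,bitbucket-branch-source:2.9.11,junit:1.53;resolution:=optional"
UPDATE_CENTER = {"mailer": "1.34", "bitbucket-branch-source": "2.9.12", "junit": "1.60"}
FIXED_IN = {"mailer": "1.33", "bitbucket-branch-source": "2.9.12"}


if __name__ == "__main__":
    deps = parse_plugin_dependencies(HEADER)
    # Fresh instance: nothing installed, so required deps come from the update center.
    print("fresh:", audit(resolve(deps, {}, UPDATE_CENTER), FIXED_IN))
    # Instance (or downstream distribution) that already carries the pinned versions.
    pinned = {"mailer": "1.32", "bitbucket-branch-source": "2.9.11"}
    print("pinned:", audit(resolve(deps, pinned, UPDATE_CENTER), FIXED_IN))
```

On a fresh instance the audit is empty, which is James's point: the declared minimum does not determine what gets installed. The findings appear only when a copy at or above the minimum but below the fixed version is already present, whether installed on a user's controller or pinned by a downstream bundle; that is the case worth checking before deciding whether a dependency bump or an override is needed.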

Adam Kaplan

Jan 26, 2022, 5:33:28 PM
to jenkin...@googlegroups.com
Thanks, James. For the login plugin we have a pinned dependency in our pom.xml, so we plan on updating that so folks get a fixed version of Mailer if that isn't present on their Jenkins instance.

We also have a downstream distribution which pulls in 3rd party plugins, like blueocean. We noticed that this has a dependency tree which includes the Bitbucket branch plugin [1]. The current release predates the security fix and pins the branch plugin to 2.9.11, thus our current build doesn't get the patch. We can override plugin dependency versions on our side, but in an ideal world we would use a newer (fixed) version of blueocean.

How can we request a new build of the blueocean plugin?


To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/e48740b3-2343-4484-9825-e16bf5041010n%40googlegroups.com.

jn...@cloudbees.com

Jan 31, 2022, 6:27:15 AM
to Jenkins Developers
>  Thanks, James. For the login plugin we have a pinned dependency in our pom.xml, so we plan on updating that so folks get a fixed version of Mailer if that isn't present on their Jenkins instance.

You do not need to do that; they would get a fixed version of Mailer if it was not installed on their Jenkins instance in any case.


> We also have a downstream distribution which pulls in 3rd party plugins, like blueocean. We noticed that this has a dependency tree which includes the Bitbucket branch plugin [1]. The current release predates the security fix and pins the branch plugin to 2.9.11, thus our current build doesn't get the patch. We can override plugin dependency versions on our side, but in an ideal world we would use a newer (fixed) version of blueocean.

> How can we request a new build of the blueocean plugin?

You can ask on the dev list, but as there is no issue in Blue Ocean and releasing it takes a non-trivial amount of time, it is unlikely to happen (it is also only getting critical bug fixes, not general improvements, as per https://groups.google.com/g/jenkinsci-users/c/xngZrSsXIjc/m/d606K7lHBgAJ ).

/James
