[JIRA] (JENKINS-59758) hudson.model.UpdateSite.Plugin:getWarnings() using incorrect plugin version, resulting in no warnings found


engstrom@mtu.net (JIRA)

Oct 11, 2019, 6:38:02 PM
to jenkinsc...@googlegroups.com
Eric Engstrom created an issue
Jenkins / Bug JENKINS-59758
hudson.model.UpdateSite.Plugin:getWarnings() using incorrect plugin version, resulting in no warnings found
Issue Type: Bug
Assignee: Unassigned
Components: core, update-sites-manager-plugin
Created: 2019-10-11 22:37
Environment: Jenkins 2.199 (and LTS / 2.190.1)
Labels: plugins jenkins update-center
Priority: Major
Reporter: Eric Engstrom

I believe I've found a bug in the way that hudson.model.UpdateSite.Plugin collects the warnings that may exist for a given plugin, as can be seen in this Groovy code sample:

Groovy Example
    import jenkins.model.*
    import jenkins.security.*
    import hudson.security.*
    import static groovy.json.JsonOutput.*

    def instance = Jenkins.getInstance()
    def manager = instance.getPluginManager()
    def center = instance.getUpdateCenter()
    // refresh the update-site metadata so getUpdates() reflects current update center data
    manager.doCheckUpdatesServer()

    // one entry per installed plugin that has a newer release available;
    // each value is the UpdateSite.Plugin describing that newer release
    updates = center.getUpdates().collectEntries {
      [ (it.getInstalled().getShortName()) :
        [
          'class': it.getClass().toString(),
          'version': it.version,
          'hasWarnings': it.hasWarnings(),
        ]
      ]
    }
    println prettyPrint(toJson(updates))

When run against my current setup, including at least one plugin with updates that ALSO has warnings, it yields (pruned slightly, eliding some irrelevant plugins):

output
    {
        "git-client": {
            "class": "class hudson.model.UpdateSite$Plugin",
            "version": "2.9.0",
            "hasWarnings": false
        },
        "script-security": {
            "class": "class hudson.model.UpdateSite$Plugin",
            "version": "1.66",
            "hasWarnings": false
        }
    }

However, perusing the code of hudson.model.UpdateSite, I manually walked the (applicable) warnings a different way:

Groovy Example (continued)
    // UpdateSiteWarningsConfiguration knows which published warnings apply to the
    // INSTALLED plugin versions, and which ones an administrator has chosen to ignore
    def wc = ExtensionList.lookupSingleton(UpdateSiteWarningsConfiguration.class)
    // only plugin warnings: a core warning has no PluginWrapper, so wc.getPlugin() would be null
    warnings = wc.getApplicableWarnings().findAll { it.isPluginWarning(it.component) }.collectEntries {
      [ (it.component): [
          'class': it.getClass().toString(),
          'message': it.message,
          // version of the plugin as installed here, not the latest available release
          'version': wc.getPlugin(it).getVersion(),
          'ignored': wc.isIgnored(it),
          'isPluginWarning': it.isPluginWarning(it.component),
          'isRelevant': it.isRelevant(),
          'isRelevantToVersion': it.isRelevantToVersion(wc.getPlugin(it).getVersionNumber()),
        ]
      ]
    }
    println prettyPrint(toJson(warnings))

Which yields (unpruned, as there is only one, currently):

output (continued)
    {
        "script-security": {
            "class": "class hudson.model.UpdateSite$Warning",
            "message": "Sandbox bypass vulnerability",
            "version": "1.64",
            "ignored": false,
            "isPluginWarning": true,
            "isRelevant": true,
            "isRelevantToVersion": true
        }
    }

It seems to me the failure lies on line 1265 of UpdateSite.java (https://github.com/jenkinsci/jenkins/blob/24d0cf90ab82f89aadd2b54c84c7fcab093b0d37/core/src/main/java/hudson/model/UpdateSite.java#L1265), specifically:

UpdateSite.java, line 1265:
    if (!warning.isRelevantToVersion(new VersionNumber(this.version))) {

and more specifically the call to this.version. Perhaps the version field is getting populated incorrectly, but assuming that it should be the latest available version (e.g. script-security version 1.66), instead of the current version (1.64), that seems wrong, at least for the purpose of detecting if the warnings are relevant.

Could the entire line be both fixed and simplified as well if replaced with:

possible fix (and simplification)
    if (!warning.isRelevant()) {

However, I leave that to someone more familiar with the code base than am I.

dbeck@cloudbees.com (JIRA)

Oct 12, 2019, 11:42:03 AM
to jenkinsc...@googlegroups.com
Daniel Beck commented on Bug JENKINS-59758
 
Re: hudson.model.UpdateSite.Plugin:getWarnings() using incorrect plugin version, resulting in no warnings found

Eric Engstrom

Hi Eric, I'm the original author of this feature. There's a bunch of technical details in this report of you digging into the internals, but I do not understand what exactly the behavior is that you're seeing, and what you expect to see instead, and why. Could you provide these?

Thanks!

engstrom@mtu.net (JIRA)

Oct 12, 2019, 2:17:03 PM
to jenkinsc...@googlegroups.com
Eric Engstrom commented on Bug JENKINS-59758
 
Re: hudson.model.UpdateSite.Plugin:getWarnings() using incorrect plugin version, resulting in no warnings found

Sorry - I thought the issue was more clear.

Essentially if you attempt to get any issued warnings for an instance of hudson.model.UpdateSite$Plugin, you will ALWAYS get an empty list ([]). I believe this to be the case because the version check on line 1265 is checking against the latest version, not the installed version.

My complex example code is only me trying to figure out why. If you happen to have an instance of Jenkins around with a plugin with a security warning, try the first block of groovy code.

Is that helpful? If not, I'll try again.

dbeck@cloudbees.com (JIRA)

Oct 12, 2019, 4:53:02 PM
to jenkinsc...@googlegroups.com
Daniel Beck closed an issue as Not A Defect
 

Works as designed.

Change By: Daniel Beck
Status: Open → Closed
Resolution: Not A Defect

dbeck@cloudbees.com (JIRA)

Oct 12, 2019, 4:53:03 PM
to jenkinsc...@googlegroups.com
Daniel Beck commented on Bug JENKINS-59758
 
Re: hudson.model.UpdateSite.Plugin:getWarnings() using incorrect plugin version, resulting in no warnings found

Well, UpdateSite.Plugin is the plugin as it is being distributed by the update site. For the plugins you mention, published issues are already fixed in the releases currently being distributed as latest version. Therefore, no warnings apply to those releases.

The reason this API based on UpdateSite.Plugin exists will be apparent when you filter the "available plugins" lists by the string /security/ – there are many plugins being distributed with active security warnings, i.e. even if you're on the newest release, you're affected by a known public security issue. These are typically abandoned plugins.
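The two views the thread contrasts, side by side, as an added Script Console example (this is not code from the issue, from the reporter, or from Jenkins core): the reporter's second block answers "which warnings apply to the versions installed here", while UpdateSite.Plugin answers "which warnings still apply to the newest release the update site ships", which is Daniel Beck's abandoned-plugin case. The script assumes the Jenkins 2.199-era API the thread already uses plus a few calls not shown in the thread: Jenkins.get(), UpdateCenter.getPlugin(String), PluginManager.getPlugins() and UpdateSite.Plugin.getWarnings() (the last is marked for internal use in core; Groovy can still call it).

```groovy
// Added example, not part of the issue or of Jenkins core. Run in Manage Jenkins > Script Console.
// Assumed beyond what the thread shows: Jenkins.get(), UpdateCenter.getPlugin(String),
// PluginManager.getPlugins() and UpdateSite.Plugin.getWarnings() exist with these shapes.
import hudson.ExtensionList
import hudson.util.VersionNumber
import jenkins.model.Jenkins
import jenkins.security.UpdateSiteWarningsConfiguration
import static groovy.json.JsonOutput.*

def jenkins = Jenkins.get()
def center  = jenkins.updateCenter
def wc      = ExtensionList.lookupSingleton(UpdateSiteWarningsConfiguration)

// View 1: warnings relevant to the plugin versions INSTALLED on this controller, keyed by plugin.
// isPluginWarning(component) is true only for plugin warnings, so core warnings (which have no
// PluginWrapper) are skipped.
def installed = wc.applicableWarnings
    .findAll { it.isPluginWarning(it.component) }
    .groupBy { it.component }
    .collectEntries { shortName, warnings ->
        def plugin = wc.getPlugin(warnings[0])      // PluginWrapper of the installed plugin
        def latest = center.getPlugin(shortName)    // UpdateSite.Plugin, null if no site offers it
        [(shortName): [
            installedVersion: plugin?.version,
            latestVersion   : latest?.version,
            // Would upgrading clear every warning? Same check UpdateSite.java:1265 makes,
            // deliberately run against the latest distributed version.
            fixedInLatest   : latest != null && warnings.every { w ->
                !w.isRelevantToVersion(new VersionNumber(latest.version))
            },
            ignored         : warnings.any { wc.isIgnored(it) },
            messages        : warnings*.message,
        ]]
    }

// View 2: installed plugins whose NEWEST distributed release is itself still flagged.
// This is what UpdateSite.Plugin.hasWarnings() reports: no upgrade removes the warning.
def latestStillFlagged = jenkins.pluginManager.plugins
    .collect { center.getPlugin(it.shortName) }
    .findAll { it != null && it.hasWarnings() }
    .collectEntries { [(it.name): [latestVersion: it.version, messages: it.warnings*.message]] }

println prettyPrint(toJson([
    warningsForInstalledVersions: installed,
    warningsEvenOnLatestRelease : latestStillFlagged,
]))
```

In the reporter's situation (script-security 1.64 installed, 1.66 available) the first map lists the warning with fixedInLatest true and the second map is empty, which is exactly the "works as designed" outcome: the warning is real for the running version, and upgrading resolves it. A plugin that appears in the second map is one where staying current is not enough, so it belongs on a remove-or-replace list rather than an upgrade list.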
