Jenkins NON-GUI notification of core / plug-in vulnerabilities / warnings and updates


Eric Engstrom

Sep 23, 2019, 11:53:56 AM
to Jenkins Users

Jenkins is great at telling me when there are updates available for Jenkins's core or when there are security vulnerabilities in plug-ins. This it does with a "nice-fat-red" number of vulnerabilities at the top of the web page when I am logged in. And when one clicks on that, one gets a nice synopsis such as:
[screenshot of the vulnerability synopsis omitted]
(Yes, I've already updated my Jenkins instance to patch these issues, post screen-shot).


However, I cannot find any system setting or plug-in which will notify me (presumably via email) when there is a core or plug-in update which is available to mitigate a vulnerability, or even when there are ANY updates to apply.


I have used the CLI (via SSH) to find a way to list the plug-ins with updates available, as in this very hackish approach which relies on the formatting of the list-plugins command:


$ ssh -l USER -p PORT JENKINS.domain list-plugins | egrep '\([0-9.]+\)' | sort
ant                         Ant Plugin                      1.9 (1.10)
antisamy-markup-formatter   OWASP Markup Formatter Plugin   1.5 (1.6)
branch-api                  Branch API Plugin               2.5.3 (2.5.4)
...


But I have not found any way via the CLI to:

  • distinguish between security updates and general/feature updates
  • identify core updates

I've also looked at the Jenkins log (/var/lib/jenkins/jenkins.log on Ubuntu) to no avail.


Specific question: Is there a setting (and I've looked extensively) or plug-in (or even CLI method) which will provide the warnings / vulnerabilities without being forced to login to Jenkins' web interface and look manually?


Yes, I'm subscribed to the "Security advisories" mailing list, and while it provides indications of core updates w.r.t. vulnerabilities, it's not as helpful for plug-ins - that is, not only would I have to look at all the plug-ins that are listed as being patched, but it doesn't, AFAICT, tell me when there are unpatched vulnerabilities.


General question: How should I go about ensuring that my Jenkins installation is automatically kept up-to-date, including all plug-ins? Ideally this would be with respect to security vulnerabilities only, leaving feature updates aside.

Daniel Beck

Sep 23, 2019, 12:08:58 PM
to jenkins...@googlegroups.com
Jenkins uses the update center metadata to show applicable warnings. It would be a bit of a hack, and use internals not meant for public consumption, but you could do that, too. See the bottom of https://updates.jenkins.io/update-center.actual.json for the warning definitions. (No complaining if we change the format without prior warning etc.!)

On Mon, Sep 23, 2019 at 5:52 PM Eric Engstrom <eric.e...@gmail.com> wrote:

Yes, I'm subscribed to the "Security advisories" mailing list, and while it provides indications of core updates w.r.t. vulnerabilities, it's not as helpful for plug-ins - that is, not only would I have to look at all the plug-ins that are listed as being patched, but it doesn't, AFAICT, tell me when there are unpatched vulnerabilities.


Counterexample: https://groups.google.com/d/msg/jenkinsci-advisories/T3Zt01nhGao/kn_VhKasCgAJ (Aug 7 this year, second email in the "thread" -- Thanks Google!)
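The two pieces of the thread so far, the hackish `list-plugins` scrape and Daniel's pointer at the warning definitions in the update-center metadata, can be stitched together into a small offline cross-check. The following is an added example, not code from the thread or from the Jenkins project: it parses `list-plugins` output with a regex instead of relying on column widths, matches the installed versions (and a core version passed in) against a `warnings` array, and keeps a set of already-reported warning ids so a scheduled run reports each finding only once. Both inputs are constructed samples embedded inline; the warning layout (`id`, `type`, `name`, `url`, `versions[].pattern`) and the use of a full regex match on the version string are assumptions modelled on `update-center.actual.json` as it looked in 2019, and, as Daniel says, that format can change without notice.

```python
"""Added example (not the thread's or Jenkins' own code): cross-check installed
plugins from `list-plugins` against update-center warning definitions.

Assumptions: warnings carry id/type/name/url/versions[].pattern, and a warning
applies when one of its patterns matches the whole installed version string.
Both inputs below are constructed samples so the script runs offline."""
import json
import re

# Constructed sample of `list-plugins` output: short name, display name,
# installed version and, in parentheses, the available update (if any).
SAMPLE_LIST_PLUGINS = """\
ant                          Ant Plugin                      1.9 (1.10)
antisamy-markup-formatter    OWASP Markup Formatter Plugin   1.5 (1.6)
branch-api                   Branch API Plugin               2.5.3 (2.5.4)
git                          Git plugin                      3.12.1
"""

# Constructed sample of the `warnings` array (assumed layout, not the live file).
SAMPLE_WARNINGS = json.loads("""
[
  {"id": "SECURITY-EXAMPLE-1", "type": "plugin", "name": "antisamy-markup-formatter",
   "message": "Constructed sample: issue in markup formatter",
   "url": "https://example.invalid/advisory/1",
   "versions": [{"lastVersion": "1.5", "pattern": "1[.][0-5](|[.].*)"}]},
  {"id": "SECURITY-EXAMPLE-2", "type": "plugin", "name": "git",
   "message": "Constructed sample: already fixed in the installed version",
   "url": "https://example.invalid/advisory/2",
   "versions": [{"lastVersion": "3.9.0", "pattern": "3[.][0-9][.].*"}]},
  {"id": "CORE-EXAMPLE-1", "type": "core", "name": "core",
   "message": "Constructed sample: core advisory",
   "url": "https://example.invalid/advisory/3",
   "versions": [{"lastVersion": "2.190", "pattern": "2[.]1[0-8][0-9](|[.].*)"}]}
]
""")

# short name, display name (may contain spaces), version, optional "(update)".
LINE_RE = re.compile(
    r"^(?P<short>\S+)\s+(?P<display>.+?)\s+(?P<version>\S+)"
    r"(?:\s+\((?P<update>[^)]+)\))?\s*$"
)


def parse_list_plugins(text):
    """Return {short_name: (installed_version, available_update_or_None)}."""
    plugins = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or unrecognised line: skip rather than guess
        plugins[m["short"]] = (m["version"], m["update"])
    return plugins


def version_is_affected(version, version_specs):
    """A warning applies if any of its patterns matches the whole version string."""
    return any(re.fullmatch(spec["pattern"], version) for spec in version_specs)


def applicable_warnings(plugins, core_version, warnings):
    """List (id, name, installed_version, url) for warnings that apply here."""
    hits = []
    for w in warnings:
        if w["type"] == "core":
            installed = core_version
        elif w["type"] == "plugin":
            entry = plugins.get(w["name"])
            if entry is None:
                continue  # plugin not installed, warning irrelevant
            installed = entry[0]
        else:
            continue  # unknown warning type: ignore rather than misreport
        if version_is_affected(installed, w["versions"]):
            hits.append((w["id"], w["name"], installed, w["url"]))
    return hits


def report_new(hits, already_reported):
    """Return only warnings not yet reported and remember them, so a periodic
    run (cron, or a scheduled Jenkins job) notifies about each finding once."""
    fresh = [h for h in hits if h[0] not in already_reported]
    already_reported.update(h[0] for h in fresh)
    return fresh


if __name__ == "__main__":
    plugins = parse_list_plugins(SAMPLE_LIST_PLUGINS)
    seen = set()
    hits = applicable_warnings(plugins, "2.176.1", SAMPLE_WARNINGS)
    for wid, name, ver, url in report_new(hits, seen):
        print(f"{wid}: {name} {ver} is affected, see {url}")
    print("second run, nothing new:", report_new(hits, seen))
```

In real use the `list-plugins` text would come from the SSH command shown earlier, the core version from the instance, and the warnings from the live metadata; persist the `seen` set (a small file is enough) between runs, and clear an id from it once the affected plugin has been upgraded so a regression is reported again.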


Eric Engstrom

Sep 24, 2019, 9:59:42 AM
to Jenkins Users


On Monday, September 23, 2019 at 11:08:58 AM UTC-5, Daniel Beck wrote:
Jenkins uses the update center metadata to show applicable warnings. It would be a bit of a hack, and use internals not meant for public consumption, but you could do that, too. See the bottom of https://updates.jenkins.io/update-center.actual.json for the warning definitions. (No complaining if we change the format without prior warning etc.!)

The implication of this is that there is no current method to have Jenkins send notifications (emails, or otherwise) on known vulnerabilities, core or plug-in. Sounds like an opportunity for improvement, with which I'd be somewhat happy to help in development, but as a total Jenkins _user_, I would need more pointers for development. The most obvious would be: is this something that should be in core or should it be yet-another-plug-in? Or, I suppose, I could develop it as a Groovy script that one could run as a Jenkins job within Jenkins itself.

Thoughts?

On Mon, Sep 23, 2019 at 5:52 PM Eric Engstrom <eric.e...@gmail.com> wrote:

Yes, I'm subscribed to the "Security advisories" mailing list, and while it provides indications of core updates w.r.t. vulnerabilities, it's not as helpful for plug-ins - that is, not only would I have to look at all the plug-ins that are listed as being patched, but it doesn't, AFAICT, tell me when there are unpatched vulnerabilities.


Counterexample: https://groups.google.com/d/msg/jenkinsci-advisories/T3Zt01nhGao/kn_VhKasCgAJ (Aug 7 this year, second email in the "thread" -- Thanks Google!)

Proven wrong - thanks. I'll pay more attention.

Daniel Beck

Sep 24, 2019, 11:22:39 AM
to jenkins...@googlegroups.com
Core cannot send emails, that's the mailer plugin. So if you need emails, it'd be in a (probably new) plugin.

Core however could log warnings; the main problem I see here is that there are no listeners/hooks to be notified when an update site is updated, so it's not quite trivial to log only once when a previously unseen warning shows up. Probably best done as a PeriodicWork while keeping a list of warnings logged since Jenkins started, to prevent duplicates?




--

Daniel Beck
Senior Software Engineer
CloudBees, Inc.



James Nord

Oct 8, 2019, 5:10:55 PM
to Jenkins Users
I think that the CloudBees Jenkins health check can do this.

https://go.cloudbees.com/docs/plugins/cloudbees-jenkins-advisor/
