'Active Choices (uno-choice) Plugin should be updated to version 1.5.1 or newer. As this plugin depends on Scriptler, whose distribution has been suspended, you need to download this plugin from the Jenkins project Maven repository and upload it to Jenkins.'
Active Choices was updated back in 2016 (v1.5.1) to use the Script Security plugin to execute Groovy scripts in a secure way. However, there is a dependency on Scriptler which has not received the required security updates and is also on the suspended list. This dependency also makes the use of Active Choices a security risk.
As a result, the Jenkins security team has placed Active Choices on the list of plugins that will be suspended from distribution from the update center (they can still be installed manually from the Maven repository).
Special kudos to Bruno for proactively working with the Jenkins security team to ensure that Active Choices was one of the first Groovy plugins to use the Jenkins Script Security recommendations.
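An added example, not part of the original post or of the plugin's own code: a check over a Jenkins plugin inventory that flags the two risks described above, an Active Choices (uno-choice) version older than 1.5.1 and any plugin that still depends on Scriptler. It assumes the inventory is JSON in the shape returned by the Jenkins plugin manager API (`/pluginManager/api/json?depth=1`); the sample inventory and every version in it other than 1.5.1 are constructed.

```python
import json
import re

MIN_UNO_CHOICE = "1.5.1"     # minimum version named in the announcement
SUSPENDED_DEP = "scriptler"  # dependency the thread describes as suspended

# Constructed sample in the shape of /pluginManager/api/json?depth=1 (assumed source).
SAMPLE = json.loads("""
{"plugins": [
  {"shortName": "uno-choice", "version": "1.4",
   "dependencies": [{"shortName": "scriptler"}, {"shortName": "script-security"}]},
  {"shortName": "scriptler", "version": "0.0-constructed", "dependencies": []},
  {"shortName": "git", "version": "0.0-constructed", "dependencies": []}
]}
""")


def version_key(version):
    """Turn '1.5.1' or '1.5.1-SNAPSHOT' into a comparable tuple such as (1, 5, 1)."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))


def audit(plugins):
    """Return (plugin, version, reason) findings for the risks raised in the thread."""
    findings = []
    for plugin in plugins:
        name, version = plugin["shortName"], plugin["version"]
        if name == "uno-choice" and version_key(version) < version_key(MIN_UNO_CHOICE):
            findings.append((name, version, "older than " + MIN_UNO_CHOICE))
        if name == SUSPENDED_DEP:
            findings.append((name, version, "suspended plugin installed"))
        deps = {d["shortName"] for d in plugin.get("dependencies", [])}
        if SUSPENDED_DEP in deps:
            findings.append((name, version, "depends on " + SUSPENDED_DEP))
    return findings


if __name__ == "__main__":
    for name, version, reason in audit(SAMPLE["plugins"]):
        print(f"{name} {version}: {reason}")
```

An instance that has upgraded uno-choice to 1.5.1 is still reported for the Scriptler dependency, which matches the point made above that the dependency itself is the remaining risk.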
Lionel Orellana
Jun 13, 2017, 7:30:30 PM
to BioUno Users
Hi,
Is there any update on this? What's the plan going forward?
Cheers
Bruno P. Kinoshita
Jun 13, 2017, 7:38:19 PM
to biouno...@googlegroups.com
Hi Lionel,
Last time I checked, scriptler-plugin was still blacklisted. Haven't checked again so far (busy at $work this week), but once the security bugs are fixed in scriptler-plugin, we should be able to simply update our dependencies in pom.xml, run some testing, and release it again to the Jenkins update center.
From: Lionel Orellana <lion...@gmail.com> To: BioUno Users <biouno...@googlegroups.com> Sent: Wednesday, 14 June 2017 11:30 AM Subject: Re: [ANNOUNCE] Jenkins Security and Active Choices
Lionel Orellana
Jun 14, 2017, 6:36:24 AM
to BioUno Users, brunod...@yahoo.com.br
Thanks Bruno. I installed from the update centre but it's not a good look with all the warnings. Good to hear it's an easy fix at your end.