JMeter Performance plugin having XXE vulnerability


Arun Suresh
Apr 4, 2022, 11:32:56 AM
to Jenkins Users

The JMeter performance plugin is listed with a vulnerability: https://plugins.jenkins.io/performance/
So currently it's not safe to use this plugin (https://www.jenkins.io/security/advisory/2021-11-12/#SECURITY-2394).

Can you please help us to fix this issue? Currently I'm facing the issue that I don't find any other alternative plugin to use either, since this plugin currently has this vulnerability.
Due to this vulnerability, our security guidelines are currently not allowing us to use this plugin. It will be extremely helpful if you can support us here.
Thank you

performance_plugin.png

Mark Waite
Apr 4, 2022, 12:09:05 PM
to Jenkins Users
The current maintainers were informed of the vulnerability before it was published without a fix.  They did not have the capacity to fix it.  I assume they still do not have the capacity to fix it.

You are welcome to adopt the plugin and fix the issue.  It would be a good way for your employer to get the fix they need and a good way for them to contribute to the Jenkins community.  The "Contributing to Open Source" workshop from DevOps World 2021 provides a series of steps that you could take to prepare to adopt the performance plugin.  There is a five part video series linked in that document that introduces the concepts and illustrates the tasks to consider as you adopt a plugin.

As another alternative, you could push the JMeter results to a different location (a web server somewhere inside your company) and guide people to read the results from that web server.

Mark Waite
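For anyone considering adopting the plugin, the class of bug behind SECURITY-2394 (XXE) is fixed by hardening the XML parser that reads the JMeter results file. The following is an added example, not the Performance plugin's own code and not the fix that was eventually shipped: it builds a JAXP `DocumentBuilder` with external entity resolution and DOCTYPE declarations disabled, parses a constructed JTL fragment, and shows that a document carrying any DOCTYPE is rejected before entities are resolved. The feature strings are the standard Xerces/JAXP ones; the class name `SafeJtlParser` and the sample documents are assumptions made for this example.

```java
// Added example (not the Performance plugin's own code): hardened DOM parsing of a
// JMeter JTL/XML results file. The feature URIs are standard JAXP/Xerces features;
// the class name and the sample documents below are constructed for this example.
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class SafeJtlParser {

    /** Builds a DocumentBuilder that cannot resolve external entities or DTDs. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse any DOCTYPE: this alone blocks XXE and entity-expansion DoS.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parser implementations that lack the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses a JTL document and returns the number of failed samples (s="false"). */
    static int countFailedSamples(String jtl) throws Exception {
        Document doc = hardenedBuilder().parse(new InputSource(new StringReader(jtl)));
        int failed = 0;
        // JMeter writes HTTP samplers as <httpSample> and other samplers as <sample>.
        for (String tag : new String[] {"httpSample", "sample"}) {
            NodeList samples = doc.getElementsByTagName(tag);
            for (int i = 0; i < samples.getLength(); i++) {
                Element e = (Element) samples.item(i);
                if ("false".equals(e.getAttribute("s"))) {
                    failed++;
                }
            }
        }
        return failed;
    }

    public static void main(String[] args) throws Exception {
        // Constructed JTL fragment in the shape JMeter writes
        // (t = elapsed ms, lb = label, rc = response code, s = success).
        String benign = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
            + "<testResults version=\"1.2\">\n"
            + "  <httpSample t=\"120\" lb=\"Home page\" rc=\"200\" s=\"true\"/>\n"
            + "  <httpSample t=\"3050\" lb=\"Checkout\" rc=\"500\" s=\"false\"/>\n"
            + "</testResults>\n";
        System.out.println("failed samples: " + countFailedSamples(benign));

        // Constructed document with a DOCTYPE (only an internal entity here). The
        // hardened builder rejects the DOCTYPE itself, so no entity, internal or
        // external, is ever resolved.
        String withDoctype = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE testResults [ <!ENTITY label \"Home page\"> ]>\n"
            + "<testResults version=\"1.2\">"
            + "<httpSample t=\"10\" lb=\"&label;\" rc=\"200\" s=\"true\"/>"
            + "</testResults>\n";
        try {
            countFailedSamples(withDoctype);
            System.out.println("unexpected: document with DOCTYPE was accepted");
        } catch (SAXParseException expected) {
            System.out.println("rejected as expected: " + expected.getMessage());
        }
    }
}
```

The same settings apply to `SAXParserFactory` and `XMLInputFactory` (for the latter, set `XMLInputFactory.SUPPORT_DTD` to `false` and `IS_SUPPORTING_EXTERNAL_ENTITIES` to `false`); whichever parser a plugin uses to read uploaded or workspace XML needs this configuration, not just the one that parses JTL files.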

Arun Suresh
Apr 5, 2022, 5:38:17 AM
to Jenkins Users
Thanks for the feedback and suggestions.