Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Finding Security Violation and operational Risks #270

Closed
dietmarpradler opened this issue Jul 26, 2023 · 6 comments
Closed

Finding Security Violation and operational Risks #270

dietmarpradler opened this issue Jul 26, 2023 · 6 comments

Comments

@dietmarpradler
Copy link

Hello,
we are using the Jenkins plugin generic-webhook-trigger-plugin provided by you in version 1.86.4.
Through a security scan with JFrog-XRAY we have encountered security vulnerabilities and operational risks.
The current security policy of our company prohibits the use of plugins with vulnerabilities.
I ask to fix the vulnerabilities and operational risks in this plugin.
Thank you very much for your support.

Best regards
Dietmar Pradler
@dietmarpradler
Copy link
Author

see attachement for JFrog-Xray Scan:
Maven_org.jenkins-ci.plugins_generic-webhook-trigger_version-1.86.4_v001113_2023-07-26 (1).zip

@tomasbjerre
Copy link
Contributor

Maven_eb69295_Violations_Export.pdf
Maven_eb69295_Security_Export.pdf
Maven_eb69295_Operational_risk_Export.pdf

tomasbjerre added a commit that referenced this issue Jul 26, 2023
@tomasbjerre
fix: stepping dependencies (refs #270)
031542f
tomasbjerre added a commit that referenced this issue Jul 26, 2023
@tomasbjerre
fix: stepping dependencies (refs #270)
43d959b
@tomasbjerre
Copy link
Contributor

I updated dependencies and they are now:

[INFO] org.jenkins-ci.plugins:generic-webhook-trigger:hpi:1.86.5-SNAPSHOT
[INFO] +- org.jenkins-ci.plugins:plain-credentials:jar:1.8:compile
[INFO] +- com.jayway.jsonpath:json-path:jar:2.8.0:compile
[INFO] |  \- net.minidev:json-smart:jar:2.4.10:runtime
[INFO] |     \- net.minidev:accessors-smart:jar:2.4.9:runtime
[INFO] +- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] +- com.google.code.gson:gson:jar:2.10.1:compile
[INFO] +- org.jenkins-ci.plugins:structs:jar:1.24:compile
[INFO] +- org.jenkins-ci.plugins:credentials:jar:2.6.2:compile
[INFO] |  \- org.antlr:antlr4-runtime:jar:4.9.2:compile
[INFO] +- com.github.jgonian:commons-ip-math:jar:1.32:compile
[INFO] +- com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:jar:20220608.1:compile
[INFO] +- junit:junit:jar:4.13.2:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:2.2:test
[INFO] +- org.assertj:assertj-core:jar:3.24.2:test
[INFO] |  \- net.bytebuddy:byte-buddy:jar:1.12.21:test
[INFO] +- org.mockito:mockito-core:jar:5.4.0:test
[INFO] |  +- net.bytebuddy:byte-buddy-agent:jar:1.14.5:test
[INFO] |  \- org.objenesis:objenesis:jar:3.3:test
[INFO] +- io.cucumber:cucumber-java:jar:7.13.0:test
[INFO] |  +- io.cucumber:cucumber-core:jar:7.13.0:test
[INFO] |  |  +- io.cucumber:cucumber-gherkin:jar:7.13.0:test
[INFO] |  |  +- io.cucumber:cucumber-gherkin-messages:jar:7.13.0:test
[INFO] |  |  |  \- io.cucumber:gherkin:jar:26.2.0:test
[INFO] |  |  +- io.cucumber:messages:jar:22.0.0:test
[INFO] |  |  +- io.cucumber:tag-expressions:jar:5.0.1:test
[INFO] |  |  +- io.cucumber:cucumber-expressions:jar:16.1.2:test
[INFO] |  |  +- io.cucumber:datatable:jar:7.13.0:test
[INFO] |  |  +- io.cucumber:cucumber-plugin:jar:7.13.0:test
[INFO] |  |  +- io.cucumber:docstring:jar:7.13.0:test
[INFO] |  |  +- io.cucumber:html-formatter:jar:20.3.1:test
[INFO] |  |  +- io.cucumber:junit-xml-formatter:jar:0.2.0:test
[INFO] |  |  \- io.cucumber:ci-environment:jar:9.2.0:test
[INFO] |  \- org.apiguardian:apiguardian-api:jar:1.1.2:test
[INFO] +- io.cucumber:cucumber-junit:jar:7.13.0:test
[INFO] +- org.jenkins-ci.main:jenkins-core:jar:2.361.4:provided
[INFO] |  +- org.jenkins-ci.main:cli:jar:2.361.4:provided
[INFO] |  +- org.jenkins-ci.main:remoting:jar:3044.vb_940a_a_e4f72e:provided
[INFO] |  +- antlr:antlr:jar:2.7.7:provided
[INFO] |  +- args4j:args4j:jar:2.33:provided
[INFO] |  +- com.github.spotbugs:spotbugs-annotations:jar:4.7.1:provided
[INFO] |  +- com.google.guava:guava:jar:31.1-jre:provided
[INFO] |  |  +- com.google.guava:failureaccess:jar:1.0.1:provided
[INFO] |  |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:provided
[INFO] |  |  \- com.google.code.findbugs:jsr305:jar:3.0.1:provided
[INFO] |  +- com.google.inject:guice:jar:5.0.1:provided
[INFO] |  |  \- javax.inject:javax.inject:jar:1:provided
[INFO] |  +- com.infradna.tool:bridge-method-annotation:jar:1.23:provided
[INFO] |  +- com.jcraft:jzlib:jar:1.1.3-kohsuke-1:provided
[INFO] |  +- com.sun.solaris:embedded_su4j:jar:1.1:provided
[INFO] |  +- com.sun.xml.txw2:txw2:jar:20110809:provided
[INFO] |  |  \- relaxngDatatype:relaxngDatatype:jar:20020414:provided
[INFO] |  +- com.thoughtworks.xstream:xstream:jar:1.4.19:provided
[INFO] |  |  \- io.github.x-stream:mxparser:jar:1.2.2:provided
[INFO] |  +- commons-beanutils:commons-beanutils:jar:1.9.4:provided
[INFO] |  +- commons-codec:commons-codec:jar:1.15:provided
[INFO] |  +- commons-collections:commons-collections:jar:3.2.2:provided
[INFO] |  +- commons-fileupload:commons-fileupload:jar:1.4:provided
[INFO] |  +- commons-httpclient:commons-httpclient:jar:3.1-jenkins-3:provided
[INFO] |  +- commons-io:commons-io:jar:2.11.0:provided
[INFO] |  +- commons-jelly:commons-jelly-tags-fmt:jar:1.0:provided
[INFO] |  +- commons-jelly:commons-jelly-tags-xml:jar:1.1:provided
[INFO] |  +- commons-lang:commons-lang:jar:2.6:provided
[INFO] |  +- io.jenkins.stapler:jenkins-stapler-support:jar:1.1:provided
[INFO] |  +- jakarta.servlet.jsp.jstl:jakarta.servlet.jsp.jstl-api:jar:1.2.7:provided
[INFO] |  +- jaxen:jaxen:jar:1.2.0:provided
[INFO] |  +- jline:jline:jar:2.14.6:provided
[INFO] |  +- net.java.dev.jna:jna:jar:5.12.1:provided
[INFO] |  +- net.java.sezpoz:sezpoz:jar:1.13:provided
[INFO] |  +- net.jcip:jcip-annotations:jar:1.0:provided
[INFO] |  +- net.sf.kxml:kxml2:jar:2.3.0:provided
[INFO] |  +- org.apache.ant:ant:jar:1.10.12:provided
[INFO] |  |  \- org.apache.ant:ant-launcher:jar:1.10.12:provided
[INFO] |  +- org.apache.commons:commons-compress:jar:1.21:provided
[INFO] |  +- org.codehaus.groovy:groovy-all:jar:2.4.21:provided
[INFO] |  +- org.connectbot.jbcrypt:jbcrypt:jar:1.0.0:provided
[INFO] |  +- org.fusesource.jansi:jansi:jar:1.11:provided
[INFO] |  +- org.jenkins-ci:annotation-indexer:jar:1.16:provided
[INFO] |  +- org.jenkins-ci:commons-jexl:jar:1.1-jenkins-20111212:provided
[INFO] |  +- org.jenkins-ci:crypto-util:jar:1.7:provided
[INFO] |  +- org.jenkins-ci:memory-monitor:jar:1.11:provided
[INFO] |  +- org.jenkins-ci:symbol-annotation:jar:1.23:provided
[INFO] |  +- org.jenkins-ci:task-reactor:jar:1.7:provided
[INFO] |  +- org.jenkins-ci:version-number:jar:1.10:provided
[INFO] |  +- org.jenkins-ci.main:websocket-spi:jar:2.361.4:provided
[INFO] |  +- org.jfree:jfreechart:jar:1.0.19:provided
[INFO] |  |  \- org.jfree:jcommon:jar:1.0.23:provided
[INFO] |  +- org.jvnet.hudson:commons-jelly-tags-define:jar:1.0.1-hudson-20071021:provided
[INFO] |  +- org.jvnet.localizer:localizer:jar:1.31:provided
[INFO] |  +- org.jvnet.robust-http-client:robust-http-client:jar:1.2:provided
[INFO] |  +- org.jvnet.winp:winp:jar:1.28:provided
[INFO] |  +- org.kohsuke:access-modifier-annotation:jar:1.27:provided
[INFO] |  +- org.kohsuke:windows-package-checker:jar:1.2:provided
[INFO] |  +- org.kohsuke.jinterop:j-interop:jar:2.0.8-kohsuke-1:provided
[INFO] |  |  \- org.kohsuke.jinterop:j-interopdeps:jar:2.0.8-kohsuke-1:provided
[INFO] |  |     \- org.samba.jcifs:jcifs:jar:1.3.18-kohsuke-1:provided
[INFO] |  +- org.kohsuke.stapler:json-lib:jar:2.4-jenkins-3:provided
[INFO] |  |  \- net.sf.ezmorph:ezmorph:jar:1.0.6:provided
[INFO] |  +- org.kohsuke.stapler:stapler:jar:1711.1713.vc400cfb_5597a_:provided
[INFO] |  |  +- commons-discovery:commons-discovery:jar:0.5:provided
[INFO] |  |  +- jakarta.annotation:jakarta.annotation-api:jar:2.1.1:provided
[INFO] |  |  +- javax.annotation:javax.annotation-api:jar:1.3.2:provided
[INFO] |  |  \- org.jvnet:tiger-types:jar:2.2:provided
[INFO] |  +- org.kohsuke.stapler:stapler-adjunct-codemirror:jar:1.3:provided
[INFO] |  +- org.kohsuke.stapler:stapler-adjunct-timeline:jar:1.5:provided
[INFO] |  +- org.kohsuke.stapler:stapler-groovy:jar:1711.1713.vc400cfb_5597a_:provided
[INFO] |  |  \- org.kohsuke.stapler:stapler-jelly:jar:1711.1713.vc400cfb_5597a_:provided
[INFO] |  |     +- org.dom4j:dom4j:jar:2.1.3:provided
[INFO] |  |     \- org.jenkins-ci:commons-jelly:jar:1.1-jenkins-20220630:provided
[INFO] |  +- org.ow2.asm:asm:jar:9.3:runtime
[INFO] |  +- org.ow2.asm:asm-analysis:jar:9.3:provided
[INFO] |  +- org.ow2.asm:asm-commons:jar:9.3:provided
[INFO] |  +- org.ow2.asm:asm-tree:jar:9.3:provided
[INFO] |  +- org.ow2.asm:asm-util:jar:9.3:provided
[INFO] |  +- org.slf4j:jcl-over-slf4j:jar:1.7.36:provided
[INFO] |  +- org.slf4j:log4j-over-slf4j:jar:1.7.36:provided
[INFO] |  +- org.springframework.security:spring-security-web:jar:5.7.2:provided
[INFO] |  |  +- org.springframework.security:spring-security-core:jar:5.7.2:provided
[INFO] |  |  |  \- org.springframework.security:spring-security-crypto:jar:5.7.2:provided
[INFO] |  |  +- org.springframework:spring-core:jar:5.3.22:provided
[INFO] |  |  +- org.springframework:spring-aop:jar:5.3.22:provided
[INFO] |  |  +- org.springframework:spring-beans:jar:5.3.22:provided
[INFO] |  |  +- org.springframework:spring-context:jar:5.3.22:provided
[INFO] |  |  +- org.springframework:spring-expression:jar:5.3.22:provided
[INFO] |  |  \- org.springframework:spring-web:jar:5.3.22:provided
[INFO] |  \- xpp3:xpp3:jar:1.1.4c:provided
[INFO] +- org.jenkins-ci.main:jenkins-war:executable-war:2.361.4:test
[INFO] |  +- org.jenkins-ci.main:websocket-jetty10:jar:2.361.4:test
[INFO] |  |  \- org.kohsuke.metainf-services:metainf-services:jar:1.9:test
[INFO] |  +- org.jenkins-ci.main:websocket-jetty9:jar:2.361.4:test
[INFO] |  \- org.slf4j:slf4j-jdk14:jar:1.7.36:test
[INFO] +- jakarta.servlet:jakarta.servlet-api:jar:4.0.4:provided
[INFO] +- commons-logging:commons-logging:jar:1.2:provided
[INFO] +- org.jenkins-ci.main:jenkins-test-harness:jar:2034.v41c9cb_349299:test
[INFO] |  +- io.jenkins.lib:support-log-formatter:jar:1.2:test
[INFO] |  +- org.eclipse.jetty:jetty-security:jar:10.0.15:test
[INFO] |  |  \- org.eclipse.jetty:jetty-server:jar:10.0.15:test
[INFO] |  |     +- org.eclipse.jetty:jetty-http:jar:10.0.15:test
[INFO] |  |     \- org.eclipse.jetty:jetty-io:jar:10.0.15:test
[INFO] |  +- org.eclipse.jetty:jetty-webapp:jar:10.0.15:test
[INFO] |  |  +- org.eclipse.jetty:jetty-servlet:jar:10.0.15:test
[INFO] |  |  \- org.eclipse.jetty:jetty-xml:jar:10.0.15:test
[INFO] |  |     \- org.eclipse.jetty:jetty-util:jar:10.0.15:test
[INFO] |  +- org.eclipse.jetty.websocket:websocket-jetty-server:jar:10.0.15:test
[INFO] |  |  +- org.eclipse.jetty.websocket:websocket-jetty-api:jar:10.0.15:test
[INFO] |  |  +- org.eclipse.jetty.websocket:websocket-jetty-common:jar:10.0.15:test
[INFO] |  |  |  \- org.eclipse.jetty.websocket:websocket-core-common:jar:10.0.15:test
[INFO] |  |  +- org.eclipse.jetty.websocket:websocket-servlet:jar:10.0.15:test
[INFO] |  |  |  \- org.eclipse.jetty.websocket:websocket-core-server:jar:10.0.15:test
[INFO] |  |  \- org.eclipse.jetty.toolchain:jetty-servlet-api:jar:4.0.6:test
[INFO] |  +- org.hamcrest:hamcrest:jar:2.2:test
[INFO] |  +- org.jenkins-ci.main:jenkins-test-harness-htmlunit:jar:147.va_2415a_7c06a_0:test
[INFO] |  +- org.junit.jupiter:junit-jupiter-api:jar:5.9.3:test
[INFO] |  |  +- org.opentest4j:opentest4j:jar:1.2.0:test
[INFO] |  |  \- org.junit.platform:junit-platform-commons:jar:1.9.3:test
[INFO] |  +- org.netbeans.modules:org-netbeans-insane:jar:RELEASE180:test
[INFO] |  +- org.openjdk.jmh:jmh-core:jar:1.36:test
[INFO] |  |  +- net.sf.jopt-simple:jopt-simple:jar:5.0.4:test
[INFO] |  |  \- org.apache.commons:commons-math3:jar:3.2:test
[INFO] |  \- org.openjdk.jmh:jmh-generator-annprocess:jar:1.36:test
[INFO] +- org.jenkins-ci:test-annotations:jar:1.4:test
[INFO] +- org.junit.jupiter:junit-jupiter:jar:5.9.3:test
[INFO] |  +- org.junit.jupiter:junit-jupiter-params:jar:5.9.3:test
[INFO] |  \- org.junit.jupiter:junit-jupiter-engine:jar:5.9.3:test
[INFO] \- org.junit.vintage:junit-vintage-engine:jar:5.9.3:test
[INFO]    \- org.junit.platform:junit-platform-engine:jar:1.9.3:test

tomasbjerre added a commit that referenced this issue Jul 26, 2023
@tomasbjerre
fix: stepping dependencies (refs #270)
302ed3a
@tomasbjerre
Copy link
Contributor

Cannot fix com.github.jgonian:commons-ip-math:jar:1.32 because that is the latest version. But the other findings should be fixed now.

Seems to be a problem with the Jenkins Maven repository, I'll release it when it works again.

@tomasbjerre tomasbjerre mentioned this issue Jul 27, 2023
Closed
@tomasbjerre
Copy link
Contributor

1.86.5 released with updated dependencies.

@dietmarpradler
Copy link
Author

Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tomasbjerre @dietmarpradler