
Update script-security plugin dependency to the latest version to fix security issues #10

Merged
merged 1 commit into from
Nov 28, 2019

Conversation

@oleg-nenashev oleg-nenashev changed the title Update script-security plugin to the latest version to fix security issues Update script-security plugin dependency to the latest version to fix security issues Nov 28, 2019

@oleg-nenashev oleg-nenashev left a comment


It does not really change anything, because plugins are managed at the Jenkins level, and we expect it to be updated there. This version basically defines the minimum required version of the plugin. I do not see any harm in updating it, so I am approving it.


jglick commented Nov 28, 2019

Yeah, makes no actual difference. Better to use https://github.com/jenkinsci/bom in general, though in this case there is just one dep so it hardly matters.

@oleg-nenashev (Member) commented

I will merge it anyway; we expect users to use recent versions, so it makes sense to at least run tests with it.

@oleg-nenashev oleg-nenashev merged commit e37e47d into jenkinsci:master Nov 28, 2019
@angry-cellophane (Author) commented

Thank you for the quick response. I completely agree with everything you said.

The reason for me to raise this PR was slightly different and "enterprise-ish".
I work in an organization which cares about security probably more than average. So in order to use this plugin I need to get it uploaded to an internal Maven repo and get the plugin scanned for vulnerabilities first. Even though I can use a newer version of script-sandbox (and I should) in Jenkins, scan reports show security vulnerabilities in dependencies, which makes my life harder, as I need to explain why these vulnerabilities are not relevant for this plugin and it can be used internally. It's much easier to get it into the firm if the plugin has no known issues.

I'm not trying to start a discussion about the best ways to scan libraries, or the different ways to configure Maven/Gradle and the Java classpath; I just wanted to share the reason behind this PR.

Appreciate your help and quick response.


jglick commented Dec 2, 2019

scan reports show security vulnerabilities in dependencies

Try to configure your scanner to only show vulnerabilities in bundled dependencies, i.e., those physically present in the artifact—which this is not.

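The distinction jglick draws above is between what a plugin archive physically ships and what it merely declares. A Jenkins plugin (.hpi) is a zip whose META-INF/MANIFEST.MF carries a Plugin-Dependencies header naming other plugins (script-security among them) that the Jenkins instance must already have installed, while only third-party jars under WEB-INF/lib/ are actually bundled. The script below, an added example that is not code from this PR, the plugin or Jenkins, separates the two so a scan result can be checked against what is really inside the artifact. The sample archive, its plugin name, and the dependency versions in it are constructed for the example and are not taken from this PR.

```python
"""Inspect a Jenkins plugin archive (.hpi): list jars physically bundled
under WEB-INF/lib/ versus plugins only declared in Plugin-Dependencies.

Added example, not the plugin's or Jenkins' own code. The sample .hpi is
built in memory (constructed data, assumed names and versions) so the
script runs offline; real archives use the same layout.
"""
import io
import sys
import zipfile


def parse_manifest(text):
    """Parse a JAR manifest into a dict. Per the JAR spec a line that
    starts with a single space continues the previous header value."""
    headers = {}
    key = None
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith(" ") and key is not None:
            headers[key] += raw[1:]
        elif ":" in raw:
            key, _, value = raw.partition(":")
            key = key.strip()
            headers[key] = value.strip()
    return headers


def declared_plugin_dependencies(manifest):
    """Return {plugin_name: (version, optional)} from Plugin-Dependencies.
    Entries look like 'script-security:1.68' or
    'foo:1.0;resolution:=optional' (the latter marks an optional dep)."""
    deps = {}
    for entry in filter(None, manifest.get("Plugin-Dependencies", "").split(",")):
        spec, _, flags = entry.strip().partition(";")
        name, _, version = spec.partition(":")
        deps[name] = (version, "resolution:=optional" in flags)
    return deps


def bundled_jars(zf):
    """Jar files actually shipped inside the archive under WEB-INF/lib/."""
    return sorted(
        n.rsplit("/", 1)[1]
        for n in zf.namelist()
        if n.startswith("WEB-INF/lib/") and n.endswith(".jar")
    )


def inspect_hpi(data):
    """Summarise one .hpi given as bytes: plugin name, bundled jars,
    and declared (not bundled) plugin dependencies."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        return {
            "plugin": manifest.get("Short-Name"),
            "bundled": bundled_jars(zf),
            "declared": declared_plugin_dependencies(manifest),
        }


def build_sample_hpi():
    """Constructed sample archive (assumed plugin name and versions) that
    declares script-security as a plugin dependency but bundles only its
    own classes jar and one third-party library. The Plugin-Dependencies
    value is deliberately wrapped onto a continuation line."""
    manifest = (
        "Manifest-Version: 1.0\r\n"
        "Short-Name: example-plugin\r\n"
        "Plugin-Dependencies: script-security:1.68,workflow-step-api:2.20;re\r\n"
        " solution:=optional\r\n"
        "\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("WEB-INF/lib/example-plugin.jar", b"")
        zf.writestr("WEB-INF/lib/commons-lang-2.6.jar", b"")
        zf.writestr("WEB-INF/classes/placeholder", b"")
    return buf.getvalue()


if __name__ == "__main__":
    # Pass a real .hpi path as the first argument, otherwise use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_hpi()
    report = inspect_hpi(data)
    print(f"plugin: {report['plugin']}")
    print("bundled jars (what a scanner should look at):")
    for jar in report["bundled"]:
        print(f"  {jar}")
    print("declared plugin dependencies (resolved by the Jenkins instance, not shipped):")
    for name, (version, optional) in report["declared"].items():
        print(f"  {name} >= {version}{' (optional)' if optional else ''}")
```

Run it against a real archive with `python inspect_hpi.py some-plugin.hpi`; anything under the "declared" list is the installed Jenkins instance's responsibility to keep patched, which is the case for the script-security version bumped in this PR.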