Bundle publish-over-ssh plugin.

This plugin has been delisted citing unresolved security issues[1].

* Stored XSS vulnerability requiring Overall/Administer permissions. [CVE-2022-23110](https://nvd.nist.gov/vuln/detail/CVE-2022-23110)
* CSRF vulnerability. [CVE-2022-23111](https://nvd.nist.gov/vuln/detail/CVE-2022-23111)
* Missing permission check allowing connection tests to be performed using only Overall/Read permissions. [CVE-2022-23112](https://nvd.nist.gov/vuln/detail/CVE-2022-23112)
* Path traversal vulnerability requiring Item/Configure permissions. [CVE-2022-23113](https://nvd.nist.gov/vuln/detail/CVE-2022-23113)
* Password stored in plain text by Publish Over SSH Plugin. [CVE-2022-23114](https://nvd.nist.gov/vuln/detail/CVE-2022-23114)

Many of these problems require administrator permissions to leverage but
some of them are exploitable without. To mitigate this I plan to block
these requests at the nginx reverse proxy layer.

[1]: https://www.jenkins.io/security/advisory/2022-01-12/

attributes/plugins.rb

@@ -82,7 +82,7 @@
   "pollscm" => "1.3.1",
   "popper-api" => "1.16.1-2",
   "publish-over" => "0.22",
-  "publish-over-ssh" => "1.22",
+  #"publish-over-ssh" => "1.22",
   "purge-build-queue-plugin" => "1.0",
   "rebuild" => "1.31",
   "run-condition" => "1.2",

recipes/jenkins.rb

@@ -46,6 +46,15 @@
     notifies :restart, 'service[jenkins]', :delayed
   end
 end
+# Install bundled publish-over-ssh plugin which was delisted from the Jenkins plugin server
+cookbook_file '/tmp/publish-over-ssh.hpi' do
+  source 'publish-over-ssh.hpi'
+  owner 'jenkins'
+  mode '0600'
+end
+jenkins_plugin 'publish-over-ssh' do
+  source 'file:///tmp/publish-over-ssh.hpi'
+end
 # Install plugins required to run ros_buildfarm.
 node['ros_buildfarm']['jenkins']['plugins'].each do |plugin, ver|
   jenkins_plugin plugin do