jenkinsci / allure-plugin

Allure Jenkins Plugin
https://plugins.jenkins.io/allure-jenkins-plugin/

Version 2.30.2 is dependent on Log4j #311

Closed niveshvashist closed 1 year ago

niveshvashist commented 2 years ago

Jenkins and plugins versions report

We have a master-agent setup of Jenkins. When we generate the Allure report for a project, the Log4j jar is downloaded on the agent machine automatically. Our security tool fails the tests on the Jenkins agent machine as there is log4j-1.2.17.jar on the following path: /home/ubuntu/tools/ru.yandex.qatools.allure.jenkins.tools.AllureCommandlineInstallation/allure/lib/ The version 2.30.1 says that the dependency is removed. Still, the log4j jar is downloaded.

What Operating System are you using (both controller, and any agents involved in the problem)?

ubuntu 20.04

Reproduction steps

  1. Install Allure 2.30.2 on the Jenkins master.
  2. Run angular tests and create Allure report from pipeline.
  3. log4j-1.2.17.jar is automatically downloaded on the following path on the agent machine: /home/ubuntu/tools/ru.yandex.qatools.allure.jenkins.tools.AllureCommandlineInstallation/allure/lib/

Expected Results

Log4j jar should not get downloaded

Actual Results

Log4j jar getting downloaded

Anything else?

No response

niveshvashist commented 2 years ago

Hi, since this is related to security, this is a bit of a high-priority thing. Can you provide a resolution soon?

fv-ian commented 2 years ago

Can we get some feedback on this one? This is driving us toward not being allowed to use this due to the security concern.

niveshvashist commented 2 years ago

@fv-ian Do I need to provide more details?

niveshvashist commented 2 years ago

On Jenkins master, after running the below command in the pipeline: "script { allure([ includeProperties: false, jdk: '', properties: [], reportBuildPolicy: 'ALWAYS', results: [[path: 'target/allure-results']] ]) }"

The log4j jar is generated at the following location on the node machine (kindly refer to the image): /home/ubuntu/tools/ru.yandex.qatools.allure.jenkins.tools.AllureCommandlineInstallation/allure/lib

image

jimtut commented 2 years ago

Why do you think it's a security concern? Lots of apps use log4j, it's kind of a standard. Log4j itself is not a security problem, only certain versions. According to https://logging.apache.org/log4j/2.x/security.html, the version shown above (1.2.17) is not impacted by that well-known log4j vulnerability.

iguyking commented 2 years ago

This is still an issue as 1.2.17 has a pretty high impact score.

https://www.cvedetails.com/cve/CVE-2019-17571/

niveshvashist commented 1 year ago

Hi @iguyking and @jimtut,

Just wanted to check if there is any update on this issue? I further found that the Allure plugin is essentially dependent on the log4j-1.2.17 jar. I manually deleted the jar and tried generating the report. The plugin gave the error "java.lang.NoClassDefFoundError: org/apache/log4j/Level". Replacing the jar fixed the issue. May I have any intimation/timeline regarding:

We have to decide our reporting tool accordingly. Thanks, Nivesh

vbragin commented 1 year ago

Hello @niveshvashist

The problem you describe does not correspond to the allure-plugin for Jenkins. The path you provide, /home/ubuntu/tools/ru.yandex.qatools.allure.jenkins.tools.AllureCommandlineInstallation/allure/lib, corresponds to the allure-commandline tool you are using for report generation.

Please use the latest version, like 2.21.0. As far as I know, there is no log4j there anymore. Anyway, ask in https://github.com/allure-framework/allure2 about it.
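As an added example (not code from this thread or from the Allure projects), the check below inspects an allure-commandline installation's lib/ directory on an agent and flags any Log4j 1.x jar, so you can confirm the jar is gone after switching tool versions. It assumes the tool path quoted in the report and the standard Log4j jar naming (log4j-<version>.jar for 1.x, log4j-<artifact>-<version>.jar for 2.x); nothing is downloaded or modified.

```shell
#!/bin/sh
# Added example, not code from the issue thread or the Allure projects:
# inspect an allure-commandline installation's lib/ directory on a Jenkins
# agent and flag any Log4j 1.x jar (the log4j-1.2.17.jar the reporter found).
# The default path is the AllureCommandlineInstallation path quoted in the issue.

# Extract the version from a Log4j jar file name:
#   log4j-1.2.17.jar       -> 1.2.17
#   log4j-core-2.17.1.jar  -> 2.17.1
# Prints nothing for jars that are not Log4j.
log4j_version_from_jar() {
  printf '%s\n' "$1" | sed -n 's/^log4j\(-[a-z]\{1,\}\)*-\([0-9][0-9.]*\)\.jar$/\2/p'
}

# Succeed (return 0) when the version belongs to the end-of-life Log4j 1.x branch.
is_log4j1() {
  [ "${1%%.*}" = "1" ]
}

# List every Log4j jar in a lib directory as "<file> <version>".
# Returns 1 if at least one Log4j 1.x jar is present, 0 if none, 2 on a bad path.
scan_lib_dir() {
  libdir="$1"
  [ -d "$libdir" ] || { echo "no such directory: $libdir" >&2; return 2; }
  hits=0
  for jar in "$libdir"/log4j*.jar; do
    [ -e "$jar" ] || continue           # glob matched nothing
    name=$(basename "$jar")
    version=$(log4j_version_from_jar "$name")
    [ -n "$version" ] || continue
    if is_log4j1 "$version"; then
      echo "$name $version LOG4J-1.x (EOL branch: update the allure-commandline tool)"
      hits=$((hits + 1))
    else
      echo "$name $version"
    fi
  done
  [ "$hits" -eq 0 ]
}

# Scan the tool path from the issue, or a directory passed as the first argument.
main() {
  scan_lib_dir "${1:-/home/ubuntu/tools/ru.yandex.qatools.allure.jenkins.tools.AllureCommandlineInstallation/allure/lib}"
}
```

Source the file on the agent and call `main` (or `scan_lib_dir` with another path); a non-zero exit is the signal to use as a gate in a pipeline step.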