Open noelslice opened 3 years ago
The banner is still accurate because, while new builds made with version >= 1.40.0 are not affected by the vulnerability, any builds started with earlier versions stay at risk. See https://www.jenkins.io/security/advisory/2018-03-26/#SECURITY-261 and https://github.com/jenkins-infra/update-center2/blob/master/resources/warnings.json#L1820
This banner can't go away until a newer version of the plugin actually implements a cleanup task that executes something similar to https://github.com/jenkinsci-cert/SECURITY-261 at startup.
Interesting. Thanks for clarifying. This makes sense.
while new builds made with version >= 1.40.0 are not affected by the vulnerability, any builds started with earlier versions stay at risk
I think this has to be clarified in the banner, because the current wording strongly discourages any new users from installing and using this plugin.
Agreed. Unfortunately, I think the banner and the message are generated automatically as long as the current version matches the pattern in https://github.com/jenkins-infra/update-center2/blob/master/resources/warnings.json#L1820
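To make the mechanism in the comment above concrete: the update-center warning entries carry a list of version ranges, each with a regular expression that is tested against the installed plugin's version string, and the banner is shown whenever one of them matches. The following is an added illustration, not code from update-center2 or Jenkins core. The two warning entries, their patterns and the `warning_applies` helper are constructed for this example (they are not the real SECURITY-261 entry at the linked line), and it assumes, as a labelled assumption, that the pattern is evaluated as a full match against the version string.

```python
import re

# Constructed warning entries in the shape of an update-center warnings.json
# "versions" list. Both are hypothetical; neither is the real SECURITY-261 entry.
WARNING_ALL_VERSIONS = {
    "id": "SECURITY-261-example",
    "versions": [{"pattern": ".*"}],  # matches every version, so the banner never goes away
}

WARNING_BOUNDED = {
    "id": "SECURITY-261-example",
    # Hypothetical range covering 1.0 .. 1.39.x only; 1.40.0 and later do not match
    "versions": [{"lastVersion": "1.39", "pattern": r"1[.](3[0-9]|[0-9])(|[.].*)"}],
}


def warning_applies(warning, plugin_version):
    """Return True if any version range of the warning covers plugin_version.

    Assumption (labelled): each range's "pattern" is a regular expression that
    must fully match the plugin version string for the warning to apply.
    """
    return any(
        re.fullmatch(rng["pattern"], plugin_version) is not None
        for rng in warning.get("versions", [])
    )


def affected_versions(warning, versions):
    """Return the subset of the given version strings that trigger the warning."""
    return [v for v in versions if warning_applies(warning, v)]


if __name__ == "__main__":
    sample = ["1.9", "1.39", "1.39.1", "1.40.0", "1.41"]
    print("unbounded:", affected_versions(WARNING_ALL_VERSIONS, sample))
    print("bounded:  ", affected_versions(WARNING_BOUNDED, sample))
```

With the unbounded pattern every version in the list, 1.40.0 included, is flagged, which is the behaviour the thread is complaining about; with the bounded pattern only 1.9, 1.39 and 1.39.1 are flagged. Whether the range should be bounded at all is the separate question raised earlier in the thread: the cleanup of builds created by older versions is not something a version regex can express.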
Seconding @okainov. It took some convincing of folks on my end that the plugin was actually safe to use and was no longer affected by the issue.
Came across this issue and filed https://github.com/jenkins-infra/update-center2/pull/486
If the content the Jenkins security team puts out is misleading, confusing, or even outright wrong, please let us know! We try our best to provide accurate information, but sometimes we get it wrong, or what was a reasonable workaround to a limitation we encountered at the time isn't anymore, years later.
This is no longer an issue since version 1.40.0? Should that red banner be updated so it doesn't say the current version is affected?