jenkinsci / xray-connector-plugin

Xray Test Management Connector for Jenkins
https://plugins.jenkins.io/xray-connector/
MIT License

Upgrade jQuery dependency #65

Open jensdotbruggeman opened 2 years ago

jensdotbruggeman commented 2 years ago

What feature do you want to see added?

Our internal security scan reveals that our Jenkins instance contains a jQuery vulnerability. This jQuery dependency was installed by installation of "XRay Connector plugin".

[attached screenshot of the scan result]

org.jenkins-ci.plugins jquery 1.12.4-0

Can this dependency be upgraded or removed?

Thank you for your assistance

Jens

Upstream changes

No response

diwannikhil commented 2 years ago

Hi @jensdotbruggeman,

Thank you for raising this issue!

We acknowledge it and have started investigating. I further request that you share a few details:

Here is the release link where you can find the list of vulnerabilities for each plugin release: https://mvnrepository.com/artifact/org.jenkins-ci.plugins/jquery?repo=jenkins-releases and https://mvnrepository.com/artifact/org.jenkins-ci.plugins/jquery/1.12.4-1 (for the latest).

Thanks again for sharing!

Regards, Nikhil Diwan

jensdotbruggeman commented 2 years ago

hi @diwannikhil ,

Thank you for your feedback.

We received an external audit on our tools and it pointed out that our Jenkins instance is serving an old version of jQuery:

jQuery | 1.12.4 | 3.6.0 | vulnerable

As the version of jQuery is (very) old, it contains a number of known vulnerabilities.

Is the dependency of jQuery absolutely required? Or can the dependency be upgraded?

Best regards, Jens

diwannikhil commented 2 years ago

Hi @jensdotbruggeman,

Yes, jQuery dependency is required for this plugin.

We have this issue in our task list. We will be upgrading jQuery to the latest 3.x version; since it is a major upgrade to jQuery 3, it will also require thorough testing.

We will keep everyone posted here about further updates on this issue. Thanks again!

Regards, Nikhil Diwan

joaocfernandes commented 1 year ago

Hello @diwannikhil ,

Thanks for your update. Our scans also detect that Xray is the only plugin (from our set) depending on the jQuery plugin (which has not been updated for 3 years now).

Best regards, João Fernandes
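The check described in the comment above, finding which installed plugins pull in the old jQuery plugin, can be automated against the Jenkins plugin manager's JSON API. The script below is an added example and is not code from the plugin project or from any commenter. It assumes the `shortName` / `version` / `dependencies` field layout of `/pluginManager/api/json?depth=1`, and the sample JSON is constructed (only `jquery 1.12.4-0` is taken from the issue; the `xray-connector` and `example-downstream` versions are placeholders). It goes slightly beyond the comment by also listing transitive dependents, so a plugin that only reaches jQuery through another plugin is reported too.

```python
import json
import re
from collections import deque
from typing import Any, Dict, List, Optional

# Constructed sample in the shape returned by Jenkins'
# /pluginManager/api/json?depth=1 (assumption: the shortName / version /
# dependencies field names). Only "jquery 1.12.4-0" comes from the issue;
# every other version string here is a made-up placeholder.
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({
    "plugins": [
        {"shortName": "jquery", "version": "1.12.4-0", "dependencies": []},
        {"shortName": "xray-connector", "version": "0.0.0-example",
         "dependencies": [{"shortName": "jquery", "version": "1.12.4-0", "optional": False}]},
        {"shortName": "example-downstream", "version": "1.0",
         "dependencies": [{"shortName": "xray-connector", "version": "0.0.0-example", "optional": False}]},
        {"shortName": "git", "version": "5.0.0",
         "dependencies": [{"shortName": "credentials", "version": "1200.0", "optional": True}]},
    ]
})


def parse_version(version: str) -> tuple:
    """Turn a Jenkins plugin version like '1.12.4-0' into (1, 12, 4).

    Only the dotted numeric part before the first '-' is compared; the
    packaging suffix ('-0', '-1') does not change the bundled jQuery.
    """
    head = version.split("-", 1)[0]
    return tuple(int(p) for p in re.findall(r"\d+", head))


def dependents_of(plugins: List[Dict[str, Any]], target: str) -> List[str]:
    """Plugins that depend on `target`, directly or transitively.

    Builds the reverse dependency graph (dependency -> dependents) and walks
    it breadth-first from `target`; result is sorted for stable reporting.
    """
    reverse: Dict[str, List[str]] = {}
    for plugin in plugins:
        for dep in plugin.get("dependencies", []):
            reverse.setdefault(dep["shortName"], []).append(plugin["shortName"])

    seen = set()
    queue = deque([target])
    found: List[str] = []
    while queue:
        name = queue.popleft()
        for child in reverse.get(name, []):
            if child not in seen:
                seen.add(child)
                found.append(child)
                queue.append(child)
    return sorted(found)


def jquery_report(plugin_manager_json: str, minimum_major: int = 3) -> Dict[str, Any]:
    """Report the installed jquery plugin version, who depends on it, and
    whether it is below the wanted major version (3.x by default)."""
    plugins = json.loads(plugin_manager_json)["plugins"]
    installed: Optional[str] = next(
        (p["version"] for p in plugins if p["shortName"] == "jquery"), None)
    needs_upgrade = installed is not None and parse_version(installed) < (minimum_major,)
    return {
        "installed_version": installed,
        "dependents": dependents_of(plugins, "jquery"),
        "needs_upgrade": needs_upgrade,
    }


if __name__ == "__main__":
    # Against a live controller you would fetch the JSON with an API token,
    # e.g. from JENKINS_URL/pluginManager/api/json?depth=1, and pass it here.
    print(json.dumps(jquery_report(SAMPLE_PLUGIN_MANAGER_JSON), indent=2))
```

The report tells you two things the issue thread asks for: whether the `jquery` plugin on the controller is still 1.x, and the exact set of plugins you would have to replace or upgrade before the old plugin could be removed. Dependency names are matched by `shortName` only; optional dependencies are included on purpose, since Jenkins still loads the old jQuery when an optional dependent triggers its installation.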

jensdotbruggeman commented 1 year ago

Any news on this update? Our IT security team is requesting that this dependency be upgraded.

cniweb commented 2 months ago

Hi @diwannikhil, any news on this update? Our IT security team is requesting that this dependency be upgraded.

cniweb commented 2 months ago

You can use jQuery 3.x: https://docs.cloudbees.com/docs/cloudbees-ci-kb/latest/client-and-managed-controllers/ci-2-277-1-2-jquery-3-5-x-upgrade