2.440.3 Jenkins using an inbound-agent container image that is being flagged by container scans

We’re currently running Jenkins 2.440.3 in Docker. When it kicks off an agent and pulls the inbound-agent image, it is pulling “inbound-agent:3206.vb_15dcf73f6a_9-2”.

This image (inbound-agent:3206.vb_15dcf73f6a_9-2) is coming up in our Prisma scans with vulnerabilities that are well beyond our allowed aging ( > 90 days ).

I see there are many later images of inbound-agent in Dockerhub, but I have no idea how to control which version our Jenkins pulls. As of today 2.440.3 is the latest LTS… and we’ll upgrade to the next LTS in a week or so when it’s released, but in general the question is this - is the version of inbound-agent that gets pulled hardcoded/tied to the version of Jenkins, or can it be modified to use a newer one?

We run Jenkins under Kubernetes, but I do not know about how it works under Docker itself.

The way we control the agent image is under manage/cloud/kubernetes/template admin page. There we have our default template as such:

metadata:
  annotations:
    cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
spec:
  shareProcessNamespace: true
  dnsConfig:
    options:
      - name: attempts
        value: "5"
  containers:
  - name: "jnlp"
    image: "jenkins/inbound-agent:3206.vb_15dcf73f6a_9-11-alpine-jdk21"
    resources:
      requests:
        cpu: 0.1
      limits:
        cpu: 1
        memory: 425Mi

We further tune the memory and CPU limits on a per-pipeline basis through a custom Jenkins library which is called during an init stage.

If you use the Docker Plugin (we do not) the documentation is here: Docker

It looks like you should be able to customize the agent container under the clouds docker admin UI.

Tags are listed here: Docker

3206.vb_15dcf73f6a_9-2 is from 4 months ago

3206.vb_15dcf73f6a_9-11-alpine-jdk21 is from 7 days ago.

I do recommend that you keep the JDK version consistent between the controller and the agents. While Java marshaling is ‘supposed’ to be transparent, it can introduce hard-to-troubleshoot bugs.

The version of inbound agent that is pulled is not tied to the Jenkins version. You control it from your local configuration. Find that configuration and you can increase the version of that container image to the most recent version.
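An added example, not part of any post in this thread and not Jenkins project code: a Python check that reads agent pod-template text, finds every `inbound-agent` image, and reports images that are unpinned, older than a chosen baseline tag, or on a different JDK than the controller. It assumes tags follow `<remoting version>-<image revision>[-<variant>]`, as the two tags quoted above suggest, and that the leading number of the remoting version grows with each release; `parse_tag`, `audit_template`, the baseline tag and the controller JDK value are illustrative.

```python
import re

# Assumed tag layout, inferred from the two tags quoted in the thread:
#   <remoting version>-<image revision>[-<variant>]
TAG_RE = re.compile(r"^(\d+)\.v[0-9a-f_]+-(\d+)(?:-([a-z0-9-]+))?$")
IMAGE_RE = re.compile(r"""^\s*(?:-\s*)?image:\s*["']?([^\s"']+)""", re.M)

def parse_tag(tag):
    """Return (remoting_build, image_revision, jdk or None); None if unparseable."""
    m = TAG_RE.match(tag)
    if not m:
        return None
    jdk = re.search(r"jdk(\d+)", m.group(3) or "")
    return int(m.group(1)), int(m.group(2)), int(jdk.group(1)) if jdk else None

def audit_template(text, baseline_tag, controller_jdk):
    """Return (image, finding) pairs for inbound-agent images in `text`."""
    base = parse_tag(baseline_tag)
    if base is None:
        raise ValueError("baseline tag does not match the assumed layout")
    findings = []
    for ref in IMAGE_RE.findall(text):
        if "inbound-agent" not in ref or "@" in ref:  # digest pins carry no tag to age
            continue
        _, sep, tag = ref.rpartition(":")
        if not sep or "/" in tag or tag == "latest":
            findings.append((ref, "not pinned to a versioned tag"))
            continue
        parsed = parse_tag(tag)
        if parsed is None:
            findings.append((ref, "tag does not match the assumed layout"))
            continue
        build, rev, jdk = parsed
        if (build, rev) < base[:2]:
            findings.append((ref, "older than baseline " + baseline_tag))
        if jdk is None:
            findings.append((ref, "JDK not stated in tag"))
        elif jdk != controller_jdk:
            findings.append((ref, "JDK %d differs from controller JDK %d" % (jdk, controller_jdk)))
    return findings

# Constructed sample: two pod-template fragments using the tags from the thread.
SAMPLE = '''
containers:
- name: "jnlp"
  image: "jenkins/inbound-agent:3206.vb_15dcf73f6a_9-2"
---
containers:
- name: "jnlp"
  image: "jenkins/inbound-agent:3206.vb_15dcf73f6a_9-11-alpine-jdk21"
'''

if __name__ == "__main__":
    for image, finding in audit_template(SAMPLE, "3206.vb_15dcf73f6a_9-11", 21):
        print(image + ": " + finding)
```

Run against exported template YAML in CI, this surfaces a stale agent tag before the image scanner's aging threshold does.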