Greetings,
We have a docker container with Jenkins version 2.302.2, which is used for CI/CD with Bitbucket. We read last month’s security post and would like to upgrade to a newer version to prevent some possible threats.
The problem is, last time we tried to upgrade our container to a newer version, there were some issues with some plugins and GlobalMatrixAuthorizationStrategy, so we had to return to the previous snapshot with version 2.302.2.
So, my question is, how should we proceed with the upgrade, should we update the plugins first and then the container? Should we make smaller upgrades between versions instead of just updating to the newest version?
Jenkins setup:
OS: Linux - 5.4.0-156-generic
Java: 11.0.12 - Eclipse Foundation (OpenJDK 64-Bit Server VM)
ace-editor:1.1
active-directory:2.25
analysis-model-api:10.5.2
ansicolor:1.0.0
ant:1.12
antisamy-markup-formatter:2.3
apache-httpcomponents-client-4-api:4.5.13-1.0
aqua-security-scanner:3.2.1
artifactory:3.13.2
authentication-tokens:1.4
authorize-project:1.4.0
basic-branch-build-strategies:1.3.2
bitbucket:1.1.29
bitbucket-filter-project-trait:1.0
blueocean:1.25.0
blueocean-autofavorite:1.2.4
blueocean-bitbucket-pipeline:1.25.0
blueocean-commons:1.25.0
blueocean-config:1.25.0
blueocean-core-js:1.25.0
blueocean-dashboard:1.25.0
blueocean-display-url:2.4.1
blueocean-events:1.25.0
blueocean-git-pipeline:1.25.0
blueocean-github-pipeline:1.25.0
blueocean-i18n:1.25.0
blueocean-jira:1.25.0
blueocean-jwt:1.25.0
blueocean-personalization:1.25.0
blueocean-pipeline-api-impl:1.25.0
blueocean-pipeline-editor:1.25.0
blueocean-pipeline-scm-api:1.25.0
blueocean-rest:1.25.0
blueocean-rest-impl:1.25.0
blueocean-web:1.25.0
bootstrap4-api:4.6.0-3
bootstrap5-api:5.1.1-1
bootstraped-multi-test-results-report:2.1.3
bouncycastle-api:2.25
branch-api:2.7.0
build-name-setter:2.2.0
build-timeout:1.20
built-on-column:1.1
caffeine-api:2.9.2-29.v717aac953ff3
checks-api:1.7.2
clearcase:1.6.8
cloudbees-bitbucket-branch-source:2.9.11
cloudbees-folder:6.16
cobertura:1.16
code-coverage-api:2.0.2
command-launcher:1.6
conditional-buildstep:1.4.1
config-file-provider:3.8.1
configuration-as-code:1.54
configurationslicing:1.52
confluence-publisher:2.0.6
copyartifact:1.46.2
credentials:2.6.1
credentials-binding:1.27
cvs:2.19
dashboard-view:2.17
data-tables-api:1.11.3-1
delivery-pipeline-plugin:1.4.2
display-url-api:2.3.5
docker-commons:1.17
docker-workflow:1.26
doktor:0.4.1
dtkit-api:3.0.0
durable-task:1.39
echarts-api:5.2.1-2
email-ext:2.84
emailext-template:1.2
embeddable-build-status:2.0.3
envinject:2.4.0
envinject-api:1.7
external-monitor-job:1.7
extra-columns:1.24
ez-templates:1.3.4
favorite:2.3.3
font-awesome-api:5.15.4-1
forensics-api:1.5.0
git:4.8.2
git-client:3.10.0
git-parameter:0.9.13
git-server:1.10
github:1.34.1
github-api:1.133
github-branch-source:2.11.3
gitlab-plugin:1.5.22
gradle:1.37.1
handlebars:3.0.8
handy-uri-templates-2-api:2.1.8-1.0
htmlpublisher:1.27
ivy:2.1
jackson2-api:2.13.0-230.v59243c64b0a5
javadoc:1.6
jaxb:2.3.0.1
jdk-tool:1.5
jenkins-design-language:1.25.0
jenkins-multijob-plugin:1.36
jira:3.6
jira-steps:1.6.0
jjwt-api:0.11.2-9.c8b45b8bb173
jquery:1.12.4-1
jquery-detached:1.2.1
jquery3-api:3.6.0-2
jsch:0.1.55.2
junit:1.53
junit-realtime-test-reporter:0.6
ldap:2.7
locale:1.4
localization-support:1.1
localization-zh-cn:1.0.24
lockable-resources:2.11
mailer:1.34
mapdb-api:1.0.9.0
matrix-auth:2.6.8
matrix-project:1.19
maven-plugin:3.14
mercurial:2.15
miniorange-saml-sp:1.0.5
mission-control-view:0.9.16
momentjs:1.1.1
msbuild:1.30
multi-branch-project-plugin:0.7
nodejs:1.4.1
okhttp-api:3.14.9
p4:1.11.6
pam-auth:1.6
parameterized-trigger:2.41
performance:3.20
pipeline-build-step:2.15
pipeline-github-lib:1.0
pipeline-graph-analysis:1.11
pipeline-input-step:2.12
pipeline-milestone-step:1.3.2
pipeline-model-api:1.9.2
pipeline-model-definition:1.9.2
pipeline-model-extensions:1.9.2
pipeline-rest-api:2.19
pipeline-stage-step:2.5
pipeline-stage-tags-metadata:1.9.2
pipeline-stage-view:2.19
pipeline-utility-steps:2.10.0
plain-credentials:1.7
plugin-util-api:2.5.0
popper-api:1.16.1-2
popper2-api:2.10.2-1
project-stats-plugin:0.4
publish-over:0.22
publish-over-ssh:1.22
pubsub-light:1.16
rebuild:1.32
repo:1.14.0
resource-disposer:0.16
role-strategy:3.2.0
run-condition:1.5
scala-junit-name-decoder:1.0
scm-api:2.6.5
scoverage:1.4.0
script-security:1.78
simple-theme-plugin:0.7
slack:2.48
snakeyaml-api:1.29.1
sse-gateway:1.24
ssh:2.6.1
ssh-agent:1.23
ssh-credentials:1.19
ssh-slaves:1.33.0
ssh-steps:2.0.0
sshd:3.1.0
structs:1.23
subversion:2.15.0
throttle-concurrents:2.4
timestamper:1.13
token-macro:266.v44a80cf277fd
translation:1.16
trilead-api:1.0.13
variant:1.4
veracode-jenkins-plugin:18.11.5.8
veracode-scan:21.9.16.0
warnings-ng:9.5.1
windows-slaves:1.8
workflow-aggregator:2.6
workflow-api:2.47
workflow-basic-steps:2.24
workflow-cps:2.94
workflow-cps-global-lib:2.21
workflow-durable-task-step:2.39
workflow-job:2.42
workflow-multibranch:2.26
workflow-scm-step:2.13
workflow-step-api:2.24
workflow-support:3.8
ws-cleanup:0.39
xunit:3.0.4
Thanks for your help