I'm part of a security team in my organisation. We have a project running whereby we are trying to get an idea as to the security status of Jenkins instances across the Org. We have written some documentation to make available to Jenkins instance owners with details on how best they can secure their Jenkins instances. As part of this process, we are making some scripts available (shell and PowerShell) that Jenkins owners can run on their Jenkins servers; it will check various different security settings from various files, e.g. /var/lib/jenkins/config.xml, and “recommend” settings changes they should make in Global Security within Jenkins itself.
We also wanted to focus on possibly vulnerable plugin versions that may be installed on Jenkins instances. We were hoping that when the script was run, it would check if there were any plugins that have security warnings against them, similar to the red warning that is available in Plugin Manager:
“Warning: The currently installed plugin version may not be safe to use. Please review the following security notices:”
However, we don’t seem to be able to locate a file per se where this data might be stored for consumption by our script. Is this data available locally, or where is Plugin Manager pulling this data from? We can report out to the user what the installed version of a plugin is vs. the latest version available, but I feel it would be very important to report out to them if a plugin version has a vulnerability (CVE) against it and advise them to upgrade to the latest/later version.
So the question is: does Plugin Manager assign a red vulnerability warning to an installed plugin version based on data from a local resource, and where might that resource be so that it is consumable by a shell or PowerShell script? If it is not local, then an explanation as to how it gets live vulnerability data would be cool!
The vulnerability warning feature was a really cool addition… I’d just like to be able to tap into it for my own ends if possible!
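As an added example (not from the original post or from the Jenkins project), a Python sketch of the check the post describes, written against the update-center metadata that Jenkins caches under $JENKINS_HOME/updates/default.json: its `warnings` array lists per-plugin version-range regexes, which the script matches against the versions read from each installed .jpi manifest. The sample update-center data, plugin name, advisory ids and URLs below are constructed placeholders.

```python
import json
import re
import zipfile
from pathlib import Path

# Constructed sample of the update-center "warnings" array (the real file is the
# copy Jenkins caches at $JENKINS_HOME/updates/default.json); all ids are placeholders.
SAMPLE_UPDATE_CENTER = json.dumps({"warnings": [
    {"type": "plugin", "name": "example-plugin", "id": "SECURITY-PLACEHOLDER-1",
     "message": "example issue", "url": "https://example.invalid/advisory/1",
     "versions": [{"lastVersion": "1.2", "pattern": r"1[.][0-2](|[.-].*)"}]},
    {"type": "core", "id": "SECURITY-PLACEHOLDER-2", "message": "core-only warning",
     "url": "https://example.invalid/advisory/2", "versions": [{"pattern": r"2[.]0"}]},
]})

def load_update_center(text):
    """Parse update-center JSON, tolerating the JSONP wrapper 'updateCenter.post(...);'."""
    text = text.strip()
    if text.startswith("updateCenter.post("):
        text = text[len("updateCenter.post("):].rstrip(";").rstrip(")")
    return json.loads(text)

def installed_plugins(jenkins_home):
    """Map plugin short name -> version from each .jpi/.hpi manifest under plugins/."""
    found = {}
    for archive in Path(jenkins_home, "plugins").glob("*.[jh]pi"):
        manifest = zipfile.Path(archive, "META-INF/MANIFEST.MF").read_text()
        attrs, key = {}, None
        for line in manifest.splitlines():
            if line.startswith(" ") and key:       # manifest continuation line
                attrs[key] += line[1:]
            elif ": " in line:
                key, value = line.split(": ", 1)
                attrs[key] = value
        if "Short-Name" in attrs and "Plugin-Version" in attrs:
            found[attrs["Short-Name"]] = attrs["Plugin-Version"].split(" ")[0]
    return found

def flagged_plugins(update_center, installed):
    """Return (name, version, warning id, url) for installed plugins a warning covers."""
    hits = []
    for w in update_center.get("warnings", []):
        if w.get("type") != "plugin" or w.get("name") not in installed:
            continue
        version = installed[w["name"]]
        # "pattern" is matched against the whole version string; no "versions" list means all versions.
        ranges = w.get("versions") or [{"pattern": ".*"}]
        if any(re.fullmatch(r["pattern"], version) for r in ranges):
            hits.append((w["name"], version, w["id"], w.get("url", "")))
    return hits
```

On a real server, `flagged_plugins(load_update_center(Path(home, "updates", "default.json").read_text()), installed_plugins(home))` gives the list to report; core-type warnings are skipped because they apply to the Jenkins version, not to a plugin.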