Jenkins Plugins Security Warnings

Hi,

I'm part of a security team in my organisation. We have a project running whereby we are trying to get an idea as to the security status of Jenkins instances across the org. We have written some documentation to make available to Jenkins instance owners with details on how best they can secure their Jenkins instances. As part of this process, we are making some scripts available (shell and PowerShell) that Jenkins owners can run on their Jenkins servers; it will check various different security settings from various files, e.g. /var/lib/jenkins/config.xml, and "recommend" settings changes they should make in Global Security within Jenkins itself.
We also wanted to focus on possible vulnerable plugin versions that may be installed on Jenkins instances. We were hoping that when the script was run, it would check if there were any plugins that have security warnings against them - similar to the red warning that is available in Plugin Manager;

“Warning: The currently installed plugin version may not be safe to use. Please review the following security notices:”

However, we don't seem to be able to locate a file per se where this data might be stored for consumption by our script. Is this data available locally, or where is Plugin Manager pulling this data from? We can report out to the user what the installed version of a plugin is vs the latest version available, but I feel it would be very important to report out to them if a plugin version has a vulnerability (CVE) against it and advise them to upgrade to the latest/later version.

So the question is: does Plugin Manager assign a red vulnerability warning to an installed plugin version based on data from a local resource, and where might that resource be so that it is consumable by a shell or PowerShell script? If it is not local, then an explanation as to how it gets live vulnerability data would be cool!
The vulnerability warning feature was a really cool addition… I'd just like to be able to tap into it for my own ends if possible!

Much appreciated,

Donal

update-center2/warnings.json at f8239fbee0e506cbd069f8cc9fb62bac299b4777 · jenkins-infra/update-center2 · GitHub has all the warnings.

The plugin site pulls warnings from the update center JSON (plugin-site/utils.js at 1b6c01f511b55cb81a104ab20a585378310b6fd5 · jenkins-infra/plugin-site · GitHub), which in turn comes from https://updates.jenkins.io/update-center.actual.json, but I can't find any warnings in that file, so the raw data above might be better.

The Jenkins Update Center UI just uses that same data.

curl -qLs https://updates.jenkins.io/update-center.actual.json | jq '.warnings[1]'
{
  "id": "SECURITY-136",
  "message": "Stored XSS vulnerability",
  "name": "extra-columns",
  "type": "plugin",
  "url": "https://jenkins.io/security/advisory/2016-04-11/",
  "versions": [
    {
      "lastVersion": "1.16",
      "pattern": "1[.](\\d|1[0123456])(|[.-].*)"
    }
  ]
}
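To turn the `warnings` array shown above into the check the original poster wanted, here is an added example (not code from the thread or from the Jenkins project) that cross-references an installed-plugin inventory against warning entries. The `extra-columns` entry is the one from the reply above; the `core` entry, the inventory and the placeholder URL/id are constructed for the example. It mirrors how Jenkins applies `versions[].pattern` as an anchored regex match against the installed version string.

```python
import re

# Constructed sample with the shape of the `warnings` array in
# update-center.actual.json. The extra-columns entry is copied from the thread;
# the "core" entry is a placeholder that only shows filtering by type.
SAMPLE_WARNINGS = [
    {
        "id": "SECURITY-136",
        "message": "Stored XSS vulnerability",
        "name": "extra-columns",
        "type": "plugin",
        "url": "https://jenkins.io/security/advisory/2016-04-11/",
        "versions": [{"lastVersion": "1.16", "pattern": r"1[.](\d|1[0123456])(|[.-].*)"}],
    },
    {
        "id": "SECURITY-PLACEHOLDER",  # constructed, not a real advisory id
        "message": "placeholder core warning",
        "name": "core",
        "type": "core",
        "url": "https://example.com/placeholder-advisory",
        "versions": [{"lastVersion": "2.0", "pattern": r"2[.]0(|[.-].*)"}],
    },
]


def version_is_affected(warning, version):
    """True if any versions[].pattern matches the whole installed version.

    Jenkins compiles each pattern as a Java regex and calls matches(), which is
    an anchored full match, so re.fullmatch reproduces that behaviour.
    """
    return any(re.fullmatch(r["pattern"], version) for r in warning.get("versions", []))


def find_plugin_warnings(installed, warnings=SAMPLE_WARNINGS):
    """Cross-reference installed plugins (name -> version) with warnings.

    Only type == "plugin" entries apply to plugins; type == "core" entries refer
    to the Jenkins version itself and are skipped here.
    """
    findings = []
    for w in warnings:
        if w.get("type") != "plugin":
            continue
        version = installed.get(w["name"])
        if version is not None and version_is_affected(w, version):
            findings.append({"plugin": w["name"], "installed": version,
                             "id": w["id"], "message": w["message"], "url": w["url"]})
    return findings


if __name__ == "__main__":
    # Constructed inventory; on a real instance build it from plugins/*.jpi
    # manifests or the Installed tab of Plugin Manager.
    for f in find_plugin_warnings({"extra-columns": "1.12", "git": "4.0.0"}):
        print(f"{f['plugin']} {f['installed']}: {f['id']} {f['message']} ({f['url']})")
```

In a real run, replace `SAMPLE_WARNINGS` with the `warnings` key of the downloaded update-center.actual.json and the inventory with the instance's installed plugins.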

It was right in front of my eyes all along. Thank you for your concise response Gavin!