Hi Folks, Hope you are doing well.
I recently installed Jenkins on my Ubuntu EC2 instance and updated the version from 2.401.2 to 2.440.3.
After scanning the system I got an error: Trojan:GenericKD.72346507 identified at locations: /var/lib/jenkins/plugins/durable-task/WEB-INF/lib/lib-durable-task-43.v0b_d629cd2b_0c.jar,/var/lib/jenkins/plugins/durable-task.jpi=>WEB-INF/lib/lib-durable-task-43.v0b_d629cd2b_0c.jar
Can anyone help me solve this issue? I’m eagerly awaiting your response. Thanks in advance!
Jenkins setup:
Jenkins version: 2.440.3
OS: Ubuntu 22.04
I am not 100% confident because we keep rescanning the dependency and we’re getting the following results leading to VirusTotal, basically saying this package still has issues
And these are the packages used in durable-task-plugin version 550.v0930093c4b_a_6
We do not consider the following issues to be vulnerabilities in Jenkins (core + plugins):
Claims of malware in Durable Task plugin or lib-durable-task unless substantiated (e.g., local builds from source are unaffected). Our best guess is that these tools consider the low-level process and signal handling and/or the bundling of native go binaries inside nested jar files in these components to be suspicious behavior. Please report this false positive finding to your anti-malware vendor.
The Jenkins security team does not accept vulnerability reports against the durable task plugin from virus scanners without additional evidence.
Tell the virus scanner vendor that they are reporting something that is not a virus and is not a vulnerability.
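
One way to gather the "additional evidence" the policy asks for, as an added example that is not part of any post in this thread or of the Jenkins project: walk the nested archives of a plugin file, list the native executables bundled inside, and compare their SHA-256 digests with those from a reference copy such as a local build from source. The sample archive, its entry names and the helper names are constructed for illustration.

```python
import hashlib, io, zipfile

# Magic bytes of native executable formats (Java's 0xCAFEBABE is left out on purpose).
MAGICS = {b"\x7fELF": "ELF", b"MZ": "PE",
          b"\xcf\xfa\xed\xfe": "Mach-O", b"\xce\xfa\xed\xfe": "Mach-O"}
MAX_ENTRY = 64 * 1024 * 1024  # skip oversized entries rather than inflate them

def inventory(data, prefix="", depth=0, max_depth=4):
    """List (path, kind, sha256) for native executables in a nested zip/jar/jpi."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_ENTRY:
                continue
            blob = zf.read(info)
            path = prefix + info.filename
            kind = next((k for m, k in MAGICS.items() if blob.startswith(m)), None)
            if kind:
                found.append((path, kind, hashlib.sha256(blob).hexdigest()))
            elif depth < max_depth and zipfile.is_zipfile(io.BytesIO(blob)):
                # "=>" mirrors the nested-archive notation in the scanner's report
                found += inventory(blob, path + "=>", depth + 1, max_depth)
    return found

def differences(flagged, reference):
    """Paths whose hash in `flagged` is absent from or differs in `reference`."""
    ref = {path: digest for path, _, digest in reference}
    return [path for path, _, digest in flagged if ref.get(path) != digest]

def sample_jpi(binary):
    """Constructed stand-in for a .jpi: one nested jar holding one fake binary."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("bin/agent_linux_64", binary)  # hypothetical entry name
        z.writestr("README.txt", "constructed sample")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("WEB-INF/lib/lib-sample.jar", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    downloaded = inventory(sample_jpi(b"\x7fELF" + b"\x00" * 32))
    rebuilt = inventory(sample_jpi(b"\x7fELF" + b"\x00" * 32))
    for path, kind, digest in downloaded:
        print(kind, digest, path)
    print("differs from reference:", differences(downloaded, rebuilt))
```

To use it on real files, pass the bytes of the installed `.jpi` and of the reference copy to `inventory`. A digest mismatch against your own build can also come from a different Go toolchain version, so it is a prompt for closer inspection, not a verdict.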