Trojan FIle on Durable Task

Hi Folks, Hope you are doing well.
I recently installed Jenkins on my Ubuntu EC2 instance
And updated the version from 2.401.2 to 2.440.3
after scanning the system I got an error
Trojan:GenericKD.72346507 identified at locations: /var/lib/jenkins/plugins/durable-task/WEB-INF/lib/lib-durable-task-43.v0b_d629cd2b_0c.jar,/var/lib/jenkins/plugins/durable-task.jpi=>WEB-INF/lib/lib-durable-task-43.v0b_d629cd2b_0c.jar

Can anyone help me solve this issue? I’m eagerly awaiting your response. Thanks in advance!"

Jenkins setup:
Jenkins version :2.440.3
OS:Ubuntu 22.04

This is caused by the durable-task-plugin bundling lib-durable-task <= 550.v0930093c4b_a_6, which utilizes go versions flagged as CVE-2022-0811.

Updating the durable-task-plugin to versions >= 554.vc8635e99256e resolves the alert from your security scanner.

I am not 100% confident cause we keep rescanning the dependency and we’re getting following results leading to VirusTotal basically saying this package is still has issues

And this is the packages used in durable-task-plugin version 550.v0930093c4b_a_6

The “reporting vulnerabilities” page notes that


We do not consider the following issues to be vulnerabilities in Jenkins (core + plugins):

  • Claims of malware in Durable Task plugin or lib-durable-task unless substantiated (e.g., local builds from source are unaffected). Our best guess is that these tools consider the low-level process and signal handling and/or the bundling of native go binaries inside nested jar files in these components to be suspicious behavior. Please report this false positive finding to your anti-malware vendor.

The Jenkins security team does not accept vulnerability reports against the durable task plugin from virus scanners without additional evidence.

Tell the virus scanner vendor that they are reporting something that is not a virus and is not a vulnerability.