Unable to remove Static Analysis Utilities plugins

While performing plugin updates and Jenkins upgrade I was unable to remove Static Analysis Utilities plugins. Removal is not an option via the GUI. If I remove the plugins from the docker build and then from the plugins.txt, Jenkins is still reporting this as a CVE. Suspect the plugin is a dependency for other installed plugins but I was unable to figure it out. Can anyone assist?

Based on the plugins.txt file that you uploaded elsewhere, I don’t see any mention of static analysis utilities in that plugins.txt file.

When I load that file and run it with Jenkins 2.361.1, there are some issues (many plugins need to be updated), but the static analysis utilities are not in the installed plugins and they are not in the plugins.txt file. There is one deprecated plugin that should be removed, Pipeline: Deprecated Groovy Libraries, but that is the only deprecated plugin in your list.

You may need to remove the contents of the plugins directory in your container and restart the container.

By default, the docker plugin scripts will install into /usr/share/jenkins/ref/plugins
At startup, jenkins will copy without overwriting any files in /usr/share/jenkins/ref/plugins to /var/jenkins_home/plugins

That means if the .jpi file is still in /var/jenkins_home/plugins (for example you mount /var/jenkins_home outside of the image), it’ll still load it up. You’ll want to remove it from /var/jenkins_home/plugins as well

I’ve uploaded a revised version of your plugins.txt, updated with the most recent plugin releases.

I use this shell script to download Jenkins 2.361.1, download those plugins, and start Jenkins:

#!/bin/bash

# User reports cannot remove static analysis utilities
# https://github.com/jenkins-infra/helpdesk/issues/3155

JENKINS_WAR_VERSION=2.361.1
JENKINS_WAR=jenkins-${JENKINS_WAR_VERSION}.war
PLUGIN_MANAGER_VERSION=2.12.9
PLUGIN_MANAGER_JAR=jenkins-plugin-manager-${PLUGIN_MANAGER_VERSION}.jar

if [ ! -f ../$PLUGIN_MANAGER_JAR ]; then
  wget https://github.com/jenkinsci/plugin-installation-manager-tool/releases/download/${PLUGIN_MANAGER_VERSION}/$PLUGIN_MANAGER_JAR
  mv $PLUGIN_MANAGER_JAR ..
fi
if [ ! -d plugins ]; then
  mkdir plugins
fi
java -jar ../$PLUGIN_MANAGER_JAR --jenkins-version $JENKINS_WAR_VERSION --latest false --plugin-download-directory plugins --plugin-file plugins.txt

if [ ! -f ../$JENKINS_WAR ]; then
  wget https://get.jenkins.io/war-stable/${JENKINS_WAR_VERSION}/jenkins.war
  mv jenkins.war ../$JENKINS_WAR
fi

JENKINS_HOME=. java -jar ../$JENKINS_WAR

Correct, Static Analysis Utilities is not defined in the plugins.txt and that’s the issue. Being that it’s not defined but still making it to install is what the real problem is. I’m not sure if it’s because the update center has some kind of definition that’s required at install or what. It could also be a dependency of another plugin and there is some automation in the background that installs the plugin.

Also, I agree that the plugins could use updating, but keeping up with the cadence of plugins and versions coming out every week is a lot of work. Needless to say I’m a little behind; however, the vulnerability doesn’t hinder production. Silver lining.

I’ll give removing the contents of the plugins directory a try.

Thank you for the script!!

Thanks Mark!

Thanks halkeye, I’ll give that a try.

After removing the analysis-core plugin from /var/jenkins_home/plugins, Jenkins stopped with errors. I’m attaching the logs. jenkins-logs · GitHub

@MarkEWaite I also updated the plugins.txt with the changes you suggested

The log shows that Jenkins is failing to load plugins because the plugins it is trying to load do not meet its compatibility requirements. One of the plugins states that newer dependent plugin versions are required than you have provided.

I can’t duplicate the problem you’re describing. The issue must somehow be local to your environment or specific to the installation method that you’re using.

I created a plugins.txt file based on the original file you shared elsewhere, with one deprecated plugin removed and 50+ plugins updated to their current releases. I started Jenkins 2.361.1 in a fresh directory and confirmed that Jenkins starts without error and with all plugins enabled.

Something is causing outdated files to be left in your plugins directory. If you’ve cleared the contents of that directory and removed all of its subdirectories, then added the current releases of the desired plugins, then you should not be seeing that startup error message.

I’m seeing /configuration-as-code/reload/ in your logs. Are you manually calling that, or are you using the helm chart? It applies its own plugins from the pipeline. To entirely disable it (assuming you are using plugins.txt somewhere else), you want to do

controller:
  overwritePlugins: true # run rm /var/jenkins_home/plugins/*
  installPlugins: false # don't run the plugins.txt from helm

I’m using helm to deploy. I was curious about those controller plugins and what they should be set to. So if I’m setting the installPlugins config to false, do the plugins that need updating get installed through the overwritePlugins config being set to true?

The process for updating the plugins is to have a script look at the update center json and then use the copy command in a Dockerfile like so:
COPY plugins.txt /usr/share/jenkins/plugins.txt

I find the defaults in the helm chart incredibly frustrating. So my suggestion is to do all plugin management yourself, inside your container, and clear the plugin dir on startup.

You can just include the ones in the plugin - helm-charts/values.yaml at aff05875d84a7d79f010abc8756a11940804131b · jenkinsci/helm-charts · GitHub - in your plugins.txt. I don’t think the helm chart actually uses anything natively other than casc (which you already have enabled).

Ok, after multiple attempts of reloading the plugins via the controller.installPlugins and controller.overWritePlugins in the values.yaml configs, Jenkins still fails to start without analysis-core:1.96 and tasks:4.53 plugins.

So, I added them back in and I get Jenkins to start and run as intended. I can also upgrade to the latest version of Jenkins; however, the vulnerability is still a problem. I can’t remove the plugins and get Jenkins to a running state after I upgrade to the latest version either.

My guess… there is a dependency plugin that needs them to be in play in order to run or upgrade. Also, I looked in the update center json and didn’t see the two plugins listed so I’m still confused how to remove them without breaking Jenkins.
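To find out which installed plugin is pulling analysis-core or tasks back in, the Plugin-Dependencies header in each .jpi's META-INF/MANIFEST.MF can be read directly from the plugins directory. The following is an added example, not code from the thread or from the Jenkins project: it builds a reverse dependency map over every .jpi/.hpi in a directory, ignoring optional dependencies; the sample archives it creates (including the hypothetical example-reporter plugin) are constructed for the demonstration.

```python
import os
import tempfile
import zipfile


def read_manifest(jpi_path):
    """Return META-INF/MANIFEST.MF of a .jpi/.hpi as a dict (continuation lines joined)."""
    with zipfile.ZipFile(jpi_path) as z:
        text = z.read("META-INF/MANIFEST.MF").decode("utf-8")
    headers, key = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and key:          # manifest wraps long values at 72 bytes
            headers[key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            headers[key.strip()] = value.strip()
    return headers


def parse_dependencies(header):
    """Parse 'a:1.0,b:2.0;resolution:=optional' into {name: (version, optional)}."""
    deps = {}
    for entry in filter(None, header.split(",")):
        spec, *opts = entry.split(";")
        name, _, version = spec.partition(":")
        deps[name.strip()] = (version.strip(), any("optional" in o for o in opts))
    return deps


def reverse_dependencies(plugins_dir):
    """Map each plugin short name to the (plugin, required version) pairs that hard-depend on it."""
    reverse = {}
    for fname in sorted(os.listdir(plugins_dir)):
        if not fname.endswith((".jpi", ".hpi")):
            continue
        m = read_manifest(os.path.join(plugins_dir, fname))
        for dep, (ver, optional) in parse_dependencies(m.get("Plugin-Dependencies", "")).items():
            if not optional:
                reverse.setdefault(dep, []).append((m["Short-Name"], ver))
    return reverse


def make_sample_plugins_dir():
    """Constructed sample, not real plugin archives: manifests mimicking the chain in the thread."""
    d = tempfile.mkdtemp()
    samples = {"analysis-core": "", "tasks": "analysis-core:1.96",
               "example-reporter": "tasks:4.53,workflow-step-api:2.24;resolution:=optional"}
    for name, deps in samples.items():
        manifest = f"Manifest-Version: 1.0\r\nShort-Name: {name}\r\nPlugin-Dependencies: {deps}\r\n"
        with zipfile.ZipFile(os.path.join(d, name + ".jpi"), "w") as z:
            z.writestr("META-INF/MANIFEST.MF", manifest)
    return d
```

Point reverse_dependencies at the mounted /var/jenkins_home/plugins directory; every plugin that hard-depends on analysis-core or tasks is listed under that key, which is what has to be updated or removed before those two can go.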