[INFRA-1022] Add support for warnings shown to Jenkins admins (#96)
* [INFRA-1022] Add support for warnings shown to Jenkins admins List of warnings is initialized with recent plugin vulnerabilities * [INFRA-1022] Rename 'uri' to 'url' * [INFRA-1022] Propagate failure to include warnings * [INFRA-1022] Add test for warnings JSON file * [INFRA-1022] Fix copy & paste error
1 parent
a197bce
commit a6431a9
Showing
3 changed files
with
151 additions
and
0 deletions.
@@ -0,0 +1,107 @@ | ||
[ | ||
{ | ||
"id": "SECURITY-208", | ||
"type": "plugin", | ||
"name": "google-login", | ||
"message": "Authentication bypass vulnerability", | ||
"url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-10-12", | ||
"versions": [ | ||
{ | ||
"lastVersion": "1.1", | ||
"pattern": "1[.][01](|[.-].*)" | ||
} | ||
] | ||
}, | ||
{ | ||
"id": "SECURITY-136", | ||
"type": "plugin", | ||
"name": "extra-columns", | ||
"message": "Stored XSS vulnerability", | ||
"url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-04-11", | ||
"versions": [ | ||
{ | ||
"lastVersion": "1.16", | ||
"pattern": "1[.](\\d|1[0123456])(|[.-].*)" | ||
} | ||
] | ||
}, | ||
{ | ||
"id": "SECURITY-258", | ||
"type": "plugin", | ||
"name": "script-security", | ||
"message": "Groovy sandbox protection incomplete", | ||
"url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-04-11", | ||
"versions": [ | ||
{ | ||
"lastVersion": "1.18", | ||
"pattern": "1[.](\\d|1[012345678])(|[.-].*)" | ||
} | ||
] | ||
}, | ||
{ | ||
"id": "SECURITY-85", | ||
"type": "plugin", | ||
"name": "tap", | ||
"message": "Path traversal vulnerability", | ||
"url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-06-20", | ||
"versions": [ | ||
{ | ||
"lastVersion": "1.24", | ||
"pattern": "1[.](\\d|1\\d|2[01234])(|[.-].*)" | ||
} | ||
] | ||
}, | ||
{ | ||
"id": "SECURITY-278", | ||
"type": "plugin", | ||
"name": "image-gallery", | ||
"message": "Path traversal vulnerability", | ||
"url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-06-20", | ||
"versions": [ | ||
{ | ||
"lastVersion": "1.3", | ||
"pattern": "(0[.].*|1[.][0123])(|[.-].*)" | ||
} | ||
] | ||
}, | ||
{ | ||
"id": "SECURITY-290", | ||
"type": "plugin", | ||
"name": "build-failure-analyzer", | ||
"message": "Cross-site scripting vulnerability", | ||
"url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-06-20", | ||
"versions": [ | ||
{ | ||
"lastVersion": "1.15.0", | ||
"pattern": "1[.](\\d|1[012345])[.]\\d+(|[.-].*)" | ||
} | ||
] | ||
}, | ||
{ | ||
"id": "SECURITY-305", | ||
"type": "plugin", | ||
"name": "async-http-client", | ||
"message": "Improper certificate validation", | ||
"url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-06-20", | ||
"versions": [ | ||
{ | ||
"lastVersion": "1.7.24", | ||
"pattern": "1[.]7[.](\\d(|[.-].*)|24)" | ||
} | ||
] | ||
}, | ||
{ | ||
"id": "SECURITY-309", | ||
"type": "plugin", | ||
"name": "cucumber-reports", | ||
"message": "Plugin disables Content-Security-Policy for files served by Jenkins", | ||
"url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-07-27", | ||
"versions": [ | ||
{ | ||
"firstVersion": "1.3.0", | ||
"lastVersion": "2.5.1", | ||
"pattern": "(1[.][34]|2[.][012345])(|[.-].*)" | ||
} | ||
] | ||
} | ||
] |
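--- a/src/test/java/org/jvnet/hudson/update_center/WarningsTest.java
+++ b/src/test/java/org/jvnet/hudson/update_center/WarningsTest.java
@@ -0,0 +1,36 @@
+package org.jvnet.hudson.update_center;
+
+import junit.framework.Assert;
+import net.sf.json.JSONArray;
+import net.sf.json.JSONObject;
+import org.apache.commons.io.IOUtils;
+
+import java.util.regex.Pattern;
+
+public class WarningsTest {
+public void testValidJsonFile() throws Exception {
+String warningsText = IOUtils.toString(this.getClass().getClassLoader().getResourceAsStream("warnings.json"));
+JSONArray warnings = JSONArray.fromObject(warningsText);
+
+for (int i = 0 ; i < warnings.size() ; i++) {
+JSONObject o = warnings.getJSONObject(i);
+assertNonEmptyString(o.getString("id"));
+assertNonEmptyString(o.getString("type"));
+assertNonEmptyString(o.getString("name"));
+assertNonEmptyString(o.getString("message"));
+assertNonEmptyString(o.getString("url"));
+JSONArray versions = o.getJSONArray("versions");
+for (int j = 0 ; j < versions.size() ; j++) {
+JSONObject version = versions.getJSONObject(j);
+String pattern = version.getString("pattern");
+assertNonEmptyString(pattern);
+Pattern p = Pattern.compile(pattern);
+}
+}
+}
+
+private void assertNonEmptyString(String str) {
+Assert.assertNotNull(str);
+Assert.assertFalse("".equals(str));
+}
+}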
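Review bot: `testValidJsonFile` is never discovered by a test runner as written: the class neither extends `junit.framework.TestCase` (JUnit 3 style, which the `junit.framework.Assert` import suggests) nor marks the method with `@org.junit.Test` (JUnit 4), so the `warnings.json` validation this commit adds will silently not execute. Depending on which JUnit the project uses, either add `import org.junit.Test;` and annotate the method with `@Test`, or declare `public class WarningsTest extends TestCase`. Two smaller points in the same method: `IOUtils.toString(InputStream)` reads with the platform default charset, so `IOUtils.toString(in, "UTF-8")` would make the parse independent of the build host, and the stream from `getResourceAsStream` is never closed; a null result (resource missing from the test classpath) also surfaces as an NPE rather than a clear assertion message. The unused `Pattern p` can be dropped in favour of calling `Pattern.compile(pattern)` for its side effect, with a comment noting that it exists only to fail on an invalid regex.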