[INFRA-1022] Add support for warnings shown to Jenkins admins (#96)
* [INFRA-1022] Add support for warnings shown to Jenkins admins

List of warnings is initialized with recent plugin vulnerabilities

* [INFRA-1022] Rename 'uri' to 'url'

* [INFRA-1022] Propagate failure to include warnings

* [INFRA-1022] Add test for warnings JSON file

* [INFRA-1022] Fix copy & paste error
daniel-beck committed Jan 10, 2017
1 parent a197bce commit a6431a9
Showing 3 changed files with 151 additions and 0 deletions.
8 changes: 8 additions & 0 deletions src/main/java/org/jvnet/hudson/update_center/Main.java
Expand Up @@ -27,6 +27,7 @@
import net.sf.json.JSONArray;
import net.sf.json.JSONObject;
import org.apache.commons.io.FileUtils;
import org.apache.commons.io.IOUtils;
import org.kohsuke.args4j.ClassParser;
import org.kohsuke.args4j.CmdLineException;
import org.kohsuke.args4j.CmdLineParser;
Expand Down Expand Up @@ -216,6 +217,7 @@ private JSONObject buildUpdateCenterJson(MavenRepository repo, LatestLinkBuilder
JSONObject core = buildCore(repo, latest);
if (core!=null)
root.put("core", core);
root.put("warnings", buildWarnings());
root.put("plugins", buildPlugins(repo, latest));
root.put("id",id);
if (connectionCheckUrl!=null)
Expand All @@ -227,6 +229,12 @@ private JSONObject buildUpdateCenterJson(MavenRepository repo, LatestLinkBuilder
return root;
}

private JSONArray buildWarnings() throws IOException {
String warningsText = IOUtils.toString(this.getClass().getClassLoader().getResourceAsStream("warnings.json"));
JSONArray warnings = JSONArray.fromObject(warningsText);
return warnings;
}

private static void writeToFile(String string, final File file) throws IOException {
PrintWriter rhpw = new PrintWriter(new OutputStreamWriter(new FileOutputStream(file),"UTF-8"));
rhpw.print(string);
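Review bot: `buildWarnings()` hands the result of `getResourceAsStream("warnings.json")` straight to `IOUtils.toString` without a null check, without a charset, and without ever closing the stream. If the resource is missing from the built jar the method dies with a NullPointerException rather than a message naming the resource, and the file is decoded with the platform default charset even though `writeToFile` in the same file pins UTF-8 for output. Since this array decides which security warnings admins see, failing loudly with a clear cause is the right behaviour; the rewrite below (needs `java.io.InputStream` in the imports) keeps the `throws IOException` contract. The enclosing class continues outside the hunk.
```java
private JSONArray buildWarnings() throws IOException {
    try (InputStream in = this.getClass().getClassLoader().getResourceAsStream("warnings.json")) {
        if (in == null) {
            throw new IOException("warnings.json not found on the classpath");
        }
        return JSONArray.fromObject(IOUtils.toString(in, "UTF-8"));
    }
}
```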
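--- /dev/null
+++ b/src/main/resources/warnings.json
@@ -0,0 +1,107 @@
+[
+{
+"id": "SECURITY-208",
+"type": "plugin",
+"name": "google-login",
+"message": "Authentication bypass vulnerability",
+"url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-10-12",
+"versions": [
+{
+"lastVersion": "1.1",
+"pattern": "1[.][01](|[.-].*)"
+}
+]
+},
+{
+"id": "SECURITY-136",
+"type": "plugin",
+"name": "extra-columns",
+"message": "Stored XSS vulnerability",
+"url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-04-11",
+"versions": [
+{
+"lastVersion": "1.16",
+"pattern": "1[.](\\d|1[0123456])(|[.-].*)"
+}
+]
+},
+{
+"id": "SECURITY-258",
+"type": "plugin",
+"name": "script-security",
+"message": "Groovy sandbox protection incomplete",
+"url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-04-11",
+"versions": [
+{
+"lastVersion": "1.18",
+"pattern": "1[.](\\d|1[012345678])(|[.-].*)"
+}
+]
+},
+{
+"id": "SECURITY-85",
+"type": "plugin",
+"name": "tap",
+"message": "Path traversal vulnerability",
+"url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-06-20",
+"versions": [
+{
+"lastVersion": "1.24",
+"pattern": "1[.](\\d|1\\d|2[01234])(|[.-].*)"
+}
+]
+},
+{
+"id": "SECURITY-278",
+"type": "plugin",
+"name": "image-gallery",
+"message": "Path traversal vulnerability",
+"url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-06-20",
+"versions": [
+{
+"lastVersion": "1.3",
+"pattern": "(0[.].*|1[.][0123])(|[.-].*)"
+}
+]
+},
+{
+"id": "SECURITY-290",
+"type": "plugin",
+"name": "build-failure-analyzer",
+"message": "Cross-site scripting vulnerability",
+"url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-06-20",
+"versions": [
+{
+"lastVersion": "1.15.0",
+"pattern": "1[.](\\d|1[012345])[.]\\d+(|[.-].*)"
+}
+]
+},
+{
+"id": "SECURITY-305",
+"type": "plugin",
+"name": "async-http-client",
+"message": "Improper certificate validation",
+"url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-06-20",
+"versions": [
+{
+"lastVersion": "1.7.24",
+"pattern": "1[.]7[.](\\d(|[.-].*)|24)"
+}
+]
+},
+{
+"id": "SECURITY-309",
+"type": "plugin",
+"name": "cucumber-reports",
+"message": "Plugin disables Content-Security-Policy for files served by Jenkins",
+"url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-07-27",
+"versions": [
+{
+"firstVersion": "1.3.0",
+"lastVersion": "2.5.1",
+"pattern": "(1[.][34]|2[.][012345])(|[.-].*)"
+}
+]
+}
+]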
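Review bot: The `pattern` for SECURITY-305, `1[.]7[.](\\d(|[.-].*)|24)`, matches 1.7.0–1.7.9 and exactly `1.7.24`, but not 1.7.10–1.7.23 and not `1.7.24` followed by a `.`/`-` suffix, while every other entry in the file admits such suffixes. That is presumably deliberate (the intermediate versions may never have been released, and a suffixed release may carry the fix), but nothing in the file records it, and a gap in one of these regexes fails silently toward "no warning shown". Since JSON has no room for comments, the reasoning belongs in the commit message or in a test that checks each entry's `firstVersion` and `lastVersion` against its own pattern, so a later edit does not "normalise" the pattern to match the others.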
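--- /dev/null
+++ b/src/test/java/org/jvnet/hudson/update_center/WarningsTest.java
@@ -0,0 +1,36 @@
+package org.jvnet.hudson.update_center;
+
+import junit.framework.Assert;
+import net.sf.json.JSONArray;
+import net.sf.json.JSONObject;
+import org.apache.commons.io.IOUtils;
+
+import java.util.regex.Pattern;
+
+public class WarningsTest {
+public void testValidJsonFile() throws Exception {
+String warningsText = IOUtils.toString(this.getClass().getClassLoader().getResourceAsStream("warnings.json"));
+JSONArray warnings = JSONArray.fromObject(warningsText);
+
+for (int i = 0 ; i < warnings.size() ; i++) {
+JSONObject o = warnings.getJSONObject(i);
+assertNonEmptyString(o.getString("id"));
+assertNonEmptyString(o.getString("type"));
+assertNonEmptyString(o.getString("name"));
+assertNonEmptyString(o.getString("message"));
+assertNonEmptyString(o.getString("url"));
+JSONArray versions = o.getJSONArray("versions");
+for (int j = 0 ; j < versions.size() ; j++) {
+JSONObject version = versions.getJSONObject(j);
+String pattern = version.getString("pattern");
+assertNonEmptyString(pattern);
+Pattern p = Pattern.compile(pattern);
+}
+}
+}
+
+private void assertNonEmptyString(String str) {
+Assert.assertNotNull(str);
+Assert.assertFalse("".equals(str));
+}
+}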
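Review bot: `testValidJsonFile` carries no `@Test` annotation and `WarningsTest` does not extend `TestCase`, so neither a JUnit 3 nor a JUnit 4 runner will execute it and the JSON file the commit message says is "tested" is never checked; add `import org.junit.Test;` and `@Test` above the method (the `junit.framework.Assert` import suggests an older JUnit API, so confirm which version the build provides). The inner loop compiles each `pattern` and then discards `p`, so a pattern that is syntactically valid but fails to cover its advertised range passes; `Assert.assertTrue(p.matcher(version.getString("lastVersion")).matches());` pins at least the documented last affected version, and the same for `firstVersion` where present. The stream from `getResourceAsStream` is read with the platform charset and never closed; `IOUtils.toString(in, "UTF-8")` inside a try-with-resources would fix both, and a null check on the stream would turn a missing resource into a readable failure instead of a NullPointerException.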
