
I'm on Jenkins version 2.234. Our audit team reported that the latest jQuery plugin used by Jenkins is version 1.12.4 which is fairly old and has a lot of vulnerabilities.

They found the 1.12.4 jQuery plugin on the below URL:

[https://myhost:9043/adjuncts/24d46f61/org/kohsuke/stapler/jquery/jquery.full.js]

The current version of jQuery is 3.5.1 [https://jquery.com/download/]

A second issue is with the summary report plugin [https://www.jenkins.io/doc/pipeline/steps/summary_report/] that I use. It implicitly ships with an even older jQuery version 1.4.2 and can be accessed using the below URL on my system [https://myhost:9043/plugin/summary_report/lib/jquery/js/jquery-1.4.2.min.js]

How do I go about addressing the vulnerabilities in jQuery, as the proposed solution is simply updating it?

I'm, however, unaware of how to update jQuery for Jenkins as well as for the Display Report plugin.

Can someone please suggest?

  • Where does the jquery come from? It might be Jenkins, but it also might be any of its plugins. Can the plugins be updated? If not, then how about uninstalling them? If this is not an option then you have a problem. – Marek Puchalski Jun 30 '20 at 20:56
  • It is definitely Jenkins core product and not plugins as far as JQuery 1.12.4 is concerned. See here: https://plugins.jenkins.io/jquery3-api/ Note from documentation: Since Jenkins uses jQuery 1.x as well make sure to use the global symbol jQuery3 rather than $ when accessing jQuery 3.x. Can we remove the old jquery plugin 1.12.x and install jquery3 plugin; will it break anything? I have not written anything specific to jquery just that one of my plugins `summary_report` uses a different & older version of jquery 1.4.x but it too ships as a library inside the `summary_report` plugin. – Ashar Jul 01 '20 at 07:40
  • If the issue lies in Jenkins, I would create a ticket to them to fix it. Updating jQuery yourself is like asking for trouble. Updating up to 3.5.1 needs skipping 2 major releases forward and will most probably not work. And look at the page https://jquery.com/. Looks like 1.x and 2.x jQuery versions will no longer receive patches... – Marek Puchalski Jul 01 '20 at 07:45

0 Answers
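The comment thread turns on one practical question: which archive actually ships each jQuery copy, since only a plugin you can update or uninstall is something you can fix yourself. The script below is an added example written for this page, not code from Jenkins or from the summary_report plugin. It inventories every jQuery build bundled in the `.jpi`/`.hpi` archives under `$JENKINS_HOME/plugins` (plugin archives are zip files, and plugins may keep further jars under `WEB-INF/lib`, which it descends into), reads the version from the banner comment at the top of each file, and flags 1.x/2.x copies as end-of-life per the jquery.com note quoted in the comments. The sample plugin archives it builds are constructed in a temporary directory to mimic the layouts named in the question; they are not the real plugin contents, and the plugin names and member paths are assumptions for illustration. The copy Jenkins core serves under `/adjuncts/.../org/kohsuke/stapler/jquery/` comes from the Stapler library inside `jenkins.war` rather than from a plugin, so to cover that one open `jenkins.war` with `zipfile` and pass it to `scan_archive`.

```python
"""Inventory bundled jQuery copies in Jenkins plugin archives and flag EOL versions.

Added example for this question; not part of Jenkins or any plugin. The sample
plugin archives are constructed inline so the script runs offline.
"""
import io
import pathlib
import re
import tempfile
import zipfile

# File names that look like a jQuery build: jquery.js, jquery-1.4.2.min.js, jquery.full.js ...
JQUERY_NAME = re.compile(r"(^|/)jquery[^/]*\.js$", re.IGNORECASE)
# Version banner at the top of every jQuery build, e.g.
#   "/*! jQuery v1.12.4 | ..."   or   " * jQuery JavaScript Library v1.4.2"
JQUERY_BANNER = re.compile(r"jQuery(?: JavaScript Library)? v(\d+\.\d+\.\d+)")
NESTED_ARCHIVE = (".jar", ".war", ".zip")


def jquery_version(js_source: str):
    """Return the version from the banner, or None if the file carries no banner."""
    m = JQUERY_BANNER.search(js_source[:4096])  # the banner is always in the first lines
    return m.group(1) if m else None


def scan_archive(zf: zipfile.ZipFile, prefix: str = "", depth: int = 0):
    """Yield (path_inside_archive, version) for every jQuery file in zf,
    descending into nested jars (plugins keep their own jars under WEB-INF/lib)."""
    for name in zf.namelist():
        if JQUERY_NAME.search(name):
            text = zf.read(name).decode("utf-8", errors="replace")
            yield prefix + name, jquery_version(text)
        elif depth < 2 and name.lower().endswith(NESTED_ARCHIVE):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                yield from scan_archive(inner, prefix + name + "!/", depth + 1)


def scan_plugins_dir(plugins_dir):
    """Map plugin name -> [(path, version), ...] for each .jpi/.hpi in the directory."""
    report = {}
    for p in sorted(pathlib.Path(plugins_dir).iterdir()):
        if p.suffix.lower() in (".jpi", ".hpi"):
            with zipfile.ZipFile(p) as zf:
                hits = list(scan_archive(zf))
            if hits:
                report[p.stem] = hits
    return report


def is_end_of_life(version):
    """jquery.com states that 1.x and 2.x no longer receive patches: anything below 3 is EOL."""
    return version is not None and int(version.split(".")[0]) < 3


def build_sample_plugins(root):
    """Constructed sample archives (assumed layouts, NOT real plugin contents)."""
    root = pathlib.Path(root)
    # Mimics the path the question quotes for summary_report (1.4.2, unminified banner style).
    with zipfile.ZipFile(root / "summary_report.jpi", "w") as zf:
        zf.writestr("lib/jquery/js/jquery-1.4.2.min.js",
                    "/*!\n * jQuery JavaScript Library v1.4.2\n */\n(function(){})();")
    # A plugin that carries jQuery inside a nested jar under WEB-INF/lib.
    with zipfile.ZipFile(root / "jquery3-api.jpi", "w") as zf:
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as jar:
            jar.writestr("META-INF/resources/jquery3.js",
                         "/*! jQuery v3.5.1 | (c) JS Foundation | jquery.org/license */")
        zf.writestr("WEB-INF/lib/jquery3-api.jar", inner.getvalue())
    # A plugin with no jQuery at all, to show it is left out of the report.
    with zipfile.ZipFile(root / "some-plugin.jpi", "w") as zf:
        zf.writestr("index.jelly", "<j:jelly/>")
    return root


def demo():
    """Build the constructed samples in a temp dir and return the scan report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_plugins(tmp)
        return scan_plugins_dir(tmp)


if __name__ == "__main__":
    # For a real instance: scan_plugins_dir("/var/lib/jenkins/plugins")  (path is an assumption)
    for plugin, hits in demo().items():
        for path, version in hits:
            flag = "EOL" if is_end_of_life(version) else "ok"
            print(f"{plugin}: {path} -> jQuery {version} [{flag}]")
```

Run it against the real `plugins` directory to get a per-plugin list; a plugin that shows up with a 1.x copy is one to update or uninstall, as the comments suggest, rather than something to patch by hand. Files with no banner are reported with version `None` so a renamed or stripped copy is not silently skipped.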