On Wed, Oct 29, 2025 at 04:19:55PM +0100, Sebastian Pipping wrote:
> On 10/29/25 14:03, Daniel Beck wrote:
> > Additionally, we announce unresolved security issues in the following
> > plugins:
> >
> > * Azure CLI Plugin
> > * ByteGuard Build Actions Plugin
> > * Curseforge Publisher Plugin
> > * Eggplant Runner Plugin
> > * Extensible Choice Parameter Plugin
> > * JDepend Plugin
> > * Nexus Task Runner Plugin
> > * OpenShift Pipeline Plugin
> > * Publish to Bitbucket Plugin
> > * Start Windocks Containers Plugin
> > * Themis Plugin
>
> For anyone else who also wonders about the combination of announcing
> without a fix (and the motivation or story behind it), I found
> https://www.jenkins.io/security/plugins/#unresolved for a documented
> answer.
Thanks. Posting this answer directly in here for those too busy to visit
links and for archival, as taken from the Markdown source:
https://raw.githubusercontent.com/jenkins-infra/jenkins.io/refs/heads/master/content/security/plugins.adoc

> == Announcing Unresolved Vulnerabilities
>
> In case of a plugin vulnerability, we try to contact the plugin maintainer(s)
> to inform them of it.
> If they decline (or otherwise fail) to fix the vulnerability, or don't
> respond in a timely manner, and the security team doesn't have the capacity
> to fix it, we follow the process outlined below in the interest of our users:
>
> . Publish a security advisory about the plugin, describing the nature of the
> vulnerability, but noting that there is no fix (other than no longer using
> the plugin).
> If there are workarounds, explain them.
> . In some cases of particularly severe vulnerabilities,
> link:#suspensions[stop publishing the vulnerable plugin on the Jenkins update
> sites].
> . Add metadata to update sites to inform administrators on the Jenkins UI
> about vulnerable plugins they have installed.
> . Display security warnings on https://plugins.jenkins.io/[the plugins site].
>
> This allows Jenkins administrators to make an informed decision about their
> continued use of plugins with unresolved security vulnerabilities.
>
> == Following Up Later
>
> Some maintainers end up fixing security vulnerabilities after we have
> announced it as unresolved in their plugin.
> This can be any time between hours and years after publication.
>
> In those cases, security advisories will _not_ be amended, as the information
> provided was correct at the time of publication.
> Additionally, the security advisory will be clear that the lack of a fix is
> only known "_as of publication of this advisory_".
>
> We will update the security warnings metadata that is shown to administrators
> in Jenkins and on https://plugins.jenkins.io/[the plugins site].
> Maintainers can inform us through Jira or email about a fix or
> https://github.com/jenkins-infra/update-center2/#security-warnings[file a
> pull request updating the warnings metadata] themselves.
> Once we confirm the fix is correct and complete, we will update the published
> warnings metadata.
> This will remove the active security warning from the plugin entry on the
> plugins site and from the plugin manager directly in Jenkins.

Alexander
