Great, thanks Devin for the quick response.
Btw, if there's a fix for these plugins coming soon then we might wait for
that and upgrade, just want to avoid any possible pitfalls from a downgrade.
Regards,
Khiem
On Thursday, December 16, 2021 at 5:12:49 AM UTC+7 dnus...@cloudbees.com
wrote:
> Hi, th
Hi all. Getting popped by our security team for an old version of log4j.
I've checked and we don't have any of the plugins installed identified by
the following issue:
https://issues.jenkins.io/browse/JENKINS-67353
Here's the info from the scan:
Plugin Output:
Path :
/opt/je
Hmmm, found this page:
https://www.jenkins.io/blog/2021/12/10/log4j2-rce-CVE-2021-44228/
So I ran the script in the script console and got the error indicating that
log4j is not included in any installed and enabled plugin. Anyone have a
clue?
Thanks,
Eric
On Thursday, December 16, 2021 at 1
That's unrelated to Jenkins per se. This directory is the maven cache, also
called 'local repository'.
My theory is that you have a job or more that uses maven with default
values. I suspect you even run these on the controller itself...
Some of your job(s) build(s) a software of yours that depen
I would exclude /opt/jenkins/.m2/repository from any scans, as already
mentioned that is the local maven cache.
Also if you don't maintain that, it will grow and grow.
Personally I update build jobs so they each have their own maven cache
using -Dmaven.repo.local=mvn-repo then delete that after you
Thanks a ton, great cud to chew on! Now I think I know the culprit and
it's been deprecated. Guessing I can just delete that log4j directory and
be done with it.
On Thursday, December 16, 2021 at 1:12:28 PM UTC-7 nhoj.p...@gmail.com
wrote:
> I would exclude /opt/jenkins/.m2/repository from a
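
Added example, not part of the original thread and not Jenkins project code: before excluding or deleting anything under the Maven local repository discussed above, this inventory lists which log4j artifacts and versions are actually cached there. It assumes the standard groupId/artifactId/version directory layout; the function names and the sample repository contents are constructed for illustration.

```python
import os
import sys


def find_log4j_artifacts(repo_root):
    """Return sorted (group_id, artifact_id, version, jar_path) tuples for
    every cached jar whose artifactId starts with 'log4j'."""
    hits = []
    for dirpath, _dirs, files in os.walk(repo_root):
        parts = os.path.relpath(dirpath, repo_root).split(os.sep)
        if len(parts) < 3:
            continue  # too shallow to be a group/artifact/version directory
        *group, artifact, version = parts
        if not artifact.startswith("log4j"):
            continue
        # Maven names the file <artifactId>-<version>[-classifier].jar
        expected = f"{artifact}-{version}"
        for name in files:
            if name.endswith(".jar") and name.startswith(expected):
                hits.append((".".join(group), artifact, version,
                             os.path.join(dirpath, name)))
    return sorted(hits)


def build_sample_repo(root):
    """Create a small constructed repository (empty jar files) for a dry run."""
    for rel in (
        "org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.jar",
        "log4j/log4j/1.2.17/log4j-1.2.17.jar",
        "junit/junit/4.13.2/junit-4.13.2.jar",
    ):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()


if __name__ == "__main__":
    # Default to the current user's Maven cache; pass another path as argv[1].
    default_repo = os.path.join(os.path.expanduser("~"), ".m2", "repository")
    repo = sys.argv[1] if len(sys.argv) > 1 else default_repo
    for group_id, artifact_id, version, jar in find_log4j_artifacts(repo):
        print(f"{group_id}:{artifact_id}:{version}  {jar}")
```

Any path it prints sits in the build cache rather than in the Jenkins plugin directory, which is the distinction the replies above draw.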