
Consider no longer using http_request plugin #3075

Open
daniel-beck opened this issue Jul 27, 2022 · 9 comments
@daniel-beck

Service(s)

ci.jenkins.io

Summary

ci.jenkins.io uses http_request plugin for https://github.com/jenkins-infra/pipeline-library/blob/aa9213e20d368a84369a78a00ea6599c0db6ff12/vars/infra.groovy#L345-L352 (and potentially more).

We announced an unresolved security vulnerability in this plugin today: https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-2053

While it doesn't affect us given how we're using the plugin, we should still consider implementing this differently, so the unmaintained/improperly maintained plugin is no longer needed and can be uninstalled.

Reproduction steps

No response

@daniel-beck daniel-beck added the triage (Incoming issues that need review) label Jul 27, 2022
@jglick

jglick commented Jul 27, 2022

I do not think we want to do this. It fills a need that was not adequately met otherwise. jenkins-infra/pipeline-library#210 by @timja

@MarkEWaite

MarkEWaite commented Aug 2, 2022

Release 1.16 of the http request plugin has been delivered. The changelog reports that the security issue is resolved.

Thanks to @offa for making that change!

What additional steps are required in order to show the issue as resolved in the Jenkins update center?

@MarkEWaite MarkEWaite removed the triage (Incoming issues that need review) label Aug 2, 2022
@daniel-beck
Author

Nothing relevant changed since I filed this issue. We weren't affected by the vulnerability before. The problem is that the plugin is essentially unmaintained (Basil's availability is very limited per jenkins-infra/repository-permissions-updater#2019, Oleg last released a plugin more than a year ago, and Janario was unresponsive).

@basil
Collaborator

basil commented Aug 2, 2022

I think Mark was asking about how to remove the "Passwords stored in plain text" warning from the latest version which I think just needs a PR to update-center2.

@MarkEWaite

Submitted jenkins-infra/update-center2#628 to note in update center that the issue is resolved.

@daniel-beck
Author

daniel-beck commented Aug 2, 2022

I think Mark was asking about how to remove the "Passwords stored in plain text" warning from the latest version which I think just needs a PR to update-center2.

Off topic, but FTR documented on https://www.jenkins.io/security/plugins/ which is linked from every unresolved advisory entry since this year.

@dduportal
Contributor

  • PR merged on update_center
  • update center's job ran successfully and updated the index
  • Index updated on ci.jenkins.io: the error message about security issue disappeared

@daniel-beck
Author

daniel-beck commented Aug 10, 2022

As I wrote in #3075 (comment),

Nothing relevant changed since I filed this issue. We weren't affected by the vulnerability before. The problem is that the plugin is essentially unmaintained (Basil's availability is very limited per jenkins-infra/repository-permissions-updater#2019, Oleg last released a plugin more than a year ago, and Janario was unresponsive).

If you want to reject this request because we really need the plugin (basically Jesse's comment) and consider it being unmaintained an acceptable risk, that's fine. But this request has nothing to do with the vulnerability that was announced, then fixed. That just made it clear that the plugin is unmaintained. It's not maintained any better now, there are no new maintainers.

@daniel-beck daniel-beck reopened this Aug 10, 2022
@basil
Collaborator

basil commented Aug 10, 2022

If you want to reject this request because we need the plugin for some reason and consider it being unmaintained an acceptable risk, that's fine.

For what it is worth, I think the same is true for other plugins we rely on, such as display-url-api: JENKINS-69006 has not been fixed in over a month despite very clear next steps being identified, precluding #2833. While it is unfortunate that we have come to rely on some unmaintained or poorly-maintained plugins, I think that is simply the reality—whether we like it or not.

In some ways, a poorly maintained plugin that we still rely on is better than an unmaintained one that we still rely on, because at least someone is available to merge PRs and cut emergency releases if need be. Without that, problems can escalate quickly.

I do wish I had more time and interest to work on plugins like http_request. The truth is, I just stepped up to be an "interim maintainer" to deliver some Guava fixes and have just been keeping it on life support. I get the sense this is not an uncommon scenario in the ecosystem.

@daniel-beck daniel-beck removed their assignment Oct 17, 2024