Thanks for the info, very helpful. And as to your question, no. Must be a coincidence. This has come up on our end by simply reviewing the current status. Cheers.
On Tuesday, February 22, 2022 at 10:11:37 AM UTC+2 [email protected] wrote:
> On Tue, Feb 22, 2022 at 7:25 AM Niv Keidan <[email protected]> wrote:
>
>> I am running Jenkins 2.319.3 and using a plugin that has 2.277.4 defined
>> as <jenkins.version> in its pom.xml.
>> Am I exposed to the vulnerabilities in 2.277.4?
>>
>
> No, this only defines the minimum compatible version. The same applies to
> dependencies on other plugins. Only bundled libraries (hpi/jpi files are
> just zip files; open one and look inside) matter. That's why Jenkins doesn't show
> security warnings to admins when you update the affected component.
>
> Tell your security scanner vendor to improve their product to not believe
> everything the pom.xml says.
>
> I'm curious, did a big vendor release some nonsense? This is the third
> time this has come up in ~4 days.
>
-- 
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/a8fb4abc-1c61-4d28-a619-643f47e4f78dn%40googlegroups.com.
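The check the reply describes, as an added example that is not part of the thread and not Jenkins project code: open the .hpi/.jpi as a zip, read the Jenkins-Version header from its manifest (the value the plugin's <jenkins.version> ends up as), treat it and the Plugin-Dependencies versions as minimums to compare against the running core, and list what is actually bundled under WEB-INF/lib/, which is the only part a vulnerability scanner should match against library advisories. The sample archive below is constructed inline for the demonstration; the plugin name, version and jar names in it are invented.

```python
"""Inspect a Jenkins plugin archive (.hpi/.jpi, a zip) for what really matters.

Added example, not Jenkins code. Assumptions: the manifest is at
META-INF/MANIFEST.MF with the usual Jenkins-Version / Plugin-Dependencies
headers, and bundled jars live under WEB-INF/lib/.
"""
import io
import re
import zipfile


def parse_manifest(text):
    """Parse a JAR manifest: 'Key: value' lines, continuation lines start with a space."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # 72-byte wrap continuation
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    attrs = {}
    for line in lines:
        key, _, value = line.partition(":")
        attrs[key.strip()] = value.strip()
    return attrs


def parse_version(s):
    """'2.319.3' -> (2, 319, 3); only numeric components are compared."""
    return tuple(int(p) for p in re.findall(r"\d+", s))


def parse_dependencies(spec):
    """'structs:1.23,foo:2.0;resolution:=optional' -> [(name, min_version, optional)]."""
    deps = []
    for item in filter(None, spec.split(",")):
        name_ver, _, flags = item.partition(";")
        name, _, ver = name_ver.partition(":")
        deps.append((name, ver, "resolution:=optional" in flags))
    return deps


def inspect_hpi(data):
    """Return (manifest attributes, sorted names of jars bundled in WEB-INF/lib/)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        bundled = sorted(n.rsplit("/", 1)[1] for n in zf.namelist()
                         if n.startswith("WEB-INF/lib/") and n.endswith(".jar"))
    return manifest, bundled


def assess(core_version, manifest, bundled):
    """Minimum-core check plus the two lists a scanner should reason about separately."""
    minimum = manifest.get("Jenkins-Version", "0")
    return {
        "minimum_core": minimum,
        # Jenkins-Version is a floor: a newer core is fine, an older one cannot load the plugin.
        "compatible": parse_version(core_version) >= parse_version(minimum),
        # Plugin dependency versions are minimums too, not what is installed.
        "plugin_dependency_minimums": parse_dependencies(manifest.get("Plugin-Dependencies", "")),
        # Only these ship inside the archive; match advisories against them.
        "bundled_libraries": bundled,
    }


def build_sample_hpi():
    """Constructed sample archive for the demo; not a real plugin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\n"
                    "Short-Name: example-plugin\r\n"
                    "Plugin-Version: 1.2\r\n"
                    "Jenkins-Version: 2.277.4\r\n"
                    "Plugin-Dependencies: structs:1.23,workflow-step-api:2.24;resolution:=optional\r\n")
        zf.writestr("WEB-INF/lib/example-plugin.jar", b"PK")      # placeholder content
        zf.writestr("WEB-INF/lib/commons-text-1.9.jar", b"PK")    # placeholder content
    return buf.getvalue()


if __name__ == "__main__":
    manifest, bundled = inspect_hpi(build_sample_hpi())
    for core in ("2.319.3", "2.263.1"):
        print(core, assess(core, manifest, bundled))
```

For a real archive, replace `build_sample_hpi()` with the bytes of a downloaded .hpi; the report then tells you that a core newer than Jenkins-Version is the expected, compatible situation, and that the jars in WEB-INF/lib/ are what to feed a vulnerability scanner, not the floor versions in the manifest or pom.xml.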
