Core cannot send emails, that's the mailer plugin. So if you need emails, it'd be in a (probably new) plugin.
Core however could log warnings; the main problem I see here is that there are no listeners/hooks to be notified when an update site is updated, so it's not quite trivial to log only once when a previously unseen warning shows up. Probably best done as a PeriodicWork while keeping a list of warnings logged since Jenkins started, to prevent duplicates?

On Tue, Sep 24, 2019 at 3:59 PM Eric Engstrom <[email protected]> wrote:

> On Monday, September 23, 2019 at 11:08:58 AM UTC-5, Daniel Beck wrote:
>>
>> Jenkins uses the update center metadata to show applicable warnings. It
>> would be a bit of a hack, and use internals not meant for public
>> consumption, but you could do that, too. See the bottom of
>> https://updates.jenkins.io/update-center.actual.json for the warning
>> definitions. (No complaining if we change the format without prior warning
>> etc.!)
>>
>
> The implication of this is that there is no current method to have jenkins
> send notifications (emails, or otherwise) on known vulnerabilities, core or
> plug-in. Sounds like an opportunity for improvement, to which I'd be
> somewhat happy to help with development, but as a total jenkins _user_, I
> would need more pointers for development. The most obvious would be: is
> this something that should be in core or should it be yet-another-plug-in?
> Or, I suppose, I could develop it as a groovy script that one could run as
> a jenkins job within jenkins itself.
>
> Thoughts?
>
>>
>> On Mon, Sep 23, 2019 at 5:52 PM Eric Engstrom <[email protected]>
>> wrote:
>>
>>> Yes, I'm subscribed to the "Security advisories" mailing list
>>> <https://groups.google.com/forum/m/#!forum/jenkinsci-advisories>, and
>>> while it provides indications of core updates w.r.t. vulnerabilities, it's
>>> not as helpful for plug-ins - that is, not only would I have to look at all
>>> the plug-ins that are listed as being patched, but it doesn't, AFAICT, tell
>>> me when there are unpatched vulnerabilities.
>>>
>>
>> Counterexample:
>> https://groups.google.com/d/msg/jenkinsci-advisories/T3Zt01nhGao/kn_VhKasCgAJ
>> (Aug 7 this year, second email in the "thread" -- Thanks Google!)
>>
>
> Proven wrong - thanks. I'll pay more attention.
>

--
Daniel Beck
Senior Software Engineer
CloudBees, Inc.

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/CAMo7PtKjAGy2c3V12yKDULaFe8VbjQk1ogZYM48%2BcK2fcoqJxA%40mail.gmail.com.
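The log-once idea discussed in this thread, sketched as an added example that is not part of the thread or of Jenkins itself: it filters update-center warnings down to the ones that apply to the installed core and plugins, and reports each only the first time it is seen. The field names (`id`, `type`, `name`, `versions`, `pattern`), the full-match regex semantics and the "no ranges means all versions" rule are assumptions about the warnings format, which the thread notes may change without notice; `applies` and `WarningLog` are hypothetical names.

```python
import re

# Constructed sample in the ASSUMED shape of the "warnings" array; every id,
# plugin name and version pattern below is made up for illustration.
SAMPLE = {"warnings": [
    {"id": "SECURITY-0001", "type": "plugin", "name": "example-plugin",
     "message": "constructed warning A",
     "versions": [{"pattern": r"1[.][0-4]"}]},
    {"id": "SECURITY-0002", "type": "core", "name": "core",
     "message": "constructed warning B",
     "versions": [{"pattern": r"2[.]1\d\d"}]},
    {"id": "SECURITY-0003", "type": "plugin", "name": "other-plugin",
     "message": "constructed warning C", "versions": []},
]}


def applies(warning, core_version, plugins):
    """True if the warning covers the running core or an installed plugin."""
    if warning["type"] == "core":
        version = core_version
    else:
        version = plugins.get(warning["name"])  # None: plugin not installed
    if version is None:
        return False
    ranges = warning.get("versions", [])
    if not ranges:
        # Assumption: no version ranges means all versions are affected.
        return True
    return any(re.fullmatch(r["pattern"], version) for r in ranges)


class WarningLog:
    """Remembers what was reported since start-up, like the PeriodicWork idea."""

    def __init__(self):
        self.seen = set()

    def poll(self, metadata, core_version, plugins):
        """Return (id, name) pairs that apply and were not reported before."""
        fresh = []
        for w in metadata.get("warnings", []):
            key = (w["id"], w["name"])
            if key not in self.seen and applies(w, core_version, plugins):
                self.seen.add(key)
                fresh.append(key)
        return fresh
```

Calling `poll` on a schedule with freshly downloaded metadata yields only warnings that have not been reported since the `WarningLog` was created, so a notifier built on it stays quiet between new advisories.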
