Core cannot send emails, that's the mailer plugin. So if you need emails, it'd be in a (probably new) plugin.
Core however could log warnings; the main problem I see here is that there are no listeners/hooks to be notified when an update site is updated, so it's not quite trivial to log only once when a previously unseen warning shows up. Probably best done as a PeriodicWork while keeping a list of warnings logged since Jenkins started, to prevent duplicates? On Tue, Sep 24, 2019 at 3:59 PM Eric Engstrom <eric.engst...@gmail.com> wrote: > > > On Monday, September 23, 2019 at 11:08:58 AM UTC-5, Daniel Beck wrote: >> >> Jenkins uses the update center metadata to show applicable warnings. It >> would be a bit of a hack, and use internals not meant for public >> consumption, but you could do that, too. See the bottom of >> https://updates.jenkins.io/update-center.actual.json for the warning >> definitions. (No complaining if we change the format without prior warning >> etc.!) >> > > The implication of this is that there is no current method to have jenkins > send notifications (emails, or otherwise) on known vulnerabilities, core or > plug-in. Sounds like an opportunity for improvement, to which I'd be > somewhat happy to help with development, but as a total jenkins _user_, I > would need more pointers for development. The most obvious would be: is > this something that should be in core or should it be yet-another-plug-in? > Or, I suppose, I could develop it as a groovy script that one could run as > a jenkins job within jenkins itself. > > Thoughts? > > >> >> On Mon, Sep 23, 2019 at 5:52 PM Eric Engstrom <eric.e...@gmail.com> >> wrote: >> >>> Yes, I'm subscribed to the "Security advisories" mailing list >>> <https://groups.google.com/forum/m/#!forum/jenkinsci-advisories>, and >>> while it provides indications of core updates w.r.t. vulnerabilities, it's >>> not as helpful for plug-ins - that is, not only would I have to look at all >>> the plug-ins that are listed as being patched, but it doesn't, AFAICT, tell >>> me when there are unpatched vulnerabilities. >>> >> >> Counterexample: >> https://groups.google.com/d/msg/jenkinsci-advisories/T3Zt01nhGao/kn_VhKasCgAJ >> (Aug 7 this year, second email in the "thread" -- Thanks Google!) >> > > Proven wrong - thanks. I'll pay more attention. > > -- > You received this message because you are subscribed to the Google Groups > "Jenkins Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to jenkinsci-users+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/jenkinsci-users/71abc41c-ad1a-4b0a-96b5-aff68b6aaad4%40googlegroups.com > <https://groups.google.com/d/msgid/jenkinsci-users/71abc41c-ad1a-4b0a-96b5-aff68b6aaad4%40googlegroups.com?utm_medium=email&utm_source=footer> > . > -- Daniel Beck Senior Software Engineer CloudBees, Inc. [image: CloudBees-Logo.png] -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/CAMo7PtKjAGy2c3V12yKDULaFe8VbjQk1ogZYM48%2BcK2fcoqJxA%40mail.gmail.com.