Issue
After installing a new release of the product, we are getting a security warning message, related to a tier 3 plugin, under Beekeeper Upgrade Assistant > Security Warnings.
When trying to update the tier 3 plugin, we get an error related to a tier 1 or 2 plugin dependency.
However, the plugin version requested cannot be installed because it is not available on the Update Plugins tab.
Resolution
This happens when a tier 3 community plugin that receives a security fix also upgrades at least one of its dependencies on a tier 1 or 2 plugin to a version more recent than the one recommended by the CloudBees Assurance Program (CAP). Security vulnerabilities impacting non-CAP plugins are displayed, even if the upgrade is not possible within CAP, in order to expose the security problem.
In this case, the CloudBees security team advises reading the security advisory and determining whether the vulnerability impacts you before applying any changes. If you are impacted, these are some possible solutions:
- Uninstall the tier 3 plugin. This is the recommended solution if the plugin is not critical for your instance.
- Use Beekeeper plugin exceptions. This solution is not recommended as it may entail a risk. If this is the only solution, it is recommended to take a backup of the instance and test the plugin upgrade in a test environment first.
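
To see which dependency blocks the upgrade before deciding between the options above, the following added example (not CloudBees code) compares the `Plugin-Dependencies` manifest attribute of the fixed tier 3 plugin release against the versions installed on the instance. The plugin names and versions are constructed, and the version comparison is a simplification that only looks at the leading numeric components.

```python
import re

# Constructed sample: Plugin-Dependencies value from the MANIFEST.MF of a
# hypothetical tier 3 plugin release that carries the security fix.
SAMPLE_DEPS = "dep-alpha:2.6.1,dep-beta:1.23,dep-gamma:1.50;resolution:=optional"

# Constructed sample: plugin versions currently installed on the instance.
SAMPLE_INSTALLED = {"dep-alpha": "2.3.19", "dep-beta": "1.23"}


def parse_dependencies(value):
    """Parse 'name:version[;resolution:=optional]' entries into tuples."""
    deps = []
    for entry in filter(None, (e.strip() for e in value.split(","))):
        spec, *attrs = entry.split(";")
        name, _, version = spec.partition(":")
        if not name or not version:
            raise ValueError(f"malformed dependency entry: {entry!r}")
        optional = any(a.strip() == "resolution:=optional" for a in attrs)
        deps.append((name.strip(), version.strip(), optional))
    return deps


def version_key(version):
    """Simplified ordering (assumption): leading dot-separated integers only."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while parts and parts[-1] == 0:  # treat 1.23 and 1.23.0 as equal
        parts.pop()
    return tuple(parts)


def blocking_dependencies(deps_value, installed):
    """Return (name, required, installed) where installed is missing or older."""
    blockers = []
    for name, required, optional in parse_dependencies(deps_value):
        current = installed.get(name)
        if current is None:
            if not optional:  # a missing optional dependency does not block
                blockers.append((name, required, None))
        elif version_key(current) < version_key(required):
            blockers.append((name, required, current))
    return blockers
```

Each tuple returned by `blocking_dependencies` names a dependency whose required version is newer than the installed one, which is the dependency the upgrade error refers to.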