Understanding Beekeeper security warnings


The Security Warnings Administrative Monitor shows all published security warnings affecting your current installation. These warnings can apply to the product core itself or to any installed plugins. The Security Warnings Administrative Monitor will recommend an update path for you to follow to make your installation secure.

  • If the warning is related to the product core, Beekeeper will suggest updating the instance to mitigate the problem.

  • If the warning affects a plugin inside CAP, Beekeeper will also suggest updating to a newer version.

  • If the warning concerns a compatible plugin, Beekeeper will suggest updating that plugin to the version that fixes the problem.

Security Warnings Administrative Monitor

Whenever Beekeeper detects that there is a security warning, the Security Warnings Administrative Monitor will give you the following information:

Figure 1. Security Warnings Administrative Monitor. Number of messages

When you click the number, it shows you the message:

Figure 2. Security Warnings Administrative Monitor. Messages

The More Info button takes you to the Security Warnings page of Beekeeper Upgrade Assistant.

Beekeeper Upgrade Assistant

In the main page of Beekeeper Upgrade Assistant you can see the same message as in the Security Warnings Administrative Monitor:

Figure 3. Beekeeper Upgrade Assistant

Security Warnings page

There are several ways to reach the Security Warnings page: you can click on the More Info button on the administrative monitor or on the Beekeeper Upgrade Assistant page; or you can click the Security Warnings link on the side panel. On this page you can see all the warnings detected about your instance.

Figure 4. Security Warnings page

The Vulnerabilities column gives a short description of the security warning, and the link guides you to the published Security Advisory where you can find all of the information about the warning.

The link in the Recommendation column guides you to the release notes / changelog of the compatible plugin with the vulnerability. In case one or more vulnerabilities affect the plugin, the proposed version is the one that fixes all of them.

In case of vulnerabilities affecting CAP plugins or the core of the instance, it shows a link titled Click here to read the release notes for this version that will guide you to the release notes of the product. From here, you can navigate to the Security Advisory with the security warnings that have been fixed in that version.

Figure 5. A Security Advisory

Disable the Security Warnings Administrative Monitor

As with any other administrative monitor, you can deactivate it so that detected security warnings are no longer shown. To do that, go to Jenkins > Manage Jenkins > Configure System > Administrative monitors configuration. Click the Administrative monitors button and clear the Security Warnings Monitor check box.

Figure 6. Check to disable the Security Warnings Administrative Monitor

Auto deactivation of the Security Warnings Administrative monitor

If the instance cannot download updated information about security warnings after 24 hours, the Security Warnings Administrative Monitor will be deactivated automatically. After fixing the issue that prevented the updated information from being obtained, you can reactivate it in the Administrative monitors configuration, as described in the Disable the Security Warnings Administrative Monitor section.

Select security warnings to show

You can choose what type of security warnings the Security Warnings Administrative Monitor should advise you of. To do that, go to Jenkins > Manage Jenkins > Beekeeper Upgrade Assistant > CAP Configuration. Here you can choose whether or not the Administrative Monitor should notify you in the top menu when warnings related to the product core and / or installed plugins are detected. In any case, the Security Warnings page will show all the vulnerabilities.

Figure 7. CAP Configuration. Security Warnings checks

More detailed help information can be obtained by clicking on the Help icon.

Figure 8. CAP Configuration. Help for Security Warnings check

Troubleshooting

The Security Warnings Administrative Monitor retrieves all the security information via HTTP/HTTPS connections, so the first point to check when something is wrong should be the network and the instance’s internet connectivity.

For proper operation, the administrative monitor needs to communicate with https://beekeeper-server.cloudbees.com/api/security-warnings, and many elements can affect that communication. The log files will contain information to better diagnose the issue.

Figure 9. Unable to connect to Beekeeper Server

When this message is displayed, the Security Warnings Administrative Monitor has detected some kind of error in the network configuration that is preventing the product from connecting to Beekeeper Server.

To diagnose the root cause, look in the log files for the SECURITY-WARNING_ERROR: %s message, where %s is the error message. In addition, the points to check are:

If the communication remains down, the Security Warnings Administrative Monitor will automatically deactivate itself.

Figure 10. Network issues happening

This message is displayed in circumstances similar to those described for the previous message, but where the configuration problem is in the running instance itself. Again, to diagnose the root cause, look in the log files for the SECURITY-WARNING_ERROR: %s message, where %s is the error message. In addition, the points to check are:

  • The Proxy Configuration is properly configured in Jenkins > Manage Jenkins > Manage Plugins > Advanced.

  • The same network configuration points as in the previous error.

Figure 11. Unexpected error message

If the Security Warnings Administrative Monitor displays this error, the response retrieved from Beekeeper Server indicates an unexpected situation in the communication. In this case, the points to check are:

  • The error code in the response: check the logs for the SECURITY-WARNING_ERROR: Beekeeper server is responding %d code message, where %d is the error code in the response.

  • The existence of a trace in the log file: check the log file for the SECURITY-WARNING_ERROR: %s message, where %s is the error message.
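
The log checks described in this Troubleshooting section can be scripted. The following is an added example, not CloudBees code: it groups SECURITY-WARNING_ERROR entries by response code or error text and flags failures that span the 24-hour auto-deactivation window. The timestamp layout, the logger name and the sample lines are assumptions constructed for illustration; only the two message formats come from this page.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines. The timestamp layout and "example.Logger" are
# assumptions; adjust LINE below to match your instance's real log format.
SAMPLE_LOG = """\
2024-03-01 08:00:12 WARNING example.Logger: SECURITY-WARNING_ERROR: Beekeeper server is responding 503 code
2024-03-01 20:00:09 WARNING example.Logger: SECURITY-WARNING_ERROR: Connection timed out
2024-03-01 20:05:00 INFO example.Logger: unrelated line
2024-03-02 09:30:41 WARNING example.Logger: SECURITY-WARNING_ERROR: Beekeeper server is responding 503 code
"""

LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}).*?SECURITY-WARNING_ERROR: (.*)$")
STATUS = re.compile(r"^Beekeeper server is responding (\d+) code")

def summarize(log_text):
    """Group SECURITY-WARNING_ERROR entries by response code or error text."""
    status_codes, other_errors, stamps = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a security-warning error entry
        stamps.append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
        s = STATUS.match(m.group(2))
        if s:
            status_codes[int(s.group(1))] += 1   # the "%d code" form
        else:
            other_errors[m.group(2).strip()] += 1  # the generic "%s" form
    span = max(stamps) - min(stamps) if stamps else timedelta(0)
    return {
        "status_codes": dict(status_codes),
        "other_errors": dict(other_errors),
        "first": min(stamps) if stamps else None,
        "last": max(stamps) if stamps else None,
        # Hint only: errors spanning 24 hours or more match the window after
        # which the monitor deactivates itself. Successful downloads between
        # errors are not visible in these entries.
        "check_monitor_enabled": span >= timedelta(hours=24),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

When check_monitor_enabled is true, confirm in the Administrative monitors configuration that the Security Warnings Monitor check box is still selected once connectivity is restored.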
