Security fixes
- Bundle generated by the Support Core plugin could contain passwords or other sensitive data (SECURITY-2186)
The bundle that is generated by the Support Core plugin could contain passwords or other sensitive data stored in system variables, Java arguments, or other system files.
In version 2.72.2 of the Support Core plugin, a feature was introduced that automatically redacts any passwords stored in the following bundle files:
- nodes.md
- about.md
- nodes/master/system.properties (for controllers and agents)
- nodes/master/environment.txt
- nodes/slave/name/proc/self/environ and nodes/slave/name/proc/self/cmdline (for Linux agents)
- nodes/slave/name/config.xml (for each agent)
- the launch log files for each agent, located in nodes/slave/name/launchLogs
To support this fix, a text file named security-stop-words.txt has been added to the JENKINS_HOME/support folder. It contains the security stop words that are used to detect passwords or secrets. When the bundle is generated, any value associated with one of these stop words is replaced with the word "REDACTED". For example, if one of the security stop words is "passwd", the following string:
-username.net.passwd=mySecret
will be changed to:
-username.net.passwd=REDACTED
Only values whose key matches a stop word are redacted; a secret stored under a key that contains none of the stop words is written to the bundle unchanged, so review a generated bundle before sharing it. To disable this feature, delete all of the security stop words from the security-stop-words.txt file. Any changes made to the security-stop-words.txt file are applied only after the Jenkins instance is restarted.
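The following is an added example, not code from the Support Core plugin, that models the stop-word redaction described above and adds the check a practitioner would run over an already-generated bundle. The stop-word file contents, the one-word-per-line file format, and case-insensitive substring matching on the key are assumptions; the sample java arguments and the /proc/self/environ blob are constructed inputs.

```python
import re
from typing import Iterable, List

# Constructed stand-in for JENKINS_HOME/support/security-stop-words.txt; the release
# note does not list the shipped stop words, so this content and format are assumed.
SAMPLE_STOP_WORDS_FILE = """\
# one stop word per line; blank lines and comments are ignored (assumed format)
passwd
password
secret
token
"""

# Constructed bundle excerpts in the shapes the note names: java arguments as found in
# nodes/master/system.properties, and a NUL-separated nodes/slave/name/proc/self/environ blob.
SAMPLE_JAVA_ARGS = "\n".join([
    "-Dfile.encoding=UTF-8",
    "-username.net.passwd=mySecret",
    "-Dhudson.footerURL=https://ci.example.test",
])
SAMPLE_ENVIRON = b"HOME=/home/jenkins\0DB_PASSWORD=hunter2\0PATH=/usr/bin\0"

# prefix (optional whitespace and -D), key, value
ASSIGNMENT = re.compile(r"^(\s*(?:-D)?)([^=\s]+)=(.*)$")


def load_stop_words(text: str) -> List[str]:
    """Parse the stop-word file: one lower-cased word per non-empty, non-comment line."""
    words = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            words.append(line.lower())
    return words


def redact_assignment(line: str, stop_words: Iterable[str]) -> str:
    """Replace the value with REDACTED when the key contains a stop word.

    Handles KEY=value, -Dkey=value and -key=value shapes. Matching the key by
    case-insensitive substring is an assumption, not the plugin's documented rule.
    """
    m = ASSIGNMENT.match(line)
    if not m:
        return line
    prefix, key, value = m.groups()
    lowered = key.lower()
    if value and any(word in lowered for word in stop_words):
        return f"{prefix}{key}=REDACTED"
    return line


def redact_text(text: str, stop_words: Iterable[str]) -> str:
    """Redact every assignment line of a text file such as environment.txt or cmdline."""
    words = list(stop_words)
    return "\n".join(redact_assignment(line, words) for line in text.splitlines())


def redact_environ(blob: bytes, stop_words: Iterable[str]) -> bytes:
    """Redact a /proc/self/environ blob, which is NUL-separated KEY=VALUE entries."""
    words = list(stop_words)
    parts = []
    for entry in blob.split(b"\0"):
        # surrogateescape keeps non-UTF-8 bytes intact through the round trip
        text = entry.decode("utf-8", errors="surrogateescape")
        parts.append(redact_assignment(text, words).encode("utf-8", "surrogateescape"))
    return b"\0".join(parts)


def unredacted_keys(text: str, stop_words: Iterable[str]) -> List[str]:
    """Post-generation check: keys that match a stop word but still carry a real value."""
    words = list(stop_words)
    leaks = []
    for line in text.splitlines():
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        key, value = m.group(2), m.group(3)
        if value and value != "REDACTED" and any(w in key.lower() for w in words):
            leaks.append(key)
    return leaks


if __name__ == "__main__":
    words = load_stop_words(SAMPLE_STOP_WORDS_FILE)
    print(redact_text(SAMPLE_JAVA_ARGS, words))
    print(redact_environ(SAMPLE_ENVIRON, words))
    # An emptied stop-word file disables redaction, as the release note describes.
    print(unredacted_keys(redact_text(SAMPLE_JAVA_ARGS, []), words))
```

Run unredacted_keys over the text files extracted from a bundle before sending it out; an empty result only means no key matched a stop word, not that the bundle holds no secrets.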
Known issues
- The operations center may run out of disk space if using a local folder as the Configuration as Code (CasC) bundle location (BEE-15449)
If you use a local folder as the Configuration as Code bundle location and an error occurs, a backup folder is automatically added to the operations center. If the local folder contains other files that are not part of a CasC bundle (for example, read-only files, hidden files, or SCM control files), polling synchronization fails and the backup folder is never deleted. Eventually, the operations center may run out of disk space, resulting in a "No space left on device" exception.
To avoid this issue, either use an SCM as the Configuration as Code bundle location or, if you use a local folder, ensure that only CasC bundles are stored in it. This will be corrected in a future version.
- Git submodules are not supported when configuring an SCM as the Configuration as Code bundle location (BEE-15832)
If you configure an SCM as the Configuration as Code bundle location and select Recursively update submodules for the selected Project Repository, an exception is thrown.
- Duplicate Pipeline Template Catalogs in the Configuration as Code jenkins.yaml file on each instance restart (BEE-12722)
If a Pipeline Template Catalog is configured in the CasC jenkins.yaml file and its id property is not defined, the catalog is duplicated on each instance restart and in the exported CasC configuration. Defining the id property for each catalog avoids the duplication.