Branch: refs/heads/master
  Home:   https://github.com/jenkinsci/codescene-plugin
  Commit: 291d6d8005e2632acca6040a54dd52269b877662
      
https://github.com/jenkinsci/codescene-plugin/commit/291d6d8005e2632acca6040a54dd52269b877662
  Author: Juraj Martinka <juma...@gmail.com>
  Date:   2020-11-24 (Tue, 24 Nov 2020)

  Changed paths:
    M pom.xml

  Log Message:
  -----------
  Update junit to 4.13.1 to fix temporary folder disclosure vulnerability.

See 
https://github.com/jenkinsci/codescene-plugin/network/alert/pom.xml/junit:junit/open.
It's not important in our case, but it's good to clear the list of alerts from 
GitHub's Dependabot.

Here's a copy of the `Impact` section from the bug description:
---
On Unix like systems, the system's temporary directory is shared between all 
users on that system. Because of this, when files and directories are written 
into this directory they are, by default, readable by other users on that same 
system.

This vulnerability does not allow other users to overwrite the contents of 
these directories or files. This is purely an information disclosure 
vulnerability.

When analyzing the impact of this vulnerability, here are the important 
questions to ask:

1. Do the JUnit tests write sensitive information, like API keys or passwords, 
   into the temporary folder?
   - If yes, this vulnerability impacts you, but only if you also answer 'yes' 
     to question 2.
   - If no, this vulnerability does not impact you.
2. Do the JUnit tests ever execute in an environment where the OS has other 
   untrusted users?
   - This may apply in CI/CD environments but normally won't be 'yes' for 
     personal developer machines.
   - If yes, and you answered 'yes' to question 1, this vulnerability impacts 
     you.
   - If no, this vulnerability does not impact you.
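The shared-temp-directory exposure described in the quoted Impact section, as an added example (not code from the codescene-plugin or from JUnit): it creates one directory that relies only on the process umask and one created owner-only, compares the resulting POSIX permission bits, and includes a small scan a CI job could run over its temp area after the tests. It assumes a POSIX filesystem; the directory names and the sample secret file are constructed.

```python
import os
import shutil
import stat
import tempfile
import uuid

def create_dir_umask_default(parent):
    # Relies on the process umask alone; with the common umask 022 the
    # directory ends up 0755, so every local user can list and read it.
    path = os.path.join(parent, "umask-default-" + uuid.uuid4().hex)
    os.mkdir(path)
    return path

def create_dir_private(parent):
    # tempfile.mkdtemp uses mode 0700 regardless of umask: owner-only access.
    return tempfile.mkdtemp(prefix="private-", dir=parent)

def is_private(path):
    """True when no group or other permission bit is set on path."""
    return stat.S_IMODE(os.lstat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO) == 0

def find_shared_readable(root):
    """Defender's check: relative paths under root that group or others can
    reach. An owner-only directory shields its contents, so it is skipped."""
    leaks = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in list(dirnames) + filenames:
            full = os.path.join(dirpath, name)
            if not is_private(full):
                leaks.append(os.path.relpath(full, root))
            elif name in dirnames:
                dirnames.remove(name)
    return sorted(leaks)

def demo():
    """Creates both directory kinds under a private parent with umask forced
    to 022 (deterministic), writes a constructed sample secret (0644) into
    each, and returns (default_is_private, mkdtemp_is_private, leaks)."""
    parent = tempfile.mkdtemp(prefix="tmpdir-demo-")
    old_umask = os.umask(0o022)
    try:
        loose, tight = create_dir_umask_default(parent), create_dir_private(parent)
        for d in (loose, tight):
            with open(os.path.join(d, "api-key.txt"), "w") as fh:
                fh.write("constructed-sample-secret\n")
        return is_private(loose), is_private(tight), find_shared_readable(parent)
    finally:
        os.umask(old_umask)
        shutil.rmtree(parent)
```

Only the umask-dependent directory and the secret inside it are reported; the 0644 file inside the owner-only directory is unreachable by other users, so the scan does not flag it.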


  Commit: 97be6e28211bab61832ffb54c8732ea51c70db78
      
https://github.com/jenkinsci/codescene-plugin/commit/97be6e28211bab61832ffb54c8732ea51c70db78
  Author: Juraj Martinka <juraj.marti...@empear.com>
  Date:   2020-11-24 (Tue, 24 Nov 2020)

  Changed paths:
    M pom.xml

  Log Message:
  -----------
  Merge pull request #20 from jenkinsci/junit

Update junit to 4.13.1 to fix temporary folder disclosure vulnerability.


Compare: 
https://github.com/jenkinsci/codescene-plugin/compare/12bb3591e04f...97be6e28211b

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Commits" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-commits/jenkinsci/codescene-plugin/push/refs/heads/master/12bb35-97be6e%40github.com.
