On Tue, Feb 22, 2022 at 7:25 AM Niv Keidan <niv.kei...@veertu.com> wrote:
> I am running Jenkins 2.319.3 and using a plugin that has 2.277.4 defined
> as <jenkins.version> in its pom.xml.
> Am I exposed to the vulnerabilities in 2.277.4?

No, this only defines the minimum compatible version. The same applies to dependencies on other plugins. Only bundled libraries (hpi/jpi files are just zip files; open one and look inside) matter. That's why Jenkins doesn't show security warnings to admins when you update the affected component.

Tell your security scanner vendor to improve their product to not believe everything the pom.xml says.

I'm curious, did a big vendor release some nonsense? This is the third time this has come up in ~4 days.

-- 
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtLuvvDa8gVY70XRT3-SkqoxFrDwG%2B0%2Bmeiy61XBj293Aw%40mail.gmail.com.
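As an added illustration (not code from the thread or from the Jenkins project), the check the reply describes in Python: open an .hpi as a zip, read the plugin manifest, and list what is actually shipped in WEB-INF/lib, so a reviewer compares bundled jars rather than the pom's <jenkins.version>. The sample archive, plugin name and jar names are constructed for the example.

```python
import io
import zipfile

# Constructed sample: a minimal .hpi built in memory. Jenkins-Version in the
# manifest mirrors <jenkins.version> in the pom: the minimum core the plugin
# builds against, not the core a server runs. What matters for exposure is
# the set of libraries the archive actually bundles under WEB-INF/lib.
_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Short-Name: example-plugin\r\n"          # hypothetical plugin
    "Plugin-Version: 1.0\r\n"
    "Jenkins-Version: 2.277.4\r\n"
    "Plugin-Dependencies: structs:1.23,workflow-step-api:2.24;resolution:=op\r\n"
    " tional\r\n"                             # manifest continuation line
    "\r\n"
)

def build_sample_hpi() -> bytes:
    """Assemble the constructed .hpi (zip) used by the example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", _MANIFEST)
        z.writestr("WEB-INF/lib/example-plugin.jar", b"")
        z.writestr("WEB-INF/lib/commons-text-1.9.jar", b"")  # hypothetical bundled lib
        z.writestr("META-INF/maven/org.example/example-plugin/pom.xml",
                   "<project><properties><jenkins.version>2.277.4</jenkins.version>"
                   "</properties></project>")
    return buf.getvalue()

def parse_manifest(text: str) -> dict:
    """Parse the main section of a JAR MANIFEST.MF; a leading space continues the prior value."""
    attrs, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            break                      # blank line ends the main section
        if line.startswith(" ") and key:
            attrs[key] += line[1:]     # wrapped (72-byte) line continuation
        elif ":" in line:
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
    return attrs

def inventory_hpi(data: bytes) -> dict:
    """Return the declared minimum core, plugin dependencies, and bundled jars."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        attrs = parse_manifest(z.read("META-INF/MANIFEST.MF").decode("utf-8"))
        jars = sorted(n.rsplit("/", 1)[1] for n in z.namelist()
                      if n.startswith("WEB-INF/lib/") and n.endswith(".jar"))
    deps = [d.split(";")[0] for d in attrs.get("Plugin-Dependencies", "").split(",") if d]
    return {"min_core": attrs.get("Jenkins-Version"), "plugin_deps": deps, "bundled_jars": jars}
```

Run `inventory_hpi` over a real plugin file's bytes and feed `bundled_jars` to your vulnerability matching; `min_core` and `plugin_deps` are version floors, not components installed on the server.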