Thanks for the info, very helpful.

And as to your question, no. Must be a coincidence. This has come up on our 
end by simply reviewing the current status.
Cheers.

On Tuesday, February 22, 2022 at 10:11:37 AM UTC+2 db...@cloudbees.com 
wrote:

> On Tue, Feb 22, 2022 at 7:25 AM Niv Keidan <niv.k...@veertu.com> wrote:
>
>> I am running Jenkins 2.319.3 and using a plugin that has 2.277.4 defined 
>> as <jenkins.version> in its pom.xml.
>> Am I exposed to the vulnerabilities in 2.277.4?
>>
>
> No, this only defines the minimum compatible version. The same applies to 
> dependencies to other plugins. Only bundled libraries (hpi/jpi files are 
> just zip, open it and look inside) matter. That's why Jenkins doesn't show 
> security warnings to admins when you update the affected component.
>
> Tell your security scanner vendor to improve their product to not believe 
> everything the pom.xml says.
>
> I'm curious, did a big vendor release some nonsense? This is the third 
> time this has come up in ~4 days.
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/a8fb4abc-1c61-4d28-a619-643f47e4f78dn%40googlegroups.com.

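To make the point in the quoted reply concrete (an hpi/jpi is a plain zip, and only what is actually bundled in it matters), here is an added example that is not code from this thread or from the Jenkins project. It opens a plugin archive, reads the manifest, and separates the two things a scanner tends to conflate: the minimum core version the plugin declares (the `Jenkins-Version` manifest attribute, which is what `<jenkins.version>` in the pom turns into) versus the third-party jars shipped under `WEB-INF/lib/`. The sample archive is constructed in memory for illustration; the plugin name, versions and jar names in it are made up.

```python
"""Inspect a Jenkins plugin archive (.hpi/.jpi) as a plain zip.

Added example, not code from the mailing-list thread or from Jenkins.
The sample archive built by build_sample_hpi() is constructed here; its
plugin name, versions and library names are invented for illustration.
"""
import io
import json
import re
import zipfile

# Jar file names in WEB-INF/lib usually look like <artifact>-<version>.jar.
JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")


def parse_manifest(text: str) -> dict:
    """Parse a JAR MANIFEST.MF into a dict.

    Lines are 'Name: value'; a line starting with a single space continues
    the previous value (manifests wrap at 72 bytes), so long attributes such
    as Plugin-Dependencies are stitched back together here.
    """
    attrs = {}
    key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and key is not None:
            attrs[key] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        key = key.strip()
        attrs[key] = value.strip()
    return attrs


def parse_plugin_dependencies(value: str) -> dict:
    """'a:1.0,b:2.0;resolution:=optional' -> {'a': '1.0', 'b': '2.0'}."""
    deps = {}
    for item in value.split(","):
        item = item.strip().split(";", 1)[0]  # drop ;resolution:=optional
        if not item:
            continue
        name, _, version = item.partition(":")
        deps[name] = version
    return deps


def inspect_hpi(data: bytes) -> dict:
    """Return what matters for exposure, kept apart from what does not.

    bundled_libraries: jars actually shipped in WEB-INF/lib (these are the
        components a vulnerability in a library can reach you through).
    min_core_version: the Jenkins-Version the plugin was built against. It is
        only a compatibility floor; the core you are exposed to is the core
        your controller runs, not this number.
    plugin_dependencies: other plugins, again with minimum versions only.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        bundled = {}
        for name in zf.namelist():
            if name.startswith("WEB-INF/lib/") and name.endswith(".jar"):
                m = JAR_NAME.match(name.rsplit("/", 1)[1])
                if m:  # the plugin's own unversioned jar is skipped
                    bundled[m.group("artifact")] = m.group("version")
    return {
        "plugin": manifest.get("Short-Name"),
        "plugin_version": manifest.get("Plugin-Version"),
        "min_core_version": manifest.get("Jenkins-Version"),
        "plugin_dependencies": parse_plugin_dependencies(
            manifest.get("Plugin-Dependencies", "")),
        "bundled_libraries": bundled,
    }


def build_sample_hpi() -> bytes:
    """Constructed sample archive (not a real plugin); mirrors hpi layout."""
    manifest = (
        "Manifest-Version: 1.0\r\n"
        "Short-Name: example-plugin\r\n"
        "Plugin-Version: 1.2.3\r\n"
        "Jenkins-Version: 2.277.4\r\n"
        "Plugin-Dependencies: workflow-step-api:2.24,credentials:2.6.1;resolutio\r\n"
        " n:=optional\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("WEB-INF/lib/example-plugin.jar", b"")      # plugin's own code
        zf.writestr("WEB-INF/lib/acme-http-client-3.1.4.jar", b"")  # bundled library
        zf.writestr("WEB-INF/lib/acme-json-2.0.0.jar", b"")         # bundled library
    return buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(inspect_hpi(build_sample_hpi()), indent=2))
```

Against a real archive, read the file bytes instead of calling build_sample_hpi(); `unzip -l plugin.hpi` shows the same WEB-INF/lib listing by hand. The bundled_libraries map is what to compare against library advisories; min_core_version is only useful for checking that the plugin will load on your controller.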