chore(deps): bump bom-2.346.x from 1706.vc166d5f429f8 to 1723.vcb_9fee52c9fc #107
Conversation
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=60&v=4){kind=small}
Bumps [bom-2.346.x](https://github.com/jenkinsci/bom) from 1706.vc166d5f429f8 to 1723.vcb_9fee52c9fc. - [Release notes](https://github.com/jenkinsci/bom/releases) - [Commits](https://github.com/jenkinsci/bom/commits) --- updated-dependencies: - dependency-name: io.jenkins.tools.bom:bom-2.346.x dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
added
dependencies
dependabot
bot
deleted the
dependabot/maven/io.jenkins.tools.bom-bom-2.346.x-1723.vcb_9fee52c9fc
branch
|
@NotMyFault AFAICS, this will fix https://access.redhat.com/security/cve/CVE-2022-45047 (TBH, I haven't checked whether sshd-plugin is actually vulnerable). |
If a vulnerability affects a plugin, the security team knows about it in advance and publishes an advisory. No advisory has been published. I cut a release nevertheless, because people tend to panic and trust scanners more than proper evaluations. |
Thanks and you do have a point. No pressure from my side! |
The vulnerability scanner that reported this would resolve a CVE is incorrect. It indicates that the vulnerability scanner probably does not understand Jenkins plugin dependencies as expressed in pom.xml. When one Jenkins plugin depends on another Jenkins plugin, the dependency is resolved at Jenkins runtime by the currently loaded Jenkins plugin. Changing the plugin dependencies of a plugin mandates that the dependency must have at least the version specified. If there is a security is in the dependency, the Jenkins administrator resolves it by installing the plugin version that fixes the security issue. |
|
@MarkEWaite thanks for pointing that out! I was actually surprised by the trivy report because my instance is already using |
Bumps bom-2.346.x from 1706.vc166d5f429f8 to 1723.vcb_9fee52c9fc.
Release notes
Sourced from bom-2.346.x's releases.
Commits
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot will merge this PR once CI passes on it, as requested by @NotMyFault.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)