From: Aric Gardner Date: Fri, 17 May 2019 21:34:30 +0000 (-0400) Subject: List insecure plugins X-Git-Tag: v0.24.0~5^2 X-Git-Url: https://gerrit.linuxfoundation.org/infra/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F12%2F15712%2F12;p=releng%2Flftools.git List insecure plugins List active plugins that have a known vulnerability Example output: $ lftools jenkins -s 'build.opnfv.org/ci' plugins sec pam-auth:1.5 pam-auth:1.5 https://jenkins.io/security/advisory/2019-05-21/#SECURITY-1316 credentials:2.1.18 credentials:2.1.18 https://jenkins.io/security/advisory/2019-05-21/#SECURITY-1322 jenkins_jobs.ini config $ cat ~/.config/jenkins_jobs/jenkins_jobs.ini | grep build.opnfv.org/ci [build.opnfv.org/ci] user= password= url=https://build.opnfv.org/ci ISSUE: RELENG-2046 Signed-off-by: Aric Gardner Signed-off-by: Jessica Wagantall Change-Id: I807a1e33d10c42c0d48f7fd179858eebc368c1e8
---
diff --git a/docs/index.rst b/docs/index.rst
index 0ffbd580..8a55e5cd 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -20,6 +20,7 @@ Contents:
 release-notes
 installation
 commands/index
+ jenkins/index
 Indices and tables
 ==================
diff --git a/docs/jenkins/index.rst b/docs/jenkins/index.rst
new file mode 100644
index 00000000..306ca5f1
--- /dev/null
+++ b/docs/jenkins/index.rst
@@ -0,0 +1,12 @@
+#######
+Jenkins
+#######
+
+lftools is a collection of scripts written directly in python or externally via
+bash. It supports the following Jenkins specific commands.
+
+.. toctree::
+ :maxdepth: 2
+
+ plugins
+
diff --git a/docs/jenkins/plugins.rst b/docs/jenkins/plugins.rst
new file mode 100644
index 00000000..20758190
--- /dev/null
+++ b/docs/jenkins/plugins.rst
@@ -0,0 +1,6 @@
+*******
+Plugins
+*******
+
+.. program-output:: lftools jenkins plugins --help
+
diff --git a/lftools/cli/jenkins/plugins.py b/lftools/cli/jenkins/plugins.py
index efeb41be..283da214 100644
--- a/lftools/cli/jenkins/plugins.py
+++ b/lftools/cli/jenkins/plugins.py
@@ -12,6 +12,7 @@ __author__ = 'Trevor Bramwell'
 import click
+import requests
 def checkmark(truthy):
@@ -21,8 +22,8 @@ def checkmark(truthy):
 return u'\u2717'
-def print_plugin(plugin, namefield='longName'):
- """Print the plugin longName and version."""
+def print_plugin(plugin, namefield='shortName'):
+ """Print the plugin shortName and version."""
 print("%s:%s" % (plugin[namefield], plugin['version']))
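Review bot: The new default `namefield='shortName'` on `print_plugin` changes the output of every existing subcommand that calls it without an explicit field — `active`'s `print_plugin(plugin)` is visible at the top of the next hunk — while the new `sec` command does not call `print_plugin` at all, so the feature itself does not need this change. Neither the commit message nor the release note records that `list`, `active` and friends now print the short name. If the shorter name is wanted everywhere, note it in the release note; otherwise keep the old default and have the callers that want short names pass `namefield='shortName'`. `checkmark` continues outside the first hunk; the body of `print_plugin` is complete within the second.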
@@ -124,6 +125,59 @@ def active(ctx):
 print_plugin(plugin)
+@click.command()
+@click.pass_context
+def sec(ctx):
+ """List plugins with a known vulnerability.
+
+ Output is in the format:
+
+ Vulnerable Version\t Installed Version\t Link.
+ """
+ r = requests.get('http://updates.jenkins-ci.org/update-center.actual.json')
+ warn = r.json()['warnings']
+
+ # create a dict of relevant info from jenkins update center
+ secdict = {}
+ for w in warn:
+ name = (w['name'])
+ url = (w['url'])
+ for version in w['versions']:
+ lastversion = version.get('lastVersion')
+ nv = {name: lastversion}
+ secdict.update(nv)
+
+ # create a dict of our active plugins
+ activedict = {}
+ plugins = ctx.obj['plugins']
+ for key in plugins.keys():
+ _, plugin_name = key
+ plugin = plugins[plugin_name]
+ if plugin['active']:
+ name = plugin['shortName']
+ version = plugin['version']
+ nv = {name: version}
+ activedict.update(nv)
+
+ # find the delta
+ shared = []
+ for key in set(secdict.keys()) & set(activedict.keys()):
+ shared.append(key)
+ ourversion = (activedict[key])
+ theirversion = (secdict[key])
+ t1 = tuple([ourversion])
+ t2 = tuple([theirversion])
+ if (t1) <= (t2):
+ # Print Vulnerable Version\t Installed Version\t Link
+ for w in warn:
+ name = (w['name'])
+ url = (w['url'])
+ for version in w['versions']:
+ lastversion = version.get('lastVersion')
+ if name == key and secdict[key] == lastversion:
+ print("{0}:{1}\t{0}:{2}\t{3}".format(key, secdict[key], activedict[key], url))
+
+
 plugins_init.add_command(list_plugins, name='list')
 plugins_init.add_command(pinned)
 plugins_init.add_command(dynamic)
@@ -131,3 +185,4 @@ plugins_init.add_command(needs_update, name='needs-update')
 plugins_init.add_command(active)
 plugins_init.add_command(enabled)
 plugins_init.add_command(disabled)
+plugins_init.add_command(sec)
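Review bot: The vulnerability test in `sec` is a lexical string comparison — `tuple([ourversion]) <= tuple([theirversion])` is just `ourversion <= theirversion` on two str values — so an installed `1.9` against a warning whose lastVersion is `1.10` compares as newer and is never reported (a false negative for exactly the case this command exists to catch), while `1.10` against lastVersion `1.9` is reported although it is fixed; the comparison should be component-wise. The advisory feed is fetched over plain `http://` with no `timeout=` and no `r.raise_for_status()`, so a hung or failed fetch either blocks the command or surfaces as a KeyError on `['warnings']`, and a modified response would silently drop warnings. Because `secdict` is keyed by plugin name, a plugin with more than one warning keeps only the last `lastVersion` seen, and if a versions entry carries no `lastVersion` the stored `None` makes the comparison raise TypeError on Python 3 — presumably rare in the feed, but worth a guard. The `shared` list is appended to and never read. The body of `sec` is complete within the hunk; the proposed comparison helper and the changed lines follow.
```python
def _version_key(version):
    """Comparable key for a dotted version string; numeric parts compare as ints."""
    return tuple((0, int(part)) if part.isdigit() else (1, part)
                 for part in version.split('.'))


@click.command()
@click.pass_context
def sec(ctx):
    # … unchanged: docstring …
    r = requests.get('https://updates.jenkins-ci.org/update-center.actual.json',
                     timeout=30)
    r.raise_for_status()
    warn = r.json()['warnings']

    # … unchanged: build secdict and activedict …

    for key in set(secdict.keys()) & set(activedict.keys()):
        ourversion = activedict[key]
        theirversion = secdict[key]
        if theirversion is None:
            continue  # warning entry carried no lastVersion; nothing to compare
        if _version_key(ourversion) <= _version_key(theirversion):
            # … unchanged: print matching warnings …
```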
diff --git a/releasenotes/notes/lftools-jenkins-plugins-b4dbbf23454f659d.yaml b/releasenotes/notes/lftools-jenkins-plugins-b4dbbf23454f659d.yaml
new file mode 100644
index 00000000..55cb5207
--- /dev/null
+++ b/releasenotes/notes/lftools-jenkins-plugins-b4dbbf23454f659d.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - |
+ List active plugins that have a known vulnerability.