Remove historical documentation #2822

Merged: timja merged 2 commits into jenkinsci:master from somiljain2006:Secrets-todo-fix on Apr 9, 2026

Conversation

@somiljain2006
Contributor

@somiljain2006 somiljain2006 commented Apr 9, 2026

Replaced the TODO placeholder in secrets.adoc with a reference to the published Jenkins Security Advisory for SECURITY-1446 (CVE-2019-10362). The advisory documents the variable interpolation vulnerability in previously exported configurations and the fix introduced in JCasC 1.25, which aligns with the behavior described in this section.

Your checklist for this pull request

🚨 Please review the guidelines for contributing to this repository.

  • Make sure you are requesting to pull a topic/feature/bugfix branch (right side) and not your master branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or in Jenkins JIRA
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Did you provide a test-case? That demonstrates a feature that works or fixes the issue.

@somiljain2006 somiljain2006 requested a review from a team as a code owner April 9, 2026 14:25
Member

@timja timja left a comment

Fine to add, but at this point we could probably remove the section as it's very historical.

@timja timja added the documentation label (A PR that adds to documentation - used by Release Drafter) Apr 9, 2026
@timja timja enabled auto-merge (squash) April 9, 2026 14:48
auto-merge was automatically disabled April 9, 2026 15:29

Head branch was pushed to by a user without write access

@timja timja changed the title from "Add SECURITY-1446 advisory link to secrets documentation" to "Remove historical documentation" Apr 9, 2026
@timja timja enabled auto-merge (squash) April 9, 2026 15:41
Member

@oleg-nenashev oleg-nenashev left a comment

I would keep Security Considerations at least. "In some cases non-admin users can contribute to JCasC exports if they have some permissions (e.g. agent/view configuration or credentials management)," is still relevant IMHO. The compatibility ones can be removed indeed, while keeping the actual behavior.

Leaving the decision to the current maintainers, so no strong vote.

@timja timja disabled auto-merge April 9, 2026 16:08
@timja
Member

timja commented Apr 9, 2026

> I would keep Security Considerations at least. "In some cases non-admin users can contribute to JCasC exports if they have some permissions (e.g. agent/view configuration or credentials management)," is still relevant IMHO. The compatibility ones can be removed indeed, while keeping the actual behavior.

Reading the docs, it all seems related to the security issue. The agent view one is people putting variables in to get secrets out, but those have been escaped for a long time.

@timja timja merged commit 1d37a8e into jenkinsci:master Apr 9, 2026
17 checks passed
@somiljain2006 somiljain2006 deleted the Secrets-todo-fix branch April 10, 2026 03:21