Suppress irrelevant Jenkins security warnings

Description

Security warnings for Jenkins and its plugins appear at the top of the "Manage Jenkins" page (/manage), but some of them aren't applicable to our installations. For example, these two warnings show consistently despite the fact that we've upgraded to not-vulnerable versions of the plugins in question and confirmed that any required mitigation has already been performed on build-jenkins and test-jenkins:

  • GitHub Pull Request Builder 1.42.0: GitHub access tokens stored in in build.xml

  • Environment Injector Plugin 2.1.5: Exposure of sensitive build variables stored by EnvInject 1.90 and earlier

To avoid training ourselves to ignore security warnings on this page, we should hide these two warnings on these servers. This is normally possible via an admin form, but we currently can't post changes to that form due to some CSRF bug (and the changes wouldn't survive an Ansible rebuild of the server anyway). So we should add the capability to suppress individual warnings to the jenkins-configuration repository. Code points of interest:

The relevant Jenkins code to use in the configuration groovy seems to be UpdateSiteWarningsConfiguration (see https://javadoc.jenkins-ci.org/). Unfortunately, this doesn't seem to be implemented in the Configuration as Code plugin either, so we can't use that as a reference (https://issues.jenkins-ci.org/browse/JENKINS-56057).

Steps to Reproduce

None

Current Behavior

None

Expected Behavior

None

Reason for Variance

None

Release Notes

None

User Impact Summary

None
Your pinned fields
Click on the next to a field label to start pinning.

Assignee

Unassigned

Reporter

Jeremy Bowman