Suppress irrelevant Jenkins security warnings

Description

Security warnings for Jenkins and its plugins appear at the top of the "Manage Jenkins" page (/manage), but some of them aren't applicable to our installations. For example, these two warnings show consistently despite the fact that we've upgraded to not-vulnerable versions of the plugins in question and confirmed that any required mitigation has already been performed on build-jenkins and test-jenkins:

  • GitHub Pull Request Builder 1.42.0: GitHub access tokens stored in in build.xml

  • Environment Injector Plugin 2.1.5: Exposure of sensitive build variables stored by EnvInject 1.90 and earlier

To avoid training ourselves to ignore security warnings on this page, we should hide these two warnings on these servers. This is normally possible via an admin form, but we currently can't post changes to that form due to some CSRF bug (and the changes wouldn't survive an Ansible rebuild of the server anyway). So we should add the capability to suppress individual warnings to the jenkins-configuration repository. Code points of interest:

The relevant Jenkins code to use in the configuration groovy seems to be UpdateSiteWarningsConfiguration (see https://javadoc.jenkins-ci.org/). Unfortunately, this doesn't seem to be implemented in the Configuration as Code plugin either, so we can't use that as a reference (https://issues.jenkins-ci.org/browse/JENKINS-56057).

Assignee

Unassigned

Reporter

Jeremy Bowman

Priority

Unset