Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade commons-beanutils 1.9.4 #827

Merged
merged 1 commit into from
Feb 24, 2021
Merged

Upgrade commons-beanutils 1.9.4 #827

merged 1 commit into from
Feb 24, 2021

Conversation

olamy
Copy link
Member

@olamy olamy commented Feb 23, 2021

Use last version of commons-beanutils as current one is subject to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114

Signed-off-by: olivier lamy [email protected]

@codecov
Copy link

codecov bot commented Feb 23, 2021

Codecov Report

Merging #827 (f81abe5) into master (0c1b8d1) will not change coverage.
The diff coverage is n/a.

Impacted file tree graph

@@            Coverage Diff            @@
##             master     #827   +/-   ##
=========================================
  Coverage     80.10%   80.10%           
  Complexity     1560     1560           
=========================================
  Files           243      243           
  Lines          5666     5666           
  Branches        422      422           
=========================================
  Hits           4539     4539           
  Misses          970      970           
  Partials        157      157           

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 0c1b8d1...f81abe5. Read the comment docs.

@olamy
Copy link
Member Author

olamy commented Feb 24, 2021

the failure doesn't look to be related to this change

@uhafner uhafner merged commit 9869a3b into jenkinsci:master Feb 24, 2021
@uhafner
Copy link
Member

uhafner commented Feb 24, 2021

Thanks!

@uhafner uhafner added the bug Bugs or performance problems label Feb 25, 2021
@olamy olamy deleted the commons-beanutils-1.9.4 branch March 8, 2021 20:41
@olamy
Copy link
Member Author

olamy commented Mar 22, 2021

@uhafner looking at release 8.10.1 this upgrade has not been included. Do you need a PR on a special branch? Thanks

@uhafner
Copy link
Member

uhafner commented Mar 22, 2021

Ah, seems that I removed that dependency since the warnings plugin is now based on a different Jenkins core version. During the migration I removed all unnecessary dependencies (and this dependency actually is only a transitive one).

Since the next release of the warnings plugin will not contain digester anymore, I think I need to move that dependency to somewhere else (analysis-model or plugin-util). Is commons-beanutils part of core already? Or are other plugins using this dependency as well?

@olamy
Copy link
Member Author

olamy commented Mar 22, 2021

commons-beanutils is part of core for sure.
But I'd like to have warnings-ng-plugin without the jar or at least with version 1.9.4.

wget -O plugin.hpi http://repo.jenkins-ci.org/public/io/jenkins/plugins/warnings-ng/8.10.1/warnings-ng-8.10.1.hpi
unzip -l plugin.hpi | grep beanutils
   246174  12-05-2018 11:41   WEB-INF/lib/commons-beanutils-1.9.3.jar

Even if it's not used some security scanner will see this version which have CVE attached and will flag the .hpi as not secured.

@uhafner
Copy link
Member

uhafner commented Mar 23, 2021

commons-beanutils is part of core for sure

Then it rather makes sense to exclude that dependency instead of declaring it as an explicit dependency?

@olamy
Copy link
Member Author

olamy commented Mar 23, 2021

yup if you don't use/need it. Just add exclusions.

@olamy
Copy link
Member Author

olamy commented Mar 24, 2021

@uhafner do you want me to provide a PR targeting master branch for this?

@uhafner
Copy link
Member

uhafner commented Mar 25, 2021

No, that is not required. I need to merge #842 first. Then the exclusion needs to be made in the analysis-model module and not in the warnings plugin.

@uhafner
Copy link
Member

uhafner commented Apr 11, 2021

@olamy finally released: https://github.com/jenkinsci/warnings-ng-plugin/releases/tag/v9.0.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Bugs or performance problems
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants