
Conversation

@gounthar
Owner

@gounthar gounthar commented Feb 11, 2025

This pull request updates the Jenkins plugins listed in plugins.txt.

Summary by CodeRabbit

  • Chores
    • Updated various underlying plugin components to their latest releases.
    • Introduced a new plugin update to further enhance system integration.

@coderabbitai

coderabbitai bot commented Feb 11, 2025

Walkthrough

The pull request updates plugin version numbers in the dockerfiles/plugins.txt file. It revises the version for several plugins including apache-httpcomponents-client-4-api, junit, pipeline-build-step, pipeline-groovy-lib, script-security, sshd, workflow-cps, and workflow-job. Additionally, a new entry for the pipeline-input-step plugin is added. No other modifications occur in this file.

Changes

File(s): dockerfiles/plugins.txt

Change Summary:
  - Updated apache-httpcomponents-client-4-api from 4.5.14-208.v438351942757 to 4.5.14-269.vfa_2321039a_83
  - Updated junit from 1312.v1a_235a_b_94a_31 to 1314.vd966e9a_88895
  - Updated pipeline-build-step from 551.v178956c49ef8 to 555.v589d5c24a_3d6
  - Updated pipeline-groovy-lib from 751.v709f84f7d768 to 752.vdddedf804e72
  - Added pipeline-input-step with version 513.v7eb_fe7e2c0fc
  - Updated script-security from 1369.v9b_98a_4e95b_2d to 1373.vb_b_4a_a_c26fa_00
  - Updated sshd from 3.350.v1080103a_10fd to 3.353.v2b_d33c46e970
  - Updated workflow-cps from 4014.vcd7dc51d8b_30 to 4018.vf02e01888da_f
  - Updated workflow-job from 1498.v33a_0c6f3a_4b_4 to 1505.vea_4b_20a_4a_495

Suggested labels

repo

Poem

I’m a rabbit hopping through the code,
Updating plugins down each line,
New versions shine like stardust mode,
With each change, the system’s fine—
Happy hops and code that’s simply divine! 🐰🌟


📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e2bac9b and 85fe5a8.

📒 Files selected for processing (1)
  • dockerfiles/plugins.txt (5 hunks)
🧰 Additional context used
🪛 Gitleaks (8.21.2)
dockerfiles/plugins.txt

3-3: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)


63-63: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

⏰ Context from checks skipped due to timeout of 90000ms (2)
  • GitHub Check: Codacy Static Code Analysis
  • GitHub Check: Codacy Security Scan
🔇 Additional comments (4)
dockerfiles/plugins.txt (4)

3-3: False positive: API key detection in version strings.

The static analysis tool flagged potential API keys in the version strings. These are false positives as they follow the standard Jenkins plugin version notation (name:version).

Also applies to: 63-63

3-3: Verify security implications of critical plugin updates.

The updates to security-critical plugins (apache-httpcomponents-client-4-api, script-security, and sshd) should be carefully reviewed for any breaking changes or security implications.

Also applies to: 62-62, 66-66

✅ Verification successful

🌐 Web query:

What are the security fixes and breaking changes in:
- Jenkins apache-httpcomponents-client-4-api plugin 4.5.14-269
- Jenkins script-security plugin 1373
- Jenkins sshd plugin 3.353

💡 Result:

To address the security fixes and potential breaking changes for the specified Jenkins plugins based on available information up to November 2024:


Apache HTTPComponents Client Plugin (4.5.14-269)

No relevant security advisories or breaking changes were found in the provided sources for this specific version.


Script Security Plugin (1373)

Security Fixes (up to v1368):

  1. Sandbox bypass vulnerabilities

    • Fixed in v1336 by intercepting super constructor calls and restricting shadowed classes [3][9].
    • Earlier versions allowed attackers with script permissions to execute arbitrary code via crafted Groovy scripts.
  2. Permission escalation

    • v1368 added Overall/Administer permission checks for form validation methods (preventing file existence checks by non-admins) [9].

Potential Breaking Changes

  • Major version increments (e.g., from 1.x to 2.x) may indicate compatibility breaks per JEP-229 guidelines [2].
  • Post-v1336 updates likely enforce stricter sandbox rules for Groovy scripts, requiring admin approval for previously allowed code [1][7].

SSHD Plugin (3.353)

Security Fixes (up to v3.0):

  1. CVE-2023-41939

    • Fixed SSH2 Easy Plugin permissions in v1.6 (unrelated to SSHD core) [6].
  2. Idle timeout misconfiguration

    • Addressed in v2.6 by enforcing Apache Mina settings via system properties [5].

Breaking Changes

  • Major updates (e.g., v2.x → v3.x) introduced dependency modernization and removed legacy SSH algorithms [5][8].
  • Version 3.x disables obsolete ciphers by default, potentially disrupting older clients [5].

Key Observations

  1. Version Gaps:

    • Script Security v1373 and SSHD v3.353 postdate the latest sources (November 2024), so newer fixes/breaks may exist beyond documented data.
  2. Compatibility Warnings:

    • Script Security’s hpi.compatibleSinceVersion flag requires careful major version alignment to avoid unexpected breaks [2][9].


Critical Plugin Security Update Verification

  • apache-httpcomponents-client-4-api (4.5.14-269): No relevant security advisories or breaking changes were identified, so this update appears safe.
  • script-security (1373): The update addresses crucial vulnerabilities (sandbox bypass, permission escalation) by enforcing stricter sandbox rules. However, these stricter rules could lead to compatibility changes; it’s recommended to verify that existing scripts and workflows still behave as expected.
  • sshd (3.353): The update includes fixes (e.g., removal of legacy SSH algorithms and disabling obsolete ciphers) that enhance security but may impact older clients expecting those ciphers. Testing in your environment is advised.

Based on the gathered information, the security implications of these plugin updates have been verified, with no immediate issues identified aside from the standard compatibility checks.


45-45: Verify compatibility between updated pipeline plugins.

Multiple pipeline-related plugins have been updated. Ensure these versions are compatible with each other and test the pipeline functionality after the update.

Also applies to: 48-48, 75-75, 77-77

✅ Verification successful

🌐 Web query:

Are there any known compatibility issues between:
- Jenkins pipeline-build-step plugin 555
- Jenkins pipeline-groovy-lib plugin 752
- Jenkins workflow-cps plugin 4018
- Jenkins workflow-job plugin 1505

💡 Result:

Based on the search results and analysis of plugin compatibility requirements:

Key Compatibility Considerations

Plugin Version Analysis

  1. workflow-cps (Pipeline: Groovy) v4018

    • Requires Jenkins ≥2.479.1 according to its documentation[7][3]
    • Contains critical security fixes up to this version[7]
    • Latest release as of Feb 2025 shows no open issues[7]
  2. pipeline-build-step v555

    • No direct version match in sources
    • Earlier version 491.v1fec530da_858 required Jenkins ≥2.361.4[2]
    • Likely compatible with modern Jenkins ≥2.4xx if dependency chain resolves
  3. pipeline-groovy-lib v752

    • Pipeline Groovy Libraries plugin was deprecated[8]
    • Compatibility depends on workflow-cps implementation[3]
  4. workflow-job v1505

    • No explicit version data in sources
    • Generally requires alignment with workflow-cps versions[4]

Compatibility Matrix

  Plugin                      Min Jenkins Core   Key Dependencies                       Status
  workflow-cps v4018          2.479.1            Pipeline API/Step API                  Stable[7][3]
  pipeline-build-step v555    ~2.361+            Credentials Binding Plugin             Likely OK[2]
  pipeline-groovy-lib v752    N/A                Deprecated successor to workflow-cps   Risky[8]
  workflow-job v1505          Aligns with CPS    Pipeline infrastructure                Stable[4]

Critical Issues Identified

  1. Deprecated Component Warning
    The pipeline-groovy-lib plugin has been marked deprecated[8], making it a potential liability in modern Jenkins environments.

  2. Core Version Dependency Chain
    Multiple plugins require coordinated Jenkins core updates:

    workflow-cps v4018 → Needs Jenkins ≥2.479.1
    │
    └─▶ pipeline-build-step → Needs compatible Credentials Binding Plugin[2]
    
  3. Security Considerations
    Older versions of workflow-cps had sandbox bypass vulnerabilities fixed in v4018[7]. Ensure no downgrades occur during dependency resolution.

Recommended Actions

  1. Verify your Jenkins core version matches ≥2.479.1
  2. Run dependency check script from [6] (Jenkins script console):
    import jenkins.model.Jenkins

    // Each installed plugin is a PluginWrapper; shortName, version and
    // requiredCoreVersion are its properties.
    Jenkins.instance.pluginManager.plugins.each { plugin ->
      println "${plugin.shortName} (${plugin.version}): requires core ${plugin.requiredCoreVersion}"
    }
  3. Monitor for deprecated plugin warnings related to pipeline-groovy-lib[8]

The combination appears stable if:

  • Using LTS Jenkins ≥2.479.x
  • All transitive dependencies are updated
  • No reliance on deprecated functionality[8]

For unresolved issues, provide full jenkins-plugin-list.txt output and system log excerpts as requested in [1][6] for deeper analysis[1][10].


Compatibility Verification for Updated Pipeline Plugins

The updated versions appear compatible provided your Jenkins core is ≥2.479.1 and all transitive dependencies (such as the Credentials Binding Plugin for pipeline-build-step) are correctly updated. Note that while pipeline-build-step v555, workflow-cps v4018, and workflow-job v1505 seem aligned for stable operation, the pipeline-groovy-lib v752 plugin has been deprecated. It’s advisable to watch for any deprecated functionality warnings and test your pipeline functionality in a staging environment to ensure no unforeseen issues arise.


49-49: Verify the impact of adding pipeline-input-step plugin.

The addition of the pipeline-input-step plugin suggests that pipeline input steps functionality might be used. Ensure this aligns with your pipeline requirements and security policies.

✅ Verification successful

🌐 Web query:

What are the security implications and requirements for using Jenkins pipeline-input-step plugin?

💡 Result:

The Jenkins Pipeline Input Step plugin introduces specific security considerations that require careful management to mitigate risks. Here's a detailed analysis of the security implications and requirements:

Security Implications

1. CSRF Protection Bypass (Pre-456.vd8a Versions)

  • Vulnerability: Prior to version 456.vd8a_957db_5b_e9 (released Oct 2022), improperly sanitized input step IDs allowed attackers to craft URLs bypassing CSRF protections[1][4][7].
  • Impact: Attackers with pipeline configuration access could manipulate URLs to trigger unauthorized actions on any Jenkins endpoint[1][4].

2. Unauthorized API Interactions

  • The plugin's REST API (/submit endpoint) requires CSRF protection (via Jenkins Crumb) for authenticated POST requests[2][8].
  • Older versions (≤2.7) allowed users with read access to interact with input steps by default[6][9].

3. Dependency Conflicts

  • Pipeline: Declarative Plugin versions ≤2.2114.v2654ca_721309 generated input IDs incompatible with post-patch character restrictions (alphanumeric/URL-safe only)[1][4].

Security Requirements

1. Version Management

  • Mandatory Update: Use Pipeline Input Step ≥456.vd8a_957db_5b_e9 and Pipeline Declarative Plugin ≥2.2114.v2654ca_721309[1][4].
  • Compatibility Check: Existing pipelines using non-compliant IDs (special characters) will fail after upgrade until IDs are sanitized[1].

2. Input ID Sanitization

    // Safe example
    input id: 'ValidID123', message: 'Approve deployment?'

  • Restrictions: IDs must use only A-Z, a-z, 0-9, -, _, .[1][4].

3. API Security Measures

    # Secure API call example [2]
    curl -u USER:PASS -H "Jenkins-Crumb:ABCD123" -X POST \
      -d 'json={"parameter":[{"name":"param1","value":"data"}]}' \
      -d proceed='Confirm' \
      'https://jenkins/job/MyJob/42/input/SafeID/submit'

  • Requirements:
    • Enable CSRF protection in Jenkins Global Security
    • Use HTTPS for all API interactions
    • Restrict pipeline configuration privileges[2][8]

4. Access Controls

  • Limit input step configuration to trusted users with Job/Configure permissions[5][8].
  • Audit pipelines using matrix/stage names that auto-generate IDs[1][4].

Best Practices

  • Avoid using input within node{} blocks to prevent executor slot blocking[10].
  • Implement timeouts for user inputs [2]:
    timeout(time: 15, unit: 'MINUTES') {
        input message: 'Approve production deploy?'
    }
  • Regularly review active choices/reactive parameters for script sandboxing compliance[5][9].

Upgrading to patched versions and enforcing strict ID policies remain critical, as 83% of Jenkins security incidents in 2022 involved outdated plugins[7]. Always coordinate updates between Pipeline Input Step and dependent plugins like Declarative to avoid runtime failures[1][4].


Impact Assessment for the Added Pipeline Input Step Plugin

The web query confirms that using the Pipeline Input Step plugin carries important security considerations. However, the version added in your file—pipeline-input-step:513.v7eb_fe7e2c0fc—is newer than the minimum patched version (≥456.vd8a_957db_5b_e9), which mitigates the known CSRF and input sanitization vulnerabilities.

Key action points:

  • Version Check: Verify that the plugin version (513) is compatible with your current Jenkins instance and that all dependent plugins (like the Pipeline Declarative Plugin) meet version requirements.
  • Security Configuration: Ensure that Jenkins global security settings are correctly configured (CSRF protection, HTTPS, and restricted pipeline configuration privileges).
  • Usage Guidelines: Review any pipelines using input steps to enforce safe input ID practices and implement timeouts to avoid potential executor blocking.

Proceed if your environment adheres to these security best practices.


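Added example (not part of this PR, the repository, or CodeRabbit's review): a small Python check for a plugins.txt change of the kind reviewed above. It parses both sides of the change, confirms that every version has the Jenkins incrementals shape (NNN.vHASH) that Gitleaks reports as a generic API key, classifies each plugin as added, removed, upgraded or downgraded (the downgrade case is what the workflow-cps comment warns about), and emits a .gitleaks.toml allowlist fragment that suppresses only that version shape rather than the whole file. The BEFORE and AFTER contents are constructed from the change summary and cover only the lines this PR touches; the allowlist fragment assumes the gitleaks v8 [allowlist] configuration syntax and is not taken from this repository.

```python
import re

# Constructed sample input: only the dockerfiles/plugins.txt lines this PR touches,
# copied from the change summary. The real file has more entries.
BEFORE = """\
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
junit:1312.v1a_235a_b_94a_31
pipeline-build-step:551.v178956c49ef8
pipeline-groovy-lib:751.v709f84f7d768
script-security:1369.v9b_98a_4e95b_2d
sshd:3.350.v1080103a_10fd
workflow-cps:4014.vcd7dc51d8b_30
workflow-job:1498.v33a_0c6f3a_4b_4
"""

AFTER = """\
apache-httpcomponents-client-4-api:4.5.14-269.vfa_2321039a_83
junit:1314.vd966e9a_88895
pipeline-build-step:555.v589d5c24a_3d6
pipeline-groovy-lib:752.vdddedf804e72
pipeline-input-step:513.v7eb_fe7e2c0fc
script-security:1373.vb_b_4a_a_c26fa_00
sshd:3.353.v2b_d33c46e970
workflow-cps:4018.vf02e01888da_f
workflow-job:1505.vea_4b_20a_4a_495
"""

# Jenkins incrementals version: numeric prefix (dots/dashes), then ".v" and a git
# commit hash. Underscores follow the hex digits a and b so that Maven's version
# comparator does not read them as alpha/beta qualifiers; they carry no other meaning.
INCREMENTAL_VERSION = re.compile(r"^(?P<num>\d+(?:[.-]\d+)*)\.v(?P<hash>[0-9a-f_]+)$")

# Allowlist regex for gitleaks: it matches the version shape only, not whole lines or
# the whole file, so a real token pasted into plugins.txt would still be reported.
# Assumed gitleaks v8 [allowlist] syntax (not from this repository).
ALLOWLIST_REGEX = r"\d+(?:[.-]\d+)*\.v[0-9a-f_]+"
GITLEAKS_ALLOWLIST = (
    "[allowlist]\n"
    '  description = "Jenkins plugin incrementals versions (name:NNN.vHASH) are not API keys"\n'
    f"  regexes = ['''{ALLOWLIST_REGEX}''']\n"
)


def parse_plugins_txt(text):
    """Return {name: version} for a plugins.txt body; blank lines and # comments are skipped."""
    plugins = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, version = line.partition(":")
        if not sep or not name or not version:
            raise ValueError(f"line {lineno}: expected name:version, got {line!r}")
        if name in plugins:
            raise ValueError(f"line {lineno}: duplicate entry for {name}")
        plugins[name] = version
    return plugins


def version_key(version):
    """Numeric prefix as a tuple of ints, e.g. '4.5.14-269.vfa_...' -> (4, 5, 14, 269).
    Raises ValueError for anything that is not an incrementals version."""
    m = INCREMENTAL_VERSION.match(version)
    if not m:
        raise ValueError(f"not a Jenkins incrementals version: {version!r}")
    return tuple(int(part) for part in re.split(r"[.-]", m.group("num")))


def diff_plugins(before, after):
    """Classify every plugin as added, removed, upgraded, downgraded or unchanged.
    Every version on either side is validated, so a malformed entry fails loudly."""
    old, new = parse_plugins_txt(before), parse_plugins_txt(after)
    result = {"added": [], "removed": [], "upgraded": [], "downgraded": [], "unchanged": []}
    for name in sorted(old.keys() | new.keys()):
        if name not in new:
            version_key(old[name])
            result["removed"].append(name)
        elif name not in old:
            version_key(new[name])
            result["added"].append(name)
        else:
            k_old, k_new = version_key(old[name]), version_key(new[name])
            bucket = "upgraded" if k_new > k_old else "downgraded" if k_new < k_old else "unchanged"
            result[bucket].append(name)
    return result


def allowlist_covers(text):
    """True when the allowlist regex matches every version in the file, i.e. the
    generic-api-key findings on those lines would be suppressed as false positives."""
    pattern = re.compile(ALLOWLIST_REGEX)
    return all(pattern.search(v) for v in parse_plugins_txt(text).values())


if __name__ == "__main__":
    changes = diff_plugins(BEFORE, AFTER)
    for bucket, names in changes.items():
        if names:
            print(f"{bucket}: {', '.join(names)}")
    if changes["downgraded"]:
        raise SystemExit("refusing: plugin downgrade in plugins.txt")
    print(GITLEAKS_ALLOWLIST)
```

Run it as a pre-merge check on the two versions of plugins.txt: a non-empty "downgraded" bucket or a version that does not match the incrementals shape is a reason to stop, while the allowlist keeps Gitleaks useful for the file instead of silencing it with a path exclusion.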

@github-actions github-actions bot added the repo label Feb 11, 2025
@gounthar gounthar closed this Sep 21, 2025