Merge remote-tracking branch 'upstream/master' into JENKINS-69731-scm-BRANCH_NAME

Signed-off-by: Jim Klimov <[email protected]>

Author: jimklimov

.github/workflows/jenkins-security-scan.yml

@@ -0,0 +1,21 @@
+name: Jenkins Security Scan
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    types: [ opened, synchronize, reopened ]
+  workflow_dispatch:
+
+permissions:
+  security-events: write
+  contents: read
+  actions: read
+
+jobs:
+  security-scan:
+    uses: jenkins-infra/jenkins-security-scan/.github/workflows/jenkins-security-scan.yaml@v2
+    with:
+      java-cache: 'maven' # Optionally enable use of a build dependency cache. Specify 'maven' or 'gradle' as appropriate.
+      # java-version: 21 # Optionally specify what version of Java to set up for the build, or remove to use a recent default.

.mvn/extensions.xml

@@ -2,6 +2,6 @@
   <extension>
     <groupId>io.jenkins.tools.incrementals</groupId>
     <artifactId>git-changelist-maven-extension</artifactId>
-    <version>1.7</version>
+    <version>1.8</version>
   </extension>
 </extensions>

pom.xml

@@ -28,7 +28,7 @@
     <parent>
         <groupId>org.jenkins-ci.plugins</groupId>
         <artifactId>plugin</artifactId>
-        <version>4.77</version>
+        <version>5.7</version>
         <relativePath/>
     </parent>
     <groupId>io.jenkins.plugins</groupId>
@@ -63,15 +63,18 @@
     </pluginRepositories>
     <properties>
         <changelist>999999-SNAPSHOT</changelist>
-        <jenkins.version>2.414.3</jenkins.version>
+        <!-- https://www.jenkins.io/doc/developer/plugin-development/choosing-jenkins-baseline/ -->
+        <jenkins.baseline>2.479</jenkins.baseline>
+        <jenkins.version>${jenkins.baseline}.1</jenkins.version>
         <gitHubRepo>jenkinsci/${project.artifactId}-plugin</gitHubRepo>
+        <useBeta>true</useBeta>
     </properties>
     <dependencyManagement>
         <dependencies>
             <dependency>
                 <groupId>io.jenkins.tools.bom</groupId>
-                <artifactId>bom-2.414.x</artifactId>
-                <version>2705.vf5c48c31285b_</version>
+                <artifactId>bom-${jenkins.baseline}.x</artifactId>
+                <version>3893.v213a_42768d35</version>
                 <scope>import</scope>
                 <type>pom</type>
             </dependency>
@@ -82,7 +85,7 @@
         <dependency>
             <groupId>org.apache.ivy</groupId>
             <artifactId>ivy</artifactId>
-            <version>2.5.2</version>
+            <version>2.5.3</version>
         </dependency>
 
         <!-- required plugins -->
@@ -135,6 +138,13 @@
         </dependency>
 
         <!-- test only plugins -->
+        <dependency>
+            <!-- GlobalUntrustedLibrariesTest#configRoundtrip -->
+            <groupId>io.jenkins.plugins</groupId>
+            <artifactId>manage-permission</artifactId>
+            <version>1.0.1</version>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.jenkins-ci.plugins.workflow</groupId>
             <artifactId>workflow-support</artifactId>
@@ -186,32 +196,5 @@
             <classifier>tests</classifier>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>org.jenkins-ci.plugins</groupId>
-            <artifactId>subversion</artifactId>
-            <scope>test</scope>
-            <exclusions>
-                <exclusion>
-                    <groupId>org.apache.sshd</groupId>
-                    <artifactId>sshd-common</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.apache.sshd</groupId>
-                    <artifactId>sshd-core</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
-        <dependency>
-            <groupId>org.jenkins-ci.plugins</groupId>
-            <artifactId>subversion</artifactId>
-            <classifier>tests</classifier>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.tmatesoft.svnkit</groupId>
-            <artifactId>svnkit-cli</artifactId>
-            <version>1.10.10</version>
-            <scope>test</scope>
-        </dependency>
     </dependencies>
 </project>

src/main/java/org/jenkinsci/plugins/workflow/cps/global/GrapeHack.java

@@ -35,11 +35,20 @@
 import java.net.URLClassLoader;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import org.apache.ivy.core.cache.DefaultRepositoryCacheManager;
+import org.apache.ivy.core.cache.RepositoryCacheManager;
+import org.apache.ivy.core.settings.IvySettings;
+import org.apache.ivy.plugins.lock.LockStrategy;
+import org.apache.ivy.plugins.lock.NoLockStrategy;
 
 public class GrapeHack {
 
     private static final Logger LOGGER = Logger.getLogger(GrapeHack.class.getName());
 
+    @SuppressFBWarnings(value = "MS_SHOULD_BE_FINAL", justification = "for script console")
+    public static boolean DISABLE_NIO_FILE_LOCK =
+            Boolean.getBoolean(GrapeHack.class.getName() + ".DISABLE_NIO_FILE_LOCK");
+
     @SuppressFBWarnings(value="DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED", justification="the least of our concerns")
     @Initializer(after=InitMilestone.PLUGINS_PREPARED, fatal=false)
     public static void hack() throws Exception {
@@ -63,6 +72,32 @@ public static void hack() throws Exception {
         l = engine.getClass().getClassLoader();
         LOGGER.log(Level.FINE, "was also able to load {0}", l.loadClass(ivyGrabRecordName));
         LOGGER.log(Level.FINE, "linked to {0}", l.loadClass("org.apache.ivy.core.module.id.ModuleRevisionId").getProtectionDomain().getCodeSource().getLocation());
+        if (!DISABLE_NIO_FILE_LOCK) {
+            try {
+                /*
+                 * We must use reflection instead of simply casting to GrapeIvy and invoking directly due to the use of
+                 * MaskingClassLoader a few lines above.
+                 */
+                IvySettings settings = (IvySettings) c.getMethod("getSettings").invoke(instance.get(null));
+                RepositoryCacheManager repositoryCacheManager = settings.getDefaultRepositoryCacheManager();
+                if (repositoryCacheManager instanceof DefaultRepositoryCacheManager) {
+                    DefaultRepositoryCacheManager defaultRepositoryCacheManager =
+                            (DefaultRepositoryCacheManager) repositoryCacheManager;
+                    LockStrategy lockStrategy = defaultRepositoryCacheManager.getLockStrategy();
+                    LOGGER.log(Level.FINE, "default lock strategy {0}", lockStrategy);
+                    if (lockStrategy == null || lockStrategy instanceof NoLockStrategy) {
+                        lockStrategy = settings.getLockStrategy("artifact-lock-nio");
+                        if (lockStrategy != null) {
+                            defaultRepositoryCacheManager.setLockStrategy(lockStrategy.getName());
+                            defaultRepositoryCacheManager.setLockStrategy(lockStrategy);
+                        }
+                    }
+                    LOGGER.log(Level.FINE, "using lock strategy {0}", defaultRepositoryCacheManager.getLockStrategy());
+                }
+            } catch (RuntimeException | LinkageError x) {
+                LOGGER.log(Level.FINE, "failed to enable NIO file lock", x);
+            }
+        }
     }
 
     private GrapeHack() {}

src/main/java/org/jenkinsci/plugins/workflow/libs/AbstractGlobalLibraries.java

@@ -0,0 +1,100 @@
+/*
+ * The MIT License
+ *
+ * Copyright 2024 CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package org.jenkinsci.plugins.workflow.libs;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.model.ItemGroup;
+import hudson.model.Job;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+import jenkins.model.GlobalConfiguration;
+import jenkins.model.Jenkins;
+import net.sf.json.JSONObject;
+import org.kohsuke.stapler.StaplerRequest2;
+
+/**
+ * Common code between {@link GlobalLibraries} and {@link GlobalUntrustedLibraries}.
+ */
+public abstract class AbstractGlobalLibraries extends GlobalConfiguration {
+    private List<LibraryConfiguration> libraries = new ArrayList<>();
+
+    protected AbstractGlobalLibraries() {
+        load();
+    }
+
+    public abstract String getDescription();
+
+    public List<LibraryConfiguration> getLibraries() {
+        return libraries;
+    }
+
+    public void setLibraries(List<LibraryConfiguration> libraries) {
+        this.libraries = libraries;
+        save();
+    }
+
+    @Override public boolean configure(StaplerRequest2 req, JSONObject json) throws FormException {
+        if (Jenkins.get().hasPermission(getRequiredGlobalConfigPagePermission())) {
+            setLibraries(Collections.emptyList()); // allow last library to be deleted
+            return super.configure(req, json);
+        } else {
+            return true;
+        }
+    }
+
+    abstract static class AbstractForJob extends LibraryResolver {
+        @NonNull
+        protected abstract AbstractGlobalLibraries getConfiguration();
+
+        @NonNull @Override public final Collection<LibraryConfiguration> forJob(@NonNull Job<?,?> job, @NonNull Map<String,String> libraryVersions) {
+            return getLibraries();
+        }
+
+        @NonNull @Override public final Collection<LibraryConfiguration> fromConfiguration(@NonNull StaplerRequest2 request) {
+            if (Jenkins.get().hasPermission(getConfiguration().getRequiredGlobalConfigPagePermission())) {
+                return getLibraries();
+            }
+            return Collections.emptySet();
+        }
+
+        @NonNull @Override public final Collection<LibraryConfiguration> suggestedConfigurations(@NonNull ItemGroup<?> group) {
+            return getLibraries();
+        }
+
+        private List<LibraryConfiguration> getLibraries() {
+            return getConfiguration()
+                    .getLibraries()
+                    .stream()
+                    .map(this::mayWrapLibrary)
+                    .collect(Collectors.toList());
+        }
+
+        @NonNull
+        protected abstract LibraryConfiguration mayWrapLibrary(@NonNull LibraryConfiguration library);
+    }
+}

src/main/java/org/jenkinsci/plugins/workflow/libs/FolderLibraries.java

@@ -38,7 +38,7 @@
 import edu.umd.cs.findbugs.annotations.CheckForNull;
 import net.sf.json.JSONObject;
 import org.kohsuke.stapler.DataBoundConstructor;
-import org.kohsuke.stapler.StaplerRequest;
+import org.kohsuke.stapler.StaplerRequest2;
 
 /**
  * Like {@link GlobalLibraries} but scoped to a folder.
@@ -57,7 +57,7 @@ public List<LibraryConfiguration> getLibraries() {
 
     @Extension public static class DescriptorImpl extends AbstractFolderPropertyDescriptor {
 
-        @Override public AbstractFolderProperty<?> newInstance(StaplerRequest req, JSONObject formData) throws FormException {
+        @Override public AbstractFolderProperty<?> newInstance(StaplerRequest2 req, JSONObject formData) throws FormException {
             FolderLibraries prop = (FolderLibraries) super.newInstance(req, formData);
             return prop.libraries.isEmpty() ? null : prop;
         }
@@ -91,7 +91,7 @@ private Collection<LibraryConfiguration> forGroup(@CheckForNull ItemGroup<?> gro
             return forGroup(job.getParent(), false);
         }
 
-        @Override public Collection<LibraryConfiguration> fromConfiguration(StaplerRequest request) {
+        @Override public Collection<LibraryConfiguration> fromConfiguration(StaplerRequest2 request) {
             return forGroup(request.findAncestorObject(AbstractFolder.class), true);
         }