Merge branch 'master' into logging-exMTL

Author: jimklimov

.github/workflows/jenkins-security-scan.yml

@@ -0,0 +1,20 @@
+name: Jenkins Security Scan
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    types: [ opened, synchronize, reopened ]
+  workflow_dispatch:
+
+permissions:
+  security-events: write
+  contents: read
+  actions: read
+
+jobs:
+  security-scan:
+    uses: jenkins-infra/jenkins-security-scan/.github/workflows/jenkins-security-scan.yaml@v2
+    with:
+      java-cache: 'maven' # Optionally enable use of a build dependency cache. Specify 'maven' or 'gradle' as appropriate.

.mvn/extensions.xml

@@ -2,6 +2,6 @@
   <extension>
     <groupId>io.jenkins.tools.incrementals</groupId>
     <artifactId>git-changelist-maven-extension</artifactId>
-    <version>1.7</version>
+    <version>1.8</version>
   </extension>
 </extensions>

Jenkinsfile

@@ -5,7 +5,8 @@ https://github.com/jenkins-infra/pipeline-library/
 
 */
 buildPlugin(
-  useContainerAgent: true, // Set to `false` if you need to use Docker for containerized tests
+  forkCount: '1C',
+  useContainerAgent: true,
   configurations: [
     [platform: 'linux', jdk: 21],
     [platform: 'windows', jdk: 17],

lib/pom.xml

@@ -50,7 +50,7 @@
         <plugin>
             <groupId>org.codehaus.mojo</groupId>
             <artifactId>exec-maven-plugin</artifactId>
-            <version>3.2.0</version>
+            <version>3.5.0</version>
             <executions>
                 <execution>
                     <phase>generate-sources</phase>
@@ -61,6 +61,8 @@
                         <sourceRoot>${project.build.directory}/generated-sources/dgm</sourceRoot>
                         <executable>java</executable>
                         <arguments>
+                            <!-- Workaround for CodeQL support on JDK17+, see https://github.com/jenkinsci/workflow-cps-plugin/pull/901. -->
+                            <argument>--add-opens=jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED</argument>
                             <argument>-jar</argument>
                             <argument>${project.build.directory}/groovy-cps-dgm-builder-${project.version}-jar-with-dependencies.jar</argument>
                             <argument>${project.build.directory}/generated-sources/dgm</argument>

plugin/pom.xml

@@ -49,8 +49,8 @@
         <dependencies>
             <dependency>
                 <groupId>io.jenkins.tools.bom</groupId>
-                <artifactId>bom-2.414.x</artifactId>
-                <version>2982.vdce2153031a_0</version>
+                <artifactId>bom-${jenkins.baseline}.x</artifactId>
+                <version>4023.va_eeb_b_4e45f07</version>
                 <scope>import</scope>
                 <type>pom</type>
             </dependency>
@@ -80,7 +80,6 @@
         <dependency>
             <groupId>org.jenkins-ci.plugins</groupId>
             <artifactId>script-security</artifactId>
-            <version>1336.vf33a_a_9863911</version>
         </dependency>
         <dependency>
             <groupId>org.jenkins-ci.plugins</groupId>
@@ -225,47 +224,32 @@
             <scope>test</scope>
         </dependency>
         <dependency>
-            <groupId>org.jenkins-ci.plugins</groupId>
-            <artifactId>subversion</artifactId>
+            <groupId>org.testcontainers</groupId>
+            <artifactId>testcontainers</artifactId>
+            <version>1.20.4</version>
             <scope>test</scope>
             <exclusions>
+                <!-- Provided by Jenkins core -->
                 <exclusion>
-                    <groupId>org.apache.sshd</groupId>
-                    <artifactId>sshd-common</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.apache.sshd</groupId>
-                    <artifactId>sshd-core</artifactId>
+                    <groupId>org.slf4j</groupId>
+                    <artifactId>slf4j-api</artifactId>
                 </exclusion>
             </exclusions>
         </dependency>
         <dependency>
-            <groupId>org.jenkins-ci.plugins</groupId>
-            <artifactId>subversion</artifactId>
-            <classifier>tests</classifier>
+            <groupId>org.awaitility</groupId>
+            <artifactId>awaitility</artifactId>
+            <version>4.2.2</version>
             <scope>test</scope>
         </dependency>
         <dependency>
-            <groupId>org.testcontainers</groupId>
-            <artifactId>testcontainers</artifactId>
-            <version>1.19.7</version>
+            <groupId>io.jenkins</groupId>
+            <artifactId>configuration-as-code</artifactId>
             <scope>test</scope>
-            <exclusions>
-                <!-- Provided by Jenkins core -->
-                <exclusion>
-                    <groupId>org.apache.commons</groupId>
-                    <artifactId>commons-compress</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.slf4j</groupId>
-                    <artifactId>slf4j-api</artifactId>
-                </exclusion>
-            </exclusions>
         </dependency>
         <dependency>
-            <groupId>org.tmatesoft.svnkit</groupId>
-            <artifactId>svnkit-cli</artifactId>
-            <version>1.10.10</version>
+            <groupId>io.jenkins.configuration-as-code</groupId>
+            <artifactId>test-harness</artifactId>
             <scope>test</scope>
         </dependency>
     </dependencies>

plugin/src/main/java/org/jenkinsci/plugins/workflow/cps/CpsBodyExecution.java

@@ -249,6 +249,9 @@ public boolean cancel(Throwable error) {
             t.getExecution().runInCpsVmThread(new FutureCallback<>() {
                 @Override
                 public void onSuccess(CpsThreadGroup g) {
+                    if (thread == null) {
+                        return;
+                    }
                     // Similar to getCurrentExecutions but we want the raw CpsThread, not a StepExecution; cf. CpsFlowExecution.interrupt
                     Map<FlowHead, CpsThread> m = new LinkedHashMap<>();
                     for (CpsThread t : thread.group.getThreads()) {
@@ -357,6 +360,9 @@ public Next receive(Object o) {
                     sc.onFailure(t);
                 }
             }
+            synchronized (CpsBodyExecution.this) {
+                thread = null;
+            }
             return Next.terminate(null);
         }
 
@@ -377,6 +383,9 @@ public Next receive(Object o) {
                     sc.onFailure(e);
                 }
             }
+            synchronized (CpsBodyExecution.this) {
+                thread = null;
+            }
             return Next.terminate(null);
         }
 

plugin/src/main/java/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinition.java

@@ -24,16 +24,22 @@
 
 package org.jenkinsci.plugins.workflow.cps;
 
+import edu.umd.cs.findbugs.annotations.CheckForNull;
 import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.AbortException;
 import hudson.Extension;
+import hudson.Util;
 import hudson.model.Action;
+import hudson.model.Descriptor;
+import hudson.model.Failure;
 import hudson.model.Item;
 import hudson.model.Job;
 import hudson.model.Queue;
 import hudson.model.Run;
 import hudson.model.TaskListener;
 import hudson.util.FormValidation;
 import hudson.util.StreamTaskListener;
+import jenkins.model.Jenkins;
 import net.sf.json.JSONObject;
 import org.apache.commons.lang.StringUtils;
 import org.jenkinsci.plugins.workflow.cps.persistence.PersistIn;
@@ -43,6 +49,8 @@
 import org.jenkinsci.plugins.workflow.flow.FlowDurabilityHint;
 import org.jenkinsci.plugins.workflow.flow.FlowExecutionOwner;
 import org.jenkinsci.plugins.workflow.flow.GlobalDefaultFlowDurabilityLevel;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
 import org.kohsuke.stapler.AncestorInPath;
 import org.kohsuke.stapler.DataBoundConstructor;
 
@@ -61,6 +69,7 @@
 import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.Stapler;
 import org.kohsuke.stapler.StaplerRequest;
+import org.kohsuke.stapler.StaplerRequest2;
 import org.kohsuke.stapler.interceptor.RequirePOST;
 
 /**
@@ -75,13 +84,14 @@ public class CpsFlowDefinition extends FlowDefinition {
      * @deprecated use {@link #CpsFlowDefinition(String, boolean)} instead
      */
     @Deprecated
-    public CpsFlowDefinition(String script) {
+    public CpsFlowDefinition(String script) throws Descriptor.FormException {
         this(script, false);
     }
 
     @DataBoundConstructor
-    public CpsFlowDefinition(String script, boolean sandbox) {
-        StaplerRequest req = Stapler.getCurrentRequest();
+    public CpsFlowDefinition(String script, boolean sandbox) throws Descriptor.FormException {
+        ScriptApproval.validateSandbox(sandbox);
+        StaplerRequest2 req = Stapler.getCurrentRequest2();
         this.script = sandbox ? script : ScriptApproval.get().configuring(script, GroovyLanguage.get(),
                 ApprovalContext.create().withCurrentUser().withItemAsKey(req != null ? req.findAncestorObject(Item.class) : null), req == null);
         this.sandbox = sandbox;
@@ -138,8 +148,26 @@ public static class DescriptorImpl extends FlowDefinitionDescriptor {
          * @DataBoundSetters have been invoked (rather than in the @DataBoundConstructor), which is why we use Descriptor.newInstance.
          */
         @Override
+        public FlowDefinition newInstance(@NonNull StaplerRequest2 req, @NonNull JSONObject formData) throws FormException {
+            if (Util.isOverridden(FlowDefinitionDescriptor.class, getClass(), "newInstance", StaplerRequest.class, JSONObject.class)) {
+                return newInstance(StaplerRequest.fromStaplerRequest2(req), formData);
+            } else {
+                CpsFlowDefinition cpsFlowDefinition = (CpsFlowDefinition) super.newInstance(req, formData);
+                return newInstanceImpl(cpsFlowDefinition, req, formData);
+            }
+        }
+
+        /**
+         * @deprecated use {@link #newInstance(StaplerRequest2, JSONObject)}
+         */
+        @Deprecated
+        @Override
         public FlowDefinition newInstance(@NonNull StaplerRequest req, @NonNull JSONObject formData) throws FormException {
             CpsFlowDefinition cpsFlowDefinition = (CpsFlowDefinition) super.newInstance(req, formData);
+            return newInstanceImpl(cpsFlowDefinition, StaplerRequest.toStaplerRequest2(req), formData);
+        }
+
+        private FlowDefinition newInstanceImpl(CpsFlowDefinition cpsFlowDefinition, @NonNull StaplerRequest2 req, @NonNull JSONObject formData) {
             if (!cpsFlowDefinition.sandbox && formData.get("oldScript") != null) {
                 String oldScript = formData.getString("oldScript");
                 boolean approveIfAdmin = !StringUtils.equals(oldScript, cpsFlowDefinition.script);
@@ -178,5 +206,10 @@ public JSON doCheckScriptCompile(@AncestorInPath Item job, @QueryParameter Strin
             // Approval requirements are managed by regular stapler form validation (via doCheckScript)
         }
 
+        @Restricted(NoExternalUse.class) // stapler
+        public boolean shouldHideSandbox(@CheckForNull CpsFlowDefinition instance) {
+            return ScriptApproval.shouldHideSandbox(instance, CpsFlowDefinition::isSandbox);
+        }
+
     }
 }