Update plugins related to 2022-10-19 security advisory; add ionicons-api
#1507
…2.x for compatibility with workflow-cps and pipeline-groovy-lib
sample-plugin/pom.xml
Outdated
<dependency> | ||
<groupId>io.jenkins.plugins</groupId> | ||
<artifactId>ionicons-api</artifactId> | ||
</dependency> |
This is going to fail prep in 2.332.x and 2.319.x lines. Maybe you can add it to the 2.346.x and 2.361.x profiles? But then we would also need to introduce a weekly profile and make sure prep.sh calls that, so a bit bigger change.
Looking at README.md, I think we can just delete the dependency here, since ionicons-api will be picked up transitively via workflow-cps on the appropriate LTS lines. Then we just need to tweak check.groovy to accept the fact that ionicons-api is part of dependencyManagement in 2.332.x and 2.319.x but is not used by the plugin.
See 1e8f8b6.
…check.groovy to allow it to be unused when testing BOM on old LTS lines
@@ -7,7 +7,8 @@ assert artifactMap['junit:junit'] == project.artifactMap['junit:junit'] | |||
def managedPluginDeps = managedDeps.collect {stripAllButGA(it)}.grep { ga -> | |||
def art = artifactMap[ga] | |||
if (art == null) { | |||
if (ga.contains('.plugins')) { // TODO without an Artifact, we have no reliable way of checking whether it is actually a plugin | |||
if (ga.contains('.plugins') // TODO without an Artifact, we have no reliable way of checking whether it is actually a plugin | |||
&& !(ga == 'io.jenkins.plugins:ionicons-api' && settings.activeProfiles.any {it ==~ /^2[.](332|319)[.]x$/})) { // TODO: Remove once 2.332.x is no longer part of the BOM (or if MNG-5600 is fixed and we can exclude this dependency in the BOM for old LTS lines) |
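Review bot: the exemption added on the last line of the hunk only fires when `settings.activeProfiles` contains an id matching `^2[.](332|319)[.]x$`; the Maven `Settings` object reports profiles activated through settings.xml, so if prep.sh activates the 2.332.x and 2.319.x line profiles some other way (for example on the command line) the exemption never applies and the check fails on exactly the lines it is meant to cover. Worth confirming against how prep.sh selects the line profile before merging. Separately, the trailing TODO says to remove this once 2.332.x is dropped, but the regex also covers 2.319.x; either name both lines in the comment or, as suggested below, move the exception into a small plugin-to-line table so the regex does not have to be edited each time a line is retired.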
Seems fine for now. If we need to do this sort of thing regularly we should probably introduce a text file with a list of plugins limited to newer lines.
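As an added example (not the bom repository's own check.groovy or prep.sh), this is one shape the suggested text file and the check that consumes it could take in Groovy: a table of plugin GAs paired with a regex of the BOM line profiles on which the plugin is allowed to be unused, a parser for that table, and the filter that replaces the hardcoded `ionicons-api` condition. The file format, the function names `parseExemptions` and `unusedManagedPlugins`, and the sample inputs are all assumptions; the `.plugins` heuristic and the use of active profile ids are taken from the diff above.

```groovy
import java.util.regex.Pattern

// Constructed sample of the proposed exemption file. One entry per line:
// "<groupId>:<artifactId>  <regex matched against the active BOM line profile id>".
// Blank lines and lines starting with '#' are ignored.
String exemptionsText = '''
# plugin GA                        line profiles on which the plugin may be unused
io.jenkins.plugins:ionicons-api    ^2[.](332|319)[.]x$
'''

// Parse the table into a map of GA -> compiled pattern (hypothetical helper).
Map<String, Pattern> parseExemptions(String text) {
    text.readLines()
        .collect { it.trim() }
        .findAll { it && !it.startsWith('#') }
        .collectEntries { line ->
            def (ga, regex) = line.split(/\s+/, 2)   // split on the first run of whitespace
            [(ga): Pattern.compile(regex)]
        }
}

// Core of the check: managed plugin GAs that the sample plugin did not resolve
// and that are not exempt on the active line. An empty result means the check passes.
List<String> unusedManagedPlugins(List<String> managedDeps, Map<String, ?> artifactMap,
                                  List<String> activeProfiles, Map<String, Pattern> exemptions) {
    managedDeps.findAll { ga ->
        if (artifactMap[ga] != null) return false      // resolved by the sample plugin: fine
        if (!ga.contains('.plugins')) return false     // same heuristic as check.groovy: not a plugin
        Pattern pattern = exemptions[ga]
        boolean exempt = pattern != null && activeProfiles.any { pattern.matcher(it).matches() }
        !exempt                                         // unresolved, plugin-like and not exempt: report it
    }
}

Map<String, Pattern> exemptions = parseExemptions(exemptionsText)

// Constructed inputs: two BOM-managed plugin GAs, and what the sample plugin resolved
// on an old line (ionicons-api absent) versus a recent line (ionicons-api present).
List<String> managed = ['org.jenkins-ci.plugins.workflow:workflow-cps', 'io.jenkins.plugins:ionicons-api']
Map<String, String> resolvedOnOldLine = ['org.jenkins-ci.plugins.workflow:workflow-cps': 'stub-artifact']
Map<String, String> resolvedOnNewLine = resolvedOnOldLine + ['io.jenkins.plugins:ionicons-api': 'stub-artifact']

// Old line: ionicons-api is unresolved but exempt, so nothing is reported.
assert unusedManagedPlugins(managed, resolvedOnOldLine, ['2.332.x'], exemptions) == []
// Recent line without the transitive dependency: the exemption does not match, so it is reported.
assert unusedManagedPlugins(managed, resolvedOnOldLine, ['2.361.x'], exemptions) == ['io.jenkins.plugins:ionicons-api']
// Recent line where workflow-cps pulled ionicons-api in: clean.
assert unusedManagedPlugins(managed, resolvedOnNewLine, ['2.361.x'], exemptions) == []
println 'exemption table check passed'
```

Retiring a line then means deleting or editing one row in the table rather than editing a regex embedded in the script, and a text search for the line name finds the row directly.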
(And now I am curious whether we can do the same for example for instance-identity.)
@@ -7,7 +7,8 @@ assert artifactMap['junit:junit'] == project.artifactMap['junit:junit'] | |||
def managedPluginDeps = managedDeps.collect {stripAllButGA(it)}.grep { ga -> | |||
def art = artifactMap[ga] | |||
if (art == null) { | |||
if (ga.contains('.plugins')) { // TODO without an Artifact, we have no reliable way of checking whether it is actually a plugin | |||
if (ga.contains('.plugins') // TODO without an Artifact, we have no reliable way of checking whether it is actually a plugin | |||
&& !(ga == 'io.jenkins.plugins:ionicons-api' && settings.activeProfiles.any {it ==~ /^2[.](332|319)[.]x$/})) { // TODO: Remove once 2.332.x is no longer part of the BOM (or if MNG-5600 is fixed and we can exclude this dependency in the BOM for old LTS lines) |
or simply
&& !(ga == 'io.jenkins.plugins:ionicons-api' && settings.activeProfiles.any {it ==~ /^2[.](332|319)[.]x$/})) { // TODO: Remove once 2.332.x is no longer part of the BOM (or if MNG-5600 is fixed and we can exclude this dependency in the BOM for old LTS lines) | |
&& ga != 'io.jenkins.plugins:ionicons-api') { // TODO: Remove once 2.332.x is no longer part of the BOM (or if MNG-5600 is fixed and we can exclude this dependency in the BOM for old LTS lines) |
Yeah, I added this defensively before I realized that there was a transitive dependency on ionicons-api because I wanted to make sure that we still verified its inclusion in sample on the recent LTS lines. If you are confident that it will be a long-term dependency of various plugins used by sample, then simplifying this check is probably fine.
confident that it will be a long-term dependency
Not really, but at some point we will drop 2.332.x and be able to delete this exemption as well, so I just thought we could simplify a bit. OTOH the check as written here does textually mention the old line names, making it more likely to appear in a text search when dropping old lines.
The
…r compatibility with pipeline-model-definition
ionicons-api
Can be taken out of draft I think; is there any reason for reservation here?
Should be fine at this point. Previously I was not sure what to do about
Looks like the PCT failed while trying to test
At a glance, it does not seem related to my changes. Should we be connecting to
We should, yes. That plugin’s POM does specify
Does Maven use a different context when looking up the dependencies for Maven plugins or something? Do we need
Oh sorry I missed that it was referring to the Maven extension. Yes this is loaded prior to parsing the POM, so will go to Central. Probably we could override that with a custom settings file. #1508
Replaces #1506, #1504, #1501, and #1496. We have to add ionicons-api, whose oldest version requires Jenkins 2.346.1, and I am not sure how we exclude it from bom-2.332.x and bom-2.319.x (if it is even possible (MNG-5600), and if we even care).