[JENKINS-65161] Remove commons-digester from Core

[jenkins-infra-bot]

Currently commons-digester 2.1 is triggering some security alerts on scanner. 

Digester is not used in core but exposed to some plugins which use it.

With the help of https://github.com/jenkins-infra/usage-in-plugins    we found the class 

• https://github.com/jenkinsci/BlameSubversion-plugin (last activity 8 years ago...)
• https://github.com/jenkinsci/clearcase-ucm-plugin (last activity 5 years ago...)
• https://github.com/jenkinsci/cmvc-plugin (last activity 9 years ago)
• https://github.com/jenkinsci/config-rotator-plugin (last activity 4 years ago)
• https://github.com/jenkinsci/cvs-plugin (I didn't know this was still used only used in a test class and using only the wrapper so no impact) (PR: 
  [JENKINS-65161] remove commons-digester2 from core and upgrade plugins to commons-digester3 cvs-plugin#55)

• https://plugins.jenkins.io/dimensionsscm/ (only using the wrapper so no impact) (PR: [JENKINS-65161] remove digester 2 from core upgrade build to be able to build with java 11 dimensionsscm-plugin#15)
• https://plugins.jenkins.io/genexus/ (only using the wrapper so no impact)
• https://github.com/jenkinsci/maven-info-plugin (last release 7 years ago, easy change)
• https://plugins.jenkins.io/plasticscm-mergebot/ (import previous Digester package so need some package change but easy change) (PR 
  [JENKINS-65161] remove commons-digester2 from core and upgrade plugins to commons-digester3 plasticscm-mergebot-plugin#2)

• https://plugins.jenkins.io/plasticscm-plugin/ (import previous Digester package so need some package change but easy change) (PR 
  [JENKINS-65161] remove commons-digester2 from core and upgrade plugins to commons-digester3 plasticscm-plugin#40 )

• https://plugins.jenkins.io/subversion/ (import previous Digester package so need some package change but easy change) (PR [JENKINS-65161] remove commons-digester2 from core and upgrade plugins to commons-digester3 subversion-plugin#254 )
• https://github.com/jenkinsci/synergy_scm-plugin (last activity 6 years ago) (PR [JENKINS-65161] remove commons-digester2 from core and upgrade plugins to commons-digester3 synergy_scm-plugin#17 )
• https://github.com/jenkinsci/teamconcert-plugin (only using the wrapper so no impact) (PR 
  [JENKINS-65161] remove commons-digester2 from core and upgrade plugins to commons-digester3 teamconcert-plugin#20 )

• https://plugins.jenkins.io/zos-connector/ (import previous Digester package so need some package change but easy change) (PR 
  [JENKINS-65161] remove commons-digester2 from core and upgrade plugins to commons-digester3 zos-connector-plugin#12 )

A draft PR has been opened here #5320  for discussion.

I would personally remove it from core and make some PRs on plugins using it (except very old plugins not anymore maintained)

 

 

---

Originally reported by olamy, imported from: Remove commons-digester from Core

• assignee: olamy
• status: In Progress
• priority: Major
• component(s): core
• resolution: Unresolved
• votes: 0
• watchers: 3
• imported: 2025-11-24

Raw content of original issue

Currently commons-digester 2.1 is triggering some security alerts on scanner. 

Digester is not used in core but exposed to some plugins which use it.

With the help of https://github.com/jenkins-infra/usage-in-plugins    we found the class 

	
https://github.com/jenkinsci/BlameSubversion-plugin (last activity 8 years ago...)
	
https://github.com/jenkinsci/clearcase-ucm-plugin (last activity 5 years ago...)
	
https://github.com/jenkinsci/cmvc-plugin (last activity 9 years ago)
	
https://github.com/jenkinsci/config-rotator-plugin (last activity 4 years ago)
	
https://github.com/jenkinsci/cvs-plugin (I didn't know this was still used  only used in a test class and using only the wrapper so no impact) (PR: 
 [JENKINS-65161] remove commons-digester2 from core and upgrade plugins to commons-digester3 cvs-plugin#55)




	
https://plugins.jenkins.io/dimensionsscm/ (only using the wrapper so no impact) (PR: [JENKINS-65161] remove digester 2 from core upgrade build to be able to build with java 11 dimensionsscm-plugin#15)
	
https://plugins.jenkins.io/genexus/ (only using the wrapper so no impact)
	
https://github.com/jenkinsci/maven-info-plugin (last release 7 years ago, easy change)
	
https://plugins.jenkins.io/plasticscm-mergebot/ (import previous Digester package so need some package change but easy change) (PR 
 [JENKINS-65161] remove commons-digester2 from core and upgrade plugins to commons-digester3 plasticscm-mergebot-plugin#2)




	
https://plugins.jenkins.io/plasticscm-plugin/ (import previous Digester package so need some package change but easy change) (PR 
 [JENKINS-65161] remove commons-digester2 from core and upgrade plugins to commons-digester3 plasticscm-plugin#40 )




	
https://plugins.jenkins.io/subversion/ (import previous Digester package so need some package change but easy change) (PR [JENKINS-65161] remove commons-digester2 from core and upgrade plugins to commons-digester3 subversion-plugin#254 )
	
https://github.com/jenkinsci/synergy_scm-plugin (last activity 6 years ago) (PR [JENKINS-65161] remove commons-digester2 from core and upgrade plugins to commons-digester3 synergy_scm-plugin#17 )
	
https://github.com/jenkinsci/teamconcert-plugin (only using the wrapper so no impact) (PR 
 [JENKINS-65161] remove commons-digester2 from core and upgrade plugins to commons-digester3 teamconcert-plugin#20 )




	
https://plugins.jenkins.io/zos-connector/ (import previous Digester package so need some package change but easy change) (PR 
[JENKINS-65161] remove commons-digester2 from core and upgrade plugins to commons-digester3 zos-connector-plugin#12 )



A draft PR has been opened here #5320  for discussion.

I would personally remove it from core and make some PRs on plugins using it (except very old plugins not anymore maintained)

 

 

[jenkins-infra-bot]

oleg_nenashev:

• Original comment link
• Raw content of original comment:

  No objections from me. All plugins are ether barely used or easily patchable 
  

No objections from me. All plugins are ether barely used or easily patchable 

[jenkins-infra-bot]

olamy:

• Original comment link
• Raw content of original comment:

  PR Remove of commons-digester from core #5320 see dependant PRs as well 
  

PR #5320 see dependant PRs as well