Remove of commons-digester from core

[olamy]

See JENKINS-65161.

Proposed changelog entries

• Remove commons-digester wrapper from core and the dependencies entries as well

Proposed upgrade guidelines

With this change commons-digester will not be anymore provided by core.
Some plugins were using it and pull requests has been made to fix the removal (see the list in this PR).
If you need use commons-digester from a plugin, you can look at this PR (jenkinsci/plasticscm-plugin#40) to understand the change.
Or use this code snippet:

    import org.apache.commons.digester3.Digester;
    ....
    public static Digester createDigester(boolean secure) throws SAXException {
        Digester digester = new Digester();
        if (secure) {
            digester.setXIncludeAware(false);
            try {
                digester.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
                digester.setFeature("http://xml.org/sax/features/external-general-entities", false);
                digester.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
                digester.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            } catch (ParserConfigurationException ex) {
                throw new SAXException("Failed to securely configure xml digester parser", ex);
            }
        }
        return digester;
    }

Corresponding plugin PRs

These plugins were identified using the following approaches:

• Using jenkins-infra/usage-in-plugins looking for hudson.util.Digester2 & org.apache.commons.digester.Digester
• Searching code Jenkinsci GitHub organizations:
  • https://github.com/search?q=jenkinsci+%22org.apache.commons.digester%22&type=Code
  • https://github.com/search?q=jenkinsci+%hudson.util.Digester2%22&type=Code

release status

Legend:
✔️ : Fixed or no need to fix
🛑 : It's not going to be fixed (no maintainer mainly)
❗ : Waiting for something (merge or release)

Status	Plugin	Fix PR and/or status	Number of OSS Installations
✔️	https://github.com/jenkinsci/jelly	only used by RSS Reader and core is producing RSS not reading it	infinity and beyond
✔️	https://github.com/jenkinsci/jenkins-test-harness	Tests only
✔️ 2.14.1	subversion	jenkinsci/subversion-plugin#254	170k
✔️ 2.19	cvs	jenkinsci/cvs-plugin#55	39k
✔️ 0.3.0	maven-info	jenkinsci/maven-info-plugin#9 (last release 7 years ago)	5502
✔️ 4.12.0	clover	jenkinsci/clover-plugin#24	3521
✔️ 1.31	emma	jenkinsci/emma-plugin#11 (last real activity 6 years ago)	3216
✔️ 0.6	cloverphp	jenkinsci/cloverphp-plugin#10 (last activity 6 years ago...)	2,801
✔️ 1.6.7	clearcase	jenkinsci/clearcase-plugin#41	2094
✔️ 2.4.0	teamconcert	jenkinsci/teamconcert-plugin#20 (last activity/release early 2020)	1640
❗ awaiting merge	vs-code-metrics	jenkinsci/vs-code-metrics-plugin#5 (last activity/release 2014)	1435
🛑 (no maintainer)	BlameSubversion	jenkinsci/BlameSubversion-plugin#5 (last activity 8 years ago...)	878
🛑 (no maintainer)	javatest-report	jenkinsci/javatest-report-plugin#4 (last real activity 6 years ago)	440
✔️ 3.6	plasticscm-plugin	jenkinsci/plasticscm-plugin#40 (last release late 2020, recent activity)	284
✔️ 1.7.3	clearcase-ucm	jenkinsci/clearcase-ucm-plugin#5 (last release 2016)	266
✔️ 0.17	vectorcast-coverage	jenkinsci/vectorcast-coverage-plugin#4 (last release in 2021)	206
✔️ 2.3.5	zos-connector	jenkinsci/zos-connector-plugin#13 (recent activity in 2020)	173
🛑 (no maintainer)	vss	jenkinsci/vss-plugin#8 (last release/activity 2011)	168
✔️ 1.10	genexus	jenkinsci/genexus-plugin#15 (activity Sept 2020 & release in April 2020)	149
✔️ 0.9.1	dimensionsscm	jenkinsci/dimensionsscm-plugin#21	113
🛑 (no maintainer)	synergy	jenkinsci/synergy_scm-plugin#17) (last activity 6 years ago)	96
🛑 (no maintainer, needed repo missed)	config-rotator	jenkinsci/config-rotator-plugin#3 (last activity 4 years ago) 🚨 need help from Praqma, as https://code.praqma.net/repo/maven/ no longer exists	62
🛑 (no maintainer)	harvest	jenkinsci/harvest-plugin#5 (last activity 6 years ago)	49
✔️ 0.16	plasticscm-mergebot	jenkinsci/plasticscm-mergebot-plugin#3 (last active/release late 2019)	55
🛑 (no maintainer)	cmvc	jenkinsci/cmvc-plugin#3 (last activity 9 years ago...)	18

Plugins that got suspended

• https://plugins.jenkins.io/svn-release-mgr suspended since https://issues.jenkins-ci.org/browse/INFRA-2487
• https://github.com/jenkinsci/cpptest-plugin suspended since https://issues.jenkins-ci.org/browse/INFRA-2487
• https://github.com/jenkinsci/tfs-plugin suspended since https://issues.jenkins-ci.org/browse/INFRA-2751
• https://github.com/jenkinsci/cflint-plugin (PR-3) suspended since https://issues.jenkins-ci.org/browse/INFRA-2751
• https://github.com/jenkinsci/script-scm-plugin SECURITY-461
• https://github.com/jenkinsci/rtc-plugin (superseded by team-concert)

Never released

• https://github.com/jenkinsci/cocoemma-plugin
• https://github.com/jenkinsci/jwsdp-sqe-plugin
• https://github.com/jenkinsci/pucm-plugin
• https://github.com/jenkinsci/purecm-plugin

Submitter checklist

• (If applicable) Jira issue is well described
• Changelog entries and upgrade guidelines are appropriate for the audience affected by the change (users or developer, depending on the change). Examples
  • Fill-in the Proposed changelog entries section only if there are breaking changes or other changes which may require extra steps from users during the upgrade
• Appropriate autotests or explanation to why this change has no tests
• For dependency updates: links to external changelogs and, if possible, full diffs

Desired reviewers

@mention

Maintainer checklist

Before the changes are marked as ready-for-merge:

• There are at least 2 approvals for the pull request and no outstanding requests for change
• Conversations in the pull request are over OR it is explicit that a reviewer does not block the change
• Changelog entries in the PR title and/or Proposed changelog entries are correct
• Proper changelog labels are set so that the changelog can be generated automatically
• If the change needs additional upgrade steps from users, upgrade-guide-needed label is set and there is a Proposed upgrade guidelines section in the PR title. (example)
• If it would make sense to backport the change to LTS, a Jira issue must exist, be a Bug or Improvement, and be labeled as lts-candidate to be considered (see query).

[olamy]

Still a draft as this need some discussions.
This upgrade need some package changes in commons-digester library but it should be covered as the hudson.util.Digester2 is a wrapper on a top of it.
But I cannot see any usage in core of the class hudson.util.Digester2.
why not simply remove it?

[rsandell]

Have you checked the usage in plugins? I have a hunch that I might have used it somewhere a long time ago :)

[daniel-beck]

why not simply remove it?

Used a lot in plugins, which is why it got a security hardening recently. Please use https://github.com/jenkins-infra/usage-in-plugins to identify uses of APIs you plan to change.

[jglick]

I would rather suggest deprecating Digester2 and maybe detaching it to a split plugin, unless we can kill all plugin references.

[olamy]

Used in 14 plugins:

• https://github.com/jenkinsci/BlameSubversion-plugin (last activity 8 years ago...)
• https://github.com/jenkinsci/clearcase-ucm-plugin (last activity 5 years ago...)
• https://github.com/jenkinsci/cmvc-plugin (last activity 9 years ago)
• https://github.com/jenkinsci/config-rotator-plugin (last activity 4 years ago)
• https://github.com/jenkinsci/cvs-plugin (I didn't know this was still used :) only used in a test class and using only the wrapper so no impact)
• https://plugins.jenkins.io/dimensionsscm/ (only using the wrapper so no impact)
• https://plugins.jenkins.io/genexus/ (only using the wrapper so no impact)
• https://github.com/jenkinsci/maven-info-plugin (last release 7 years ago, easy change)
• https://plugins.jenkins.io/plasticscm-mergebot/ (import previous Digester package so need some package change but easy change)
• https://plugins.jenkins.io/plasticscm-plugin/ (import previous Digester package so need some package change but easy change)
• https://plugins.jenkins.io/subversion/ (import previous Digester package so need some package change but easy change)
• https://github.com/jenkinsci/synergy_scm-plugin (last activity 6 years ago)
• https://github.com/jenkinsci/teamconcert-plugin (only using the wrapper so no impact)
• https://plugins.jenkins.io/zos-connector/ (import previous Digester package so need some package change but easy change)

[daniel-beck]

Digester does not by default prevent XXE vulnerabilities. The recent change in core to Digester2 does, that's the hardening I was referring to in an earlier comment. So unless a plugin already specifically opts out of bad defaults (like CVS), those linked PRs create XXE vulnerabilities.

[olamy]

ok I will fix the PRs but we should remove this from core as we do not use it.

[batmat]

@bitwiseman the table just got updated with latest status a few seconds ago, can you please file a PR to update the JEP-231 with impacted plugins?

Thank you!

[trivalik]

The https://github.com/jenkinsci/tfs-plugin is not suspended see https://issues.jenkins-ci.org/browse/INFRA-2751

[timja]

The jenkinsci/tfs-plugin is not suspended see issues.jenkins-ci.org/browse/INFRA-2751

@trivalik it is until:

In regards to security issues, we just announced more problems with the plugin in https://www.jenkins.io/security/advisory/2021-03-30/ and we require those be addressed before the plugin distribution is restored. I'd be happy to be involved in review to ensure those are properly resolved.

Likely not terribly hard to do, just needs someone to step up and do it

[trivalik]

@timja Are these related to this class https://github.com/jenkinsci/tfs-plugin/blob/master/tfs/src/main/java/hudson/plugins/tfs/model/Server.java?

I provide a pull request for SECURITY-1506 / CVE-2020-2249 jenkinsci/tfs-plugin#244 but nobody is review nor merging it.

[timja]

responded in the tfs plugin PR

[basil]

Causes the test harness to stop compiling against recent cores: ExtractChangeLogParser#parse.

[jglick]

Should be easy enough to fix in the usual way (jenkinsci/subversion-plugin#259).

[basil]

@olamy FYI

[basil]

Causes the test harness to stop compiling against recent cores: ExtractChangeLogParser#parse.

@olamy Do you intend to fix this regression?

[olamy]

@basil yup on it.