Bump snakeyaml from 1.33 to 2.0 #75
2.0 is a potentially breaking change to consumers as some constructors have been removed.
Need to ensure that the removed code is not being used by any consumers before this is upgraded.
Force-pushed from 3d85939 to b67df79.
Hi @jtnord
https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&%20NIST.md There is no vulnerability in snakeyaml - it works as expected - the vulnerability is in any libraries that use it insecurely with untrusted data. The Jenkins plugin ecosystem has been checked for this usage. Additionally, as commented above, 2.0 is potentially breaking, so this needs some time to check that all consumers will not break and to adjust them as appropriate.
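Added example, not code from this PR or from the plugin: the safe-use pattern the comment above refers to, written against the SnakeYAML 2.0 API. Untrusted text is loaded through SafeConstructor with bounded LoaderOptions, so only standard YAML types (maps, lists, scalars) can be built, and a document carrying a global tag is rejected rather than instantiated. The class name inside the tag and the limit values are constructed placeholders.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/** Added example: loading untrusted YAML with SnakeYAML 2.0 without the default Constructor. */
public final class UntrustedYamlLoader {

    /** Limits are constructed for this example; choose them per input size. */
    private static LoaderOptions hardenedOptions() {
        LoaderOptions options = new LoaderOptions();
        options.setAllowDuplicateKeys(false);     // ambiguous documents fail instead of last-key-wins
        options.setMaxAliasesForCollections(50);  // bounds alias expansion (the "billion laughs" shape)
        options.setNestingDepthLimit(50);         // bounds recursion on deeply nested input
        options.setCodePointLimit(1024 * 1024);   // bounds document size (1 MiB of code points)
        return options;
    }

    /** SafeConstructor knows only the standard YAML tags; any other global tag fails to construct. */
    public static Object load(String untrustedYaml) {
        Yaml yaml = new Yaml(new SafeConstructor(hardenedOptions()));
        return yaml.load(untrustedYaml);
    }

    public static void main(String[] args) {
        // Constructed input: plain configuration data, accepted and returned as Map/List/String.
        Object config = load("name: demo\nreplicas: 3\nlabels: [a, b]\n");
        System.out.println("parsed: " + config);

        // Constructed input: a global tag asking the loader to instantiate an application class.
        // The class name is a placeholder; SafeConstructor rejects any such tag regardless of name.
        String tagged = "handler: !!com.example.PlaceholderType {}\n";
        try {
            load(tagged);
            System.out.println("unexpected: tagged document accepted");
        } catch (YAMLException e) {
            System.out.println("rejected tagged document: " + e.getMessage());
        }
    }
}
```

The first document round-trips to ordinary collections; the second raises a YAMLException (a ConstructorException or, under 2.0's tag inspection, a ComposerException) before any application class is touched. This is the difference between "snakeyaml works as expected" and a consumer feeding untrusted data to the unrestricted Constructor.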
Force-pushed from b67df79 to 1642e22.
Force-pushed from 1642e22 to f142114.
The ConfigurationAsCodeTest in the plugin bill of materials fails with a no such method error when snakeyaml is updated to the incremental build from this pull request.
The configuration as code automated tests will need adaptation before they are ready for snakeyaml 2.0.
Bumps [snakeyaml](https://bitbucket.org/snakeyaml/snakeyaml) from 1.33 to 2.0.
- [Commits](https://bitbucket.org/snakeyaml/snakeyaml/branches/compare/snakeyaml-2.0..snakeyaml-1.33)
---
updated-dependencies:
- dependency-name: org.yaml:snakeyaml
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Force-pushed from f142114 to 5c28c7c.
The production code will need some fixes also.
The following proprietary plugins should be tested as well:
Might need a release of fabric8io/kubernetes-client#5098 and a corresponding upgrade in https://github.com/jenkinsci/kubernetes-client-api-plugin as well.
@basil the PR you linked to is now included: https://github.com/fabric8io/kubernetes-client/releases/tag/v6.7.0
https://github.com/jenkinsci/scm-filter-jervis-plugin/ will be broken by SnakeYAML 2.0 due to how it uses Representer without being constructed with DumperOptions. I've updated the upstream library: samrocketman/jervis@40b76c2. I am currently working on converting scm-filter-jervis-plugin from gradle to maven so that it can use automated plugin release. I plan to release the update for jervis to maven central once this project is onboarded to maven automatic releases.
- Requires latest Jenkins.
- Packages Jervis 1.7 (same as old version).
- Update license copyright to 2023.
- Convert from building with Gradle to Maven.
- Update plugin for continuous automated release.
- Use GMavenPlus to compile groovy.
- Targets Java 1.8 bytecode.
- Reduce size of plugin by relying on other Jenkins plugins instead of packaging libraries for bouncy castle and snakeyaml.
- Update README and plugin docs with terminology updates for accuracy.
This release is vulnerable to breakage in the future by a dependency: jenkinsci/snakeyaml-api-plugin#75
See also:
- https://www.jenkins.io/doc/developer/publishing/releasing-cd/
Jervis centralized all YAML usage in order to save time fixing YAML parsing.
See also:
- [`YamlOperator`][1].
- jenkinsci/snakeyaml-api-plugin#75
[1]: https://github.com/samrocketman/jervis/blob/jervis-2.0/src/main/groovy/net/gleske/jervis/tools/YamlOperator.groovy
scm-filter-jervis successfully patched. It might be worthwhile to centralize common YAML parsing operations plugins might use within this plugin to expose a plugin API for YAML. Jervis used to use snakeyaml in several classes and since centralizing it, it has been easy to react to breaking changes.
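Added example, not jervis's YamlOperator and not code from this PR: one class in which a plugin builds all of its SnakeYAML objects the 2.0 way, so that the constructor removals discussed in this thread (Representer now requiring DumperOptions, SafeConstructor now requiring LoaderOptions) are handled in a single place rather than in every class that touches YAML. The class name PluginYaml and the option values are assumptions; the API calls are the SnakeYAML 2.0 ones.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;
import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.representer.Representer;

/**
 * Added example (hypothetical name): the only place in a plugin that constructs SnakeYAML objects.
 * Consumers call load()/dump() and never see Representer, DumperOptions or LoaderOptions.
 */
public final class PluginYaml {

    private final Yaml yaml;

    public PluginYaml() {
        // Loader side: untrusted input is only ever built into standard YAML types.
        LoaderOptions loader = new LoaderOptions();
        loader.setAllowDuplicateKeys(false);
        loader.setMaxAliasesForCollections(50); // constructed limit for this example

        // Dumper side: options must exist before the Representer, because SnakeYAML 2.0
        // removed the no-arg Representer constructor that 1.x code such as
        // `new Representer()` relied on (the breakage described for scm-filter-jervis).
        DumperOptions dumper = new DumperOptions();
        dumper.setDefaultFlowStyle(DumperOptions.FlowStyle.BLOCK);
        dumper.setPrettyFlow(true);
        Representer representer = new Representer(dumper);

        // SafeConstructor(LoaderOptions) likewise replaces the removed no-arg form.
        this.yaml = new Yaml(new SafeConstructor(loader), representer, dumper);
    }

    /** Parse YAML text into maps, lists and scalars only. */
    public Object load(String text) {
        return yaml.load(text);
    }

    /** Serialise plain collections back to block-style YAML. */
    public String dump(Object data) {
        return yaml.dump(data);
    }

    public static void main(String[] args) {
        PluginYaml op = new PluginYaml();

        // Constructed sample configuration, written as plain collections (Java 8 compatible).
        Map<String, Object> cfg = new LinkedHashMap<>();
        cfg.put("name", "demo");
        cfg.put("labels", Arrays.asList("a", "b"));

        String text = op.dump(cfg);
        System.out.print(text);

        Object back = op.load(text);
        System.out.println("round-trip equal: " + cfg.equals(back));
    }
}
```

When the next major SnakeYAML release changes another constructor, only this class needs to change, which is the benefit the comment above reports from centralising YAML handling in jervis. Because loading always goes through SafeConstructor here, the "untrusted data" concern from earlier in the thread is also settled once, for every caller.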
I think we are good to go on this, any concerns @jtnord?
The k8s plugins (this will require a bump in some consumers of this plugin) need to be updated and the maintainer is on his holidays at the moment.
Superseded by #94.
@olamy mentions that jenkinsci/blueocean-plugin#2472 is needed to be in a release as well.
Bumps snakeyaml from 1.33 to 2.0.
Commits
- c98ffba issue 561: add negative test case
- e2ca740 Use Maven wrapper on github
- 49d91a1 Fix target for github
- 19e331d Disable toolchain for github
- 42c7812 Cobertura plugin does not work
- 03c82b5 Rename GlobalTagRejectionTest to be run by Maven
- 6e8cd89 Remove cobertura
- d9b0f48 Improve Javadoc
- 519791a Run install and site goals under docker
- 82f33d2 Merge branch 'master' into add-module-info
You can trigger a rebase of this PR by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)