support jcasc and renovate plugin #125
Hi Stefan Spieker, I hope this message finds you well. I wanted to touch base regarding the upcoming deployment of the change you have in this PR. Could you provide an estimated timeline for when we can expect this to be fully deployed? I'm quite excited about the new features. Is there a possibility for me to install a beta version in the meantime? This would allow me to start exploring the new capabilities and provide any early feedback that might be useful. Looking forward to your response and eager to get started with the new enhancements. Best regards,
Hi.
Finally getting to this PR after coming back from the Contributor Summit. Sorry it took so long. I hope you don't mind that I took the liberty of formatting the codebase to make this change easier to review.
Great job cleaning up this very old code! I think adding an HtmlUnit test for the GlobalConfiguration as in the archetype will help flush out and fix the remaining issues and give us confidence in this refactoring.
…uginImpl.java Co-authored-by: Basil Crow <me@basilcrow.com>
…uginImpl.java Co-authored-by: Basil Crow <me@basilcrow.com>
Thanks a lot @basil for all the suggestions! That really helped bring up some confidence that the introduced changes really work. It also helped increase my understanding of how to test within the Jenkins ecosystem. If you have the time, it would be great if you could check if I managed to implement your suggestions correctly. @sbandaru08 You could give it a try, if you like. My tests were quite successful, I will test it on another system before releasing it. So if you want to give it a try, you can grab it from ci.jenkins.io and upload it manually to your instance.
The configuration of the plugin is still on its own page
Thanks a lot, this is a technical debt because of intensive mocking usage. I need to move to JenkinsRule and stop mocking everything. I guess this will also improve the test coverage and improve the tests.
…eal jenkins and not only mock data
@mawinter69 Thanks a lot again. I think I have integrated all your suggestions and have learned quite a few things on the way. I will test this a little more and bring a fresh new version 2 out. @sbandaru08: I think it is now really ready to test, if you like and have the time.
Looks good overall, and interactive testing works fine. Very nice job on renovating this plugin!
The one thing I would suggest before releasing this (I know, there seems to be an endless list of tasks with this plugin) is to get Jenkins Security Scan enabled on trunk and then confirm this PR is not creating any new security warnings. Old plugins like this often have existing security scan warnings, many of them false positives, but with a substantial rewrite like this, it's always worth checking that new problems aren't being introduced, and the security scan is a great way to do that automatically. If we aren't sure about something, we can always ask for a review from the security team before releasing it, which is always better than a security vulnerability being detected after a release!
try { | ||
Files.move(oldConfig.toPath(), newConfig.toPath(), StandardCopyOption.REPLACE_EXISTING); | ||
} catch (IOException e) { | ||
LOGGER.severe( |
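Review bot: `StandardCopyOption.REPLACE_EXISTING` on the `Files.move` call means an already present `newConfig` is overwritten by `oldConfig` without any check, so an instance that has both files loses the contents of the new one. Consider moving only when `newConfig` does not exist yet, and since the `catch` block only calls `LOGGER.severe(`, a failed move leaves both files as they were with nothing but a log line to show for it, so the log message should name both paths.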
Perhaps throw new UncheckedIOException(e); would be more desirable than logging and driving on, following the general principle of failing fast, but no strong preference here.
Co-authored-by: Basil Crow <me@basilcrow.com>
Thanks a lot for your constant improvement suggestions. I already learned a lot about how things work and also understand the plugin a lot better! 😉 I really enjoyed polishing this plugin and will try to contribute some learnings to the documentation. I hope that it might be easier for the next one to work on these things.
Many (but not all) of those "missing POST annotation" or "missing permission check" warnings are false positives: the very detailed guidance from the security team in the security scan results should help you determine whether that is the case. It is possible but rare for the security scan to turn up legitimate existing issues; an example of this was in Email Extension. The main thing to check is that you aren't introducing any new issues in this PR. You should be able to merge the main branch in, and then GitHub Actions should run the security scan against this PR and flag any new issues, if found.
Thanks again @basil! The documentation is great. Since I'm only using the methods for validation of an admin form, I decided that it will not harm to restrict that also to
It looks like you applied the maximum strength fix (requiring POST and adding missing permission checks everywhere) to all security scan warnings, in which case I don't see a need to ask for security team review. Most such checks are probably overkill, but it doesn't hurt. I could see a need for security team review if you were on the fence about whether or not a warning was a false positive, but that doesn't seem to be the case if you've applied the maximum strength fix to all warnings.
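What "requiring POST and adding missing permission checks" looks like on an admin-form validation method, as an added example that is not the plugin's own code. The class name, the method names and the backup-path check are hypothetical stand-ins for the validation methods mentioned above.

```java
import hudson.Extension;
import hudson.util.FormValidation;
import java.io.File;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

// Hypothetical global configuration class, used only for illustration.
@Extension
public class ExampleBackupConfiguration extends GlobalConfiguration {

    // Before: answers GET requests without a permission check, so any caller
    // who can reach the URL learns whether a directory exists on the controller.
    // This is the shape the "missing POST annotation" and
    // "missing permission check" warnings point at.
    public FormValidation doCheckBackupPathUnchecked(@QueryParameter String value) {
        return value != null && new File(value).isDirectory()
                ? FormValidation.ok()
                : FormValidation.warning("Directory does not exist yet.");
    }

    // After: POST only, and the permission check runs before any file-system access.
    @POST
    public FormValidation doCheckBackupPath(@QueryParameter String value) {
        // Throws AccessDeniedException for callers without Overall/Administer.
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);

        if (value == null || value.trim().isEmpty()) {
            return FormValidation.error("Backup path must not be empty.");
        }
        File dir = new File(value);
        if (dir.exists() && !dir.isDirectory()) {
            return FormValidation.error("Path exists but is not a directory.");
        }
        return dir.isDirectory()
                ? FormValidation.ok()
                : FormValidation.warning("Directory does not exist yet.");
    }
}
```

Once the method carries `@POST`, the matching Jelly form field needs `checkMethod="post"` so the browser sends the validation request as a POST.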
Thanks for the renovation. Works fine in our setup.
Very nice! 🎉
Started at Contributor summit. Thanks a lot @basil and @nre-ableton. It was quite some fun doing this with you together. I think I finally managed to get it compatible with JCasC, still some fine-tuning and testing to do ...
So after some iterations it was a quite big renovation, including:
/manage
org.apache.commons.lang.StringUtils usage with native Java calls
This also comes with BREAKING CHANGES:
thinBackup.xml to org.jvnet.hudson.plugins.thinbackup.ThinBackupPluginImpl.xml ) and will be automatically converted after the first start with the new version. The new name complies with the newer naming convention, which was automatically adjusted because of the internal renovation.
Testing done
Submitter checklist