Upgrade commons-beanutils 1.9.4 #827

Merged
merged 1 commit into from
Feb 24, 2021

Conversation

olamy
Member

@olamy olamy commented Feb 23, 2021

Use the latest version of commons-beanutils, as the current one is subject to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114

Signed-off-by: olivier lamy olamy@apache.org
@codecov

codecov bot commented Feb 23, 2021

Codecov Report

Merging #827 (f81abe5) into master (0c1b8d1) will not change coverage.
The diff coverage is n/a.


@@            Coverage Diff            @@
##             master     #827   +/-   ##
=========================================
  Coverage     80.10%   80.10%           
  Complexity     1560     1560           
=========================================
  Files           243      243           
  Lines          5666     5666           
  Branches        422      422           
=========================================
  Hits           4539     4539           
  Misses          970      970           
  Partials        157      157           

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 0c1b8d1...f81abe5. Read the comment docs.

@olamy
Member Author

olamy commented Feb 24, 2021

the failure doesn't look to be related to this change

@uhafner uhafner merged commit 9869a3b into jenkinsci:master Feb 24, 2021
@uhafner
Member

uhafner commented Feb 24, 2021

Thanks!

@uhafner uhafner added the bug Bugs or performance problems label Feb 25, 2021
@olamy olamy deleted the commons-beanutils-1.9.4 branch March 8, 2021 20:41
@olamy
Member Author

olamy commented Mar 22, 2021

@uhafner looking at release 8.10.1 this upgrade has not been included. Do you need a PR on a special branch? Thanks

@uhafner
Member

uhafner commented Mar 22, 2021

Ah, seems that I removed that dependency since the warnings plugin is now based on a different Jenkins core version. During the migration I removed all unnecessary dependencies (and this dependency actually is only a transitive one).

Since the next release of the warnings plugin will not contain digester anymore, I think I need to move that dependency to somewhere else (analysis-model or plugin-util). Is commons-beanutils part of core already? Or are other plugins using this dependency as well?

@olamy
Member Author

olamy commented Mar 22, 2021

commons-beanutils is part of core for sure.
But I'd like to have warnings-ng-plugin without the jar or at least with version 1.9.4.

wget -O plugin.hpi http://repo.jenkins-ci.org/public/io/jenkins/plugins/warnings-ng/8.10.1/warnings-ng-8.10.1.hpi
unzip -l plugin.hpi | grep beanutils
   246174  12-05-2018 11:41   WEB-INF/lib/commons-beanutils-1.9.3.jar

Even if it's not used, some security scanners will see this version, which has a CVE attached, and will flag the .hpi as not secure.
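The `unzip -l | grep beanutils` check above is the one that matters for the scanner argument: what is bundled under WEB-INF/lib, not what the pom declares. The following is an added example (not code from this PR or from the warnings-ng project) that performs the same check in Python and reports whether a plugin archive bundles commons-beanutils below 1.9.4, the version this PR moves to. It builds a constructed in-memory .hpi so it runs offline; `check_hpi_file` is a hypothetical helper for pointing it at a real downloaded .hpi, and the version floor and the WEB-INF/lib path are taken from this thread.

```python
import io
import re
import zipfile

# Version floor from the PR title: anything older is what the scanner flags.
MIN_BEANUTILS = (1, 9, 4)

# Bundled jars live under WEB-INF/lib inside the .hpi (a plain zip), as in the
# unzip listing in this thread: WEB-INF/lib/commons-beanutils-1.9.3.jar
JAR_RE = re.compile(r"^WEB-INF/lib/commons-beanutils-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '1.9.3' into (1, 9, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def bundled_beanutils(hpi_bytes):
    """Return the versions of every commons-beanutils jar bundled under WEB-INF/lib.

    Equivalent to `unzip -l plugin.hpi | grep beanutils`, but structured.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(hpi_bytes)) as hpi:
        for name in hpi.namelist():
            match = JAR_RE.match(name)
            if match:
                found.append(parse_version(match.group(1)))
    return found


def check_hpi(hpi_bytes, minimum=MIN_BEANUTILS):
    """Classify an .hpi as 'absent' (jar not bundled, i.e. excluded or provided
    by core), 'ok' (all bundled copies at or above the floor) or 'outdated'."""
    versions = bundled_beanutils(hpi_bytes)
    if not versions:
        return "absent"
    if all(version >= minimum for version in versions):
        return "ok"
    return "outdated"


def check_hpi_file(path, minimum=MIN_BEANUTILS):
    """Hypothetical convenience wrapper for a downloaded .hpi on disk."""
    with open(path, "rb") as handle:
        return check_hpi(handle.read(), minimum)


def build_fake_hpi(jar_names):
    """Constructed sample: an in-memory .hpi with empty jars under WEB-INF/lib.

    Only the entry names matter for this check, so the jar contents are empty.
    """
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as hpi:
        hpi.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for jar in jar_names:
            hpi.writestr(f"WEB-INF/lib/{jar}", b"")
    return buffer.getvalue()


if __name__ == "__main__":
    samples = {
        "8.10.1-like (bundles 1.9.3)": ["commons-beanutils-1.9.3.jar"],
        "after this PR (bundles 1.9.4)": ["commons-beanutils-1.9.4.jar"],
        "after exclusion (not bundled)": ["commons-lang3-3.11.jar"],
    }
    for label, jars in samples.items():
        print(f"{label}: {check_hpi(build_fake_hpi(jars))}")
```

Running it against a real archive is `check_hpi_file("plugin.hpi")`; the three constructed samples correspond to the three states discussed in this thread: the 8.10.1 release that still ships 1.9.3, the upgrade this PR makes, and the exclusion route where the jar comes from core instead.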

@uhafner
Member

uhafner commented Mar 23, 2021

commons-beanutils is part of core for sure

Then it rather makes sense to exclude that dependency instead of declaring it as an explicit dependency?

@olamy
Member Author

olamy commented Mar 23, 2021

Yup, if you don't use/need it. Just add exclusions.

@olamy
Member Author

olamy commented Mar 24, 2021

@uhafner do you want me to provide a PR targeting master branch for this?

@uhafner
Member

uhafner commented Mar 25, 2021

No, that is not required. I need to merge #842 first. Then the exclusion needs to be made in the analysis-model module and not in the warnings plugin.

@uhafner
Member

uhafner commented Apr 11, 2021

@olamy finally released: https://github.com/jenkinsci/warnings-ng-plugin/releases/tag/v9.0.0
