
fix(deps): update dependency org.jenkins-ci.plugins.workflow:workflow-cps-global-lib to v588 [security] #5248

Open: wants to merge 1 commit into base: master

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Jan 23, 2025

This PR contains the following updates:

Package: org.jenkins-ci.plugins.workflow:workflow-cps-global-lib
Change: 2.6 -> 588.v576c103a_ff86
Age / Adoption / Passing / Confidence: (badges)

GitHub Vulnerability Alerts

CVE-2022-29047

Multibranch Pipelines by default limit who can change the Pipeline definition from the Jenkinsfile. This is useful for SCMs like GitHub: Jenkins can build content from users without commit access, but who can submit pull requests, without granting them the ability to modify the Pipeline definition. In that case, Jenkins will just use the Pipeline definition in the pull request’s destination branch instead.

In Pipeline: Deprecated Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier the same protection does not apply to uses of the library step with a retriever argument pointing to a library in the current build’s repository and branch (e.g., library(…, retriever: legacySCM(scm))). This allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the library behavior in their pull request, even if the Pipeline is configured to not trust them.

Pipeline: Deprecated Groovy Libraries Plugin 566.vd0a_a_3334a_555 and 2.21.3 aborts library retrieval if the library would be retrieved from the same repository and revision as the current build, and the revision being built is untrusted.

CVE-2022-43405

Pipeline: Groovy Libraries Plugin and older releases of the Pipeline: Deprecated Groovy Libraries Plugin (formerly Pipeline: Shared Groovy Libraries Plugin) define the library Pipeline step, which allows Pipeline authors to dynamically load Pipeline libraries. The return value of this step can be used to instantiate classes defined in the loaded library.

In Pipeline: Groovy Libraries Plugin 612.v84da_9c54906d and earlier and in Pipeline: Deprecated Groovy Libraries Plugin 583.vf3b_454e43966 and earlier, the library step can be used to invoke sandbox-generated synthetic constructors in crafted untrusted libraries and construct any subclassable type. This is similar to SECURITY-582 in the 2017-08-07 security advisory, but in a different plugin.

This vulnerability allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

Pipeline: Groovy Libraries Plugin 613.v9c41a_160233f rejects improper calls to sandbox-generated synthetic constructors when using the library step.

Pipeline: Deprecated Groovy Libraries Plugin 588.v576c103a_ff86 no longer contains the library step. It has been moved into the Pipeline: Groovy Libraries Plugin.

CVE-2022-25174

Jenkins Pipeline: Shared Groovy Libraries Plugin prior to 561.va_ce0de3c2d69, 2.21.1, and 2.18.1 uses the same checkout directories for distinct SCMs for Pipeline libraries, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents.

CVE-2022-25177

Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier follows symbolic links to locations outside of the expected Pipeline library when reading files using the libraryResource step, allowing attackers able to configure Pipelines to read arbitrary files on the Jenkins controller file system.

CVE-2022-25178

Jenkins Pipeline: Shared Groovy Libraries Plugin does not restrict the names of resources passed to the libraryResource step, allowing attackers able to configure Pipelines permission to read arbitrary files on the Jenkins controller file system.

CVE-2019-10357

A missing permission check in Jenkins Pipeline: Shared Groovy Libraries Plugin 2.14 and earlier allowed users with Overall/Read access to obtain limited information about the content of SCM repositories referenced by global libraries.


Release Notes

jenkinsci/workflow-cps-global-lib-plugin (org.jenkins-ci.plugins.workflow:workflow-cps-global-lib)

v588.v576c103a_ff86

Compare Source

This plugin now contains only the old system whereby you could git clone https://jenkins/workflowLibs.git and push changes to a single library to a Git service hosted by Jenkins itself. That system is long since deprecated and rarely used. If you have updated to this version, you should already have the new plugin Pipeline: Groovy Libraries which contains the system of libraries loaded from an SCM of your choice which most people know about and use; assuming you are not using workflowLibs.git, you may now uninstall this plugin (now renamed Pipeline: Deprecated Groovy Libraries).

You may wish to further uninstall Git Server if it is otherwise unused; and in turn SSH Server assuming you are not using the SSH transport for the Jenkins CLI (most people use HTTP or WebSocket transport).

🚨 Removed

v583.vf3b_454e43966

Compare Source

👷 Changes for plugin developers

v581.ve633085a_8a_87

Compare Source

🐛 Bug fixes

v575.v24fa_0a_b_f7383

Compare Source

👷 Changes for plugin developers

📦 Dependency updates

v570.v21311f4951f8

Compare Source

🚀 New features and improvements

📦 Dependency updates

v566.vd0a_a_3334a_555

Compare Source

v564.ve62a_4eb_b_e039

Compare Source

🐛 Bug fixes

  • Fix recent security fixes if JENKINS_HOME or the workspace directory contains a symlink (#139) @dwnusbaum

🚦 Tests

  • Fix tests for recent security fixes for compatibility with Windows and Git plugin 4.10.3 (#139) @dwnusbaum

v561.va_ce0de3c2d69

Compare Source

🐛 Security fixes

📦 Dependency updates

📝 Documentation updates

v552.554.vdba55efb9e88

Compare Source

v544.vff04fa68714d

NOTE: This release accidentally moves Jenkins to 2.304. 545.v7b28cce323cf moves it down to 2.303.1

🐛 Bug fixes

👻 Maintenance

v2.19

Release date: 2021-04-30

  • Developer: Expose LibrariesAction and LibraryRecord to Jenkins' REST API (PR 107)

v2.18

Release date: 2021-02-19

  • Fix: Prevent ConcurrentModificationException from being thrown when serializing LibrariesAction.libraries (JENKINS-41037)
  • Internal: Fix PCT failures related to Git plugin 4.6.0 (PR 104)

v2.17

Release date: 2020-07-20

  • Internal: Remove dependency on commons-lang3 to avoid version conflicts with jenkins-test-harness in downstream projects. (PR 94)
  • Internal: Update minimum required Jenkins version and plugin dependencies. (PR 95)
  • Internal: Fix tests affected by JENKINS-60406 when running against Jenkins 2.222.x or newer. (PR 96)

v2.16

Release date: 2020-03-13

  • Fix: Exclude the contents of src/test/ in shared libraries from being used by Pipelines, as these files were likely only intended to be used in tests for the libraries rather than by Pipelines, and depending on the contents of src/test/, it may be unsafe for those files to be exposed to Pipelines. To restore the previous behavior that allowed access to files in src/test/, pass -Dorg.jenkinsci.plugins.workflow.libs.SCMSourceRetriever.INCLUDE_SRC_TEST_IN_LIBRARIES=true to the java command used to start Jenkins. (PR 91)
  • Fix: Do not bundle JARs from Jenkins Apache HttpComponents Client 4.x API Plugin in this plugin (PR 75)
  • Fix: Trim leading and trailing whitespace when configuration the name or version of a shared library (JENKINS-59527)
  • Improvement: Clarify that if the "Include @Library changes in job recent changes" option is checked, changes to the library will trigger builds of Pipelines that use the library (PR 61)
  • Internal: Migrate wiki content to GitHub (PR 89)
  • Internal: Add tests related to the criteria used to decide if an SCM is modern or legacy (JENKINS-58964)
  • Internal: Update tests to handle behavior changes caused by SECURITY-1713 (PR 90)
  • Internal: Update parent POM (PR 88)
  • Internal: Enable the sandbox consistently in tests (PR 79)
  • Internal: Remove duplicated code (PR 74)

v2.15

Release date: 2019-07-31

v2.14

Release date: 2019-07-11

  • JENKINS-43802 - Make folder-scoped credentials work correctly with shared libraries.
  • JENKINS-44892 - Do not add a UUID parameter when constructing the library step on the Pipeline Syntax page.
  • Fix: (PR 63) - Support for SCM retry count did not retry the checkout attempt for certain kinds of errors when it should have.
  • Internal: (PR 66) - Do not add nullability annotations to primitive types.
  • Internal: (PR 67, PR 70, PR 73) - Dependency and test updates, new integration tests for issues fixed in upstream plugins.

v2.13

Release date: 2019-02-01

  • Fix: (PR 59) - Support for SCM retry count added in 2.12 did not apply to some SCM operations.
  • Internal: (PR 57) - Avoid use of deprecated APIs.
  • Internal: (PR 44, PR 56) - Add additional tests and update tests to run correctly on Windows

v2.12

Release date: 2018-10-02

  • Fix: JENKINS-40109 -
    Make compilation errors in shared libraries serializable so that the
    actual compilation error is reported instead of
    NotSerializableException in some cases.
  • Improvement: Implement support for SCM retry count.

v2.11

Release date: 2018-09-08

  • JENKINS-53485 -
    Fix a file leak introduced in version 2.10 of this plugin affecting
    all uses of the libraryResource step.

v2.10

Release date: 2018-08-21

  • Important: As of this release, the plugin requires Java 8 and
    Jenkins 2.60.3 or newer.
  • JENKINS-52313 -
    Add an optional encoding argument to the libraryResource
    step. Base64 is a supported encoding, and will cause the resource
    to be loaded as a Base64-encoded string, which is useful for copying
    binary resources such as images when combined with Pipeline: Basic
    Steps 2.8.1 or higher.

v2.9

Release date: 2017-09-13

  • JENKINS-41497 -
    allow excluding shared libraries from changelogs (and therefore from
    SCM polling as well) via global configuration option
    and/or @Library(value="some-lib@master", changelog=false).

v2.8

Release date: 2017-04-24

  • Fixing some bugs affecting Windows-based masters (agent platform
    irrelevant):
    • improper handling of CRNL in *.txt global variable help files
    • incorrect display of class names in Replay when using class
      libraries
    • failure of class library access from library step depending on
      filesystem canonicalization

v2.7

Release date: 2017-03-03

  • JENKINS-39450
    Added a library step as a dynamic alternative to @Library used
    since 2.3.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
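Added example, not code from the Renovate PR or from the plugin project: a small Python check that decides, for an installed workflow-cps-global-lib version, which of the advisories quoted in this PR still apply. It assumes that the numeric prefix of a Jenkins plugin version orders releases (the v<hash> suffix is ignored) and that a backport fix such as 2.21.1 covers only its own release line; the fixed and affected versions are those stated in the advisory text above (CVE-2022-25177 and CVE-2022-25178 are left out because the PR text gives no fix version for them).

```python
"""Decide whether an installed workflow-cps-global-lib version is still
exposed to the advisories listed in this PR.

Added example, not part of the Renovate PR or the plugin's own code.
Assumption: the numeric prefix of a Jenkins plugin version orders releases
and a backport fix (2.21.x, 2.18.x) applies only to its own release line.
"""
from dataclasses import dataclass
from typing import Optional


def parse_version(v: str) -> tuple[int, ...]:
    """Numeric prefix of a Jenkins plugin version, e.g.
    '588.v576c103a_ff86' -> (588,), '2.21.3' -> (2, 21, 3),
    '552.554.vdba55efb9e88' -> (552, 554).
    The 'v<git hash>' token carries no ordering information and is dropped."""
    parts = []
    for tok in v.strip().split("."):
        if not tok.isdigit():
            break
        parts.append(int(tok))
    if not parts:
        raise ValueError(f"not a Jenkins plugin version: {v!r}")
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    cve: str
    # First the fix on the main release line, then any backports (2.21.x, 2.18.x)
    fixed_in: tuple[str, ...] = ()
    # Used when the advisory only states "<version> and earlier"
    affected_through: Optional[str] = None


# Versions exactly as stated in the advisory text of this PR.
ADVISORIES = (
    Advisory("CVE-2022-29047", fixed_in=("566.vd0a_a_3334a_555", "2.21.3")),
    Advisory("CVE-2022-43405", fixed_in=("588.v576c103a_ff86",)),
    Advisory("CVE-2022-25174", fixed_in=("561.va_ce0de3c2d69", "2.21.1", "2.18.1")),
    Advisory("CVE-2019-10357", affected_through="2.14"),
)


def is_affected(installed: str, adv: Advisory) -> bool:
    v = parse_version(installed)
    if adv.affected_through is not None:
        return v <= parse_version(adv.affected_through)
    fixes = [parse_version(f) for f in adv.fixed_in]
    # A backport fix only counts for versions on the same release line
    # (same first two components); everything else is compared against
    # the main-line fix, which is listed first.
    same_line = [f for f in fixes[1:] if f[:2] == v[:2]]
    target = same_line[0] if same_line else fixes[0]
    return v < target


def assess(installed: str) -> list[str]:
    """CVE ids from ADVISORIES that still apply to the installed version."""
    return [a.cve for a in ADVISORIES if is_affected(installed, a)]


if __name__ == "__main__":
    # 2.6 is the version this PR replaces; 588.v576c103a_ff86 is its target.
    for ver in ("2.6", "2.18.1", "2.21.1", "588.v576c103a_ff86"):
        print(f"{ver:>20}: {assess(ver) or 'no listed advisories apply'}")
```

Running it shows why the PR bumps straight to 588: the 2.6 currently pinned is behind every fix in the list, while the 2.18.1 and 2.21.1 backports close only CVE-2022-25174 on their own lines and still leave the later advisories open.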

@renovate renovate bot requested a review from a team as a code owner January 23, 2025 16:59