fix(deps): update dependency org.jenkins-ci.plugins.workflow:workflow-cps-global-lib to v588 [security] #5248
This PR contains the following updates:
org.jenkins-ci.plugins.workflow:workflow-cps-global-lib: 2.6 -> 588.v576c103a_ff86
GitHub Vulnerability Alerts
CVE-2022-29047
Multibranch Pipelines by default limit who can change the Pipeline definition from the Jenkinsfile. This is useful for SCMs like GitHub: Jenkins can build content from users without commit access, but who can submit pull requests, without granting them the ability to modify the Pipeline definition. In that case, Jenkins will just use the Pipeline definition in the pull request’s destination branch instead.
In Pipeline: Deprecated Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier the same protection does not apply to uses of the library step with a retriever argument pointing to a library in the current build’s repository and branch (e.g., library(…, retriever: legacySCM(scm))). This allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the library behavior in their pull request, even if the Pipeline is configured to not trust them.
Pipeline: Deprecated Groovy Libraries Plugin 566.vd0a_a_3334a_555 and 2.21.3 aborts library retrieval if the library would be retrieved from the same repository and revision as the current build, and the revision being built is untrusted.
CVE-2022-43405
Pipeline: Groovy Libraries Plugin and older releases of the Pipeline: Deprecated Groovy Libraries Plugin (formerly Pipeline: Shared Groovy Libraries Plugin) define the library Pipeline step, which allows Pipeline authors to dynamically load Pipeline libraries. The return value of this step can be used to instantiate classes defined in the loaded library.
In Pipeline: Groovy Libraries Plugin 612.v84da_9c54906d and earlier and in Pipeline: Deprecated Groovy Libraries Plugin 583.vf3b_454e43966 and earlier, the library step can be used to invoke sandbox-generated synthetic constructors in crafted untrusted libraries and construct any subclassable type. This is similar to SECURITY-582 in the 2017-08-07 security advisory, but in a different plugin.
This vulnerability allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed Pipelines to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
Pipeline: Groovy Libraries Plugin 613.v9c41a_160233f rejects improper calls to sandbox-generated synthetic constructors when using the library step. Pipeline: Deprecated Groovy Libraries Plugin 588.v576c103a_ff86 no longer contains the library step. It has been moved into the Pipeline: Groovy Libraries Plugin.
CVE-2022-25174
Jenkins Pipeline: Shared Groovy Libraries Plugin prior to 561.va_ce0de3c2d69, 2.21.1, and 2.18.1 uses the same checkout directories for distinct SCMs for Pipeline libraries, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents.
CVE-2022-25177
Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier follows symbolic links to locations outside of the expected Pipeline library when reading files using the libraryResource step, allowing attackers able to configure Pipelines to read arbitrary files on the Jenkins controller file system.
CVE-2022-25178
Jenkins Pipeline: Shared Groovy Libraries Plugin does not restrict the names of resources passed to the libraryResource step, allowing attackers with permission to configure Pipelines to read arbitrary files on the Jenkins controller file system.
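The two libraryResource issues above (symlinks followed out of the library directory, and unrestricted resource names) come down to one missing containment check. The following Python is added here as an illustration and is not the plugin's own Java code: it shows the check a defender expects, a lexical rejection of traversal in the resource name followed by a comparison of the symlink-resolved target against the resolved library root. The directory layout, file contents and function names are constructed for this example.

```python
"""Containment check for library resource lookups (added example, not plugin code).

Two independent checks, mirroring the two advisories above:
1. Lexical: the resource name must be relative and free of '..', so a
   crafted name is rejected before the filesystem is touched.
2. Physical: after symlinks are resolved, the target must still lie under
   the resolved library root, so a symlink planted inside the library
   cannot point at files elsewhere on the controller.
"""
import os
import tempfile
from pathlib import Path, PurePosixPath


class ResourceAccessError(ValueError):
    """Raised when a resource name would escape the library directory."""


def resolve_library_resource(library_root: Path, name: str) -> Path:
    """Return the real path of `name` inside `library_root`, or raise.

    Raises ResourceAccessError for names that escape the root and
    FileNotFoundError for names that point at nothing.
    """
    rel = PurePosixPath(name)
    # Check 1: only plain relative names; pathlib already collapses '.' and '//'.
    if not name or "\\" in name or rel.is_absolute() or not rel.parts:
        raise ResourceAccessError(f"resource name must be a relative path: {name!r}")
    if ".." in rel.parts:
        raise ResourceAccessError(f"resource name may not contain '..': {name!r}")
    # Check 2: resolve both sides (follows symlinks) and require containment.
    root_real = library_root.resolve(strict=True)
    candidate = (root_real / rel.as_posix()).resolve(strict=True)
    try:
        candidate.relative_to(root_real)
    except ValueError:
        raise ResourceAccessError(f"resource resolves outside the library: {name!r}")
    if not candidate.is_file():
        raise ResourceAccessError(f"resource is not a regular file: {name!r}")
    return candidate


def build_fixture() -> Path:
    """Create a constructed library layout in a temp dir; return its resources dir.

    Layout (constructed for this example):
      <tmp>/library/resources/config/app.json    legitimate resource
      <tmp>/outside/secret.txt                   file that must stay unreadable
      <tmp>/library/resources/escape.txt         symlink to outside/secret.txt
    """
    tmp = Path(tempfile.mkdtemp(prefix="libres-"))
    resources = tmp / "library" / "resources"
    (resources / "config").mkdir(parents=True)
    (resources / "config" / "app.json").write_text('{"debug": false}\n')
    outside = tmp / "outside"
    outside.mkdir()
    (outside / "secret.txt").write_text("controller secret\n")
    try:
        os.symlink(outside / "secret.txt", resources / "escape.txt")
    except (OSError, NotImplementedError):
        pass  # platform without symlink support; that case then reports "missing"
    return resources


def classify(resources: Path, name: str) -> str:
    """Summarise the outcome of a lookup as 'ok:<relative path>', 'rejected' or 'missing'."""
    try:
        target = resolve_library_resource(resources, name)
    except ResourceAccessError:
        return "rejected"
    except FileNotFoundError:
        return "missing"
    return "ok:" + target.relative_to(resources.resolve()).as_posix()


def demo() -> dict:
    """Run the check over legitimate and hostile names (all constructed)."""
    resources = build_fixture()
    names = [
        "config/app.json",                     # legitimate
        "./config/app.json",                   # legitimate, normalised form
        "../../outside/secret.txt",            # traversal in the name
        "/etc/hostname",                       # absolute path
        "config/../../../outside/secret.txt",  # traversal hidden after a valid prefix
        "escape.txt",                          # symlink leading out of the tree
    ]
    return {n: classify(resources, n) for n in names}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:40} {outcome}")
```

The lexical check alone would have stopped the unrestricted-name issue but not the symlink issue, and the physical check alone would catch both only if nothing earlier in the call chain trusts the unresolved path; keeping both makes the rejection cheap and the reason obvious in logs.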
CVE-2019-10357
A missing permission check in Jenkins Pipeline: Shared Groovy Libraries Plugin 2.14 and earlier allowed users with Overall/Read access to obtain limited information about the content of SCM repositories referenced by global libraries.
Release Notes
jenkinsci/workflow-cps-global-lib-plugin (org.jenkins-ci.plugins.workflow:workflow-cps-global-lib)
v588.v576c103a_ff86
Compare Source
This plugin now contains only the old system whereby you could git clone https://jenkins/workflowLibs.git and push changes to a single library to a Git service hosted by Jenkins itself. That system is long since deprecated and rarely used. If you have updated to this version, you should already have the new plugin Pipeline: Groovy Libraries, which contains the system of libraries loaded from an SCM of your choice which most people know about and use; assuming you are not using workflowLibs.git, you may now uninstall this plugin (now renamed Pipeline: Deprecated Groovy Libraries). You may wish to further uninstall Git Server if it is otherwise unused, and in turn SSH Server assuming you are not using the SSH transport for the Jenkins CLI (most people use HTTP or WebSocket transport).
🚨 Removed
v583.vf3b_454e43966
👷 Changes for plugin developers
v581.ve633085a_8a_87
🐛 Bug fixes
v575.v24fa_0a_b_f7383
👷 Changes for plugin developers
LibraryMemoryTest#loaderReleased fails on Java 17 when support-core is present (#163) @basil
📦 Dependency updates
v570.v21311f4951f8
🚀 New features and improvements
📦 Dependency updates
v566.vd0a_a_3334a_555
v564.ve62a_4eb_b_e039
🐛 Bug fixes
🚦 Tests
v561.va_ce0de3c2d69
🐛 Security fixes
(ace0de3)
📦 Dependency updates
📝 Documentation updates
v552.554.vdba55efb9e88
v544.vff04fa68714d
NOTE: This release accidentally moves Jenkins to 2.304. 545.v7b28cce323cf moves it down to 2.303.1
🐛 Bug fixes
👻 Maintenance
SCMSourceRetriever leaks @libs workspaces (#115) @basil
v2.19
Release date: 2021-04-30
v2.18
Release date: 2021-02-19
Prevent ConcurrentModificationException from being thrown when serializing LibrariesAction.libraries (JENKINS-41037)
v2.17
Release date: 2020-07-20
commons-lang3 to avoid version conflicts with jenkins-test-harness in downstream projects. (PR 94)
v2.16
Release date: 2020-03-13
Prevent files in src/test/ in shared libraries from being used by Pipelines, as these files were likely only intended to be used in tests for the libraries rather than by Pipelines, and depending on the contents of src/test/, it may be unsafe for those files to be exposed to Pipelines. To restore the previous behavior that allowed access to files in src/test/, pass -Dorg.jenkinsci.plugins.workflow.libs.SCMSourceRetriever.INCLUDE_SRC_TEST_IN_LIBRARIES=true to the java command used to start Jenkins. (PR 91)
v2.15
Release date: 2019-07-31
v2.14
Release date: 2019-07-11
- Make folder-scoped credentials work correctly with shared libraries.
- Do not add a UUID parameter when constructing the library step on the Pipeline Syntax page. (PR 63)
- Support for SCM retry count did not retry the checkout attempt for certain kinds of errors when it should have. (PR 66)
- Do not add nullability annotations to primitive types. (PR 67, PR 70, PR 73)
- Dependency and test updates, new integration tests for issues fixed in upstream plugins.
v2.13
Release date: 2019-02-01
- (PR 59)
- Support for SCM retry count added in 2.12 did not apply to some SCM operations. (PR 57)
- Avoid use of deprecated APIs. (PR 44, PR 56)
- Add additional tests and update tests to run correctly on Windows
v2.12
Release date: 2018-10-02
Make compilation errors in shared libraries serializable so that the actual compilation error is reported instead of a NotSerializableException in some cases.
v2.11
Release date: 2018-09-08
Fix a file leak introduced in version 2.10 of this plugin affecting all uses of the libraryResource step.
v2.10
Release date: 2018-08-21
Requires Jenkins 2.60.3 or newer.
Add an optional encoding argument to the libraryResource step. Base64 is a supported encoding, and will cause the resource to be loaded as a Base64-encoded string, which is useful for copying binary resources such as images when combined with Pipeline: Basic Steps 2.8.1 or higher.
v2.9
Release date: 2017-09-13
Allow excluding shared libraries from changelogs (and therefore from SCM polling as well) via global configuration option and/or @Library(value="some-lib@master", changelog=false).
v2.8
Release date: 2017-04-24
irrelevant):
*.txt global variable help files
libraries
library step depending on filesystem canonicalization
v2.7
Release date: 2017-03-03
Added a library step as a dynamic alternative to @Library used since 2.3.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.