Issue
As per JEP-228’s abstract, the XStream serialization library is used to convert most of Jenkins and CloudBees CI’s configuration to and from XML. The XStream library was forked at the outset of Jenkins back when it was called Hudson. It has now been migrated back to the commonly maintained open source version of XStream. Full technical details are available at JEP-228: Unforking XStream.
Why is this Important?
Having severely out-of-date libraries in our code base triggers serious warnings during security scans. Moving away from the forked version of this library allows us to benefit from OSS contributions, which improve things like the functionality, performance and security profile of the feature.
What would an error look like?
A typical effect would be that existing settings would not be interpreted during load from a config.xml and they would be displayed in Manage Jenkins -> Manage Old Data instead. If the configuration for that item was saved in this state, the settings might be written in a slightly different format which can be read back by the plugin running in the new version of Jenkins, but not by the plugin running in the old version of Jenkins, or by the corrected plugin, hence essentially the config.xml data could be considered corrupted. A stack trace with NoSuchMethodError may be thrown for HierarchicalStreamReader.peekNextChild.
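To see which classes trigger this error after an upgrade, the controller log can be searched for the NoSuchMethodError on HierarchicalStreamReader.peekNextChild and the first stack frame after it. The following Python script is an added example, not CloudBees or Jenkins code; the log lines and the org.example class names in it are constructed.

```python
import re

# Markers taken from the article: the error type and the missing method.
ERROR = "NoSuchMethodError"
METHOD = "HierarchicalStreamReader.peekNextChild"
# Java stack frame: "<tab>at package.Class.method(File.java:NN)"; group 1 is the class.
FRAME = re.compile(r"^\s+at\s+([\w.$]+)\.[\w$<>]+\(")

# Constructed sample log; the org.example classes are hypothetical, not a real plugin.
SAMPLE_LOG = """\
2021-03-10 09:14:02.101+0000 [id=32] INFO jenkins.InitReactorRunner$1#onAttained: Loaded all jobs
2021-03-10 09:14:05.440+0000 [id=45] WARNING hudson.model.Items#load: failed to load item
java.lang.NoSuchMethodError: com.thoughtworks.xstream.io.HierarchicalStreamReader.peekNextChild()Ljava/lang/String;
\tat org.example.sampleplugin.SampleConverter.unmarshal(SampleConverter.java:58)
\tat com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)
2021-03-10 09:14:06.000+0000 [id=45] INFO hudson.WebAppMain$3#run: Jenkins is fully up and running
java.lang.NoSuchMethodError: com.example.Other.method()V
\tat org.example.unrelated.Thing.run(Thing.java:10)
"""


def find_incompatible_callers(log_text):
    """Return {calling class: occurrences} for each peekNextChild NoSuchMethodError.

    The first stack frame under the error line is the code that called the
    method missing from unforked XStream, i.e. the class that needs an update.
    Other NoSuchMethodError entries are ignored.
    """
    callers = {}
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        if ERROR in line and METHOD in line:
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            m = FRAME.match(nxt)
            # Truncated traces still get counted, under a placeholder key.
            caller = m.group(1) if m else "<no stack frame>"
            callers[caller] = callers.get(caller, 0) + 1
    return callers


if __name__ == "__main__":
    for cls, count in sorted(find_incompatible_callers(SAMPLE_LOG).items()):
        print(f"{count}x {cls}")
```

The package prefix of each reported class indicates which plugin to check against the compatibility table.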
Environment
- CloudBees CI (CloudBees Core) - version 2.277.1.2
- CloudBees CI (CloudBees Core) on modern cloud platforms - Managed controller - version 2.277.1.2
- CloudBees CI (CloudBees Core) on modern cloud platforms - Operations Center - version 2.277.1.2
- CloudBees CI (CloudBees Core) on traditional platforms - Client controller - version 2.277.1.2
- CloudBees CI (CloudBees Core) on traditional platforms - Operations Center - version 2.277.1.2
- Jenkins LTS - version 2.277.1
Resolution
Many plugins have already been updated to be compatible with this change. If you are using any of the plugins on this list, ensure you upgrade them to at least the version listed in the table below before upgrading your Jenkins version: https://github.com/jenkinsci/jep/blob/master/jep/228/compatibility.adoc
If you are using a plugin that is not yet updated to be compatible, you could work to remove your usage of the plugin (for example, in a Pipeline build, is there a command line API you could call from a sh step instead of using a plugin?), migrate to another plugin with similar or equivalent functionality that is updated, or check if there is an active plugin maintainer who could help. Clients can contact CloudBees Support with any questions about this. We also offer an Assisted Upgrade program to help you with your upgrade planning and testing.