CloudBees CD/RO v2024.03.0

Upgraded com.squareup.okio:okio-jvm to version 3.6.0 to address vulnerability.

Upgraded org.json:json library to v20231013 for improved security.

Upgraded the xmlsec library to v2.3.4.

Upgraded Netty library to version 4.1.104.Final to address multiple vulnerabilities.

In previous releases of CloudBees CD/RO, a vulnerability related to curl and a possible path traversal exploit was detected and has been resolved.

PDK v4.0.2 has been released. This PDK version includes an updated SnakeYAML, which addresses previous vulnerabilities. For more information, refer to the PDK release notes.

HTTP Strict Transport Security (HSTS) headers are now active by default in the CloudBees CD/RO Apache web server.

Java has been updated from v17.0.7 to v17.0.9.

Improved XML processing to help mitigate potential denial of service scenarios.

Enhanced HTML parsing for internal libraries to help prevent potential memory overflow issues and improve handling of malformed markup.

Upgraded Logback library to v1.4.14 to address multiple vulnerabilities.

Upgraded the spring-core for enhanced request handling.

The jose4j library has been removed for security reasons.

Upgraded Elasticsearch to v7.17.16.

Removed org.apache.directory.server:apacheds-kerberos-codec, and associated KerberosKeytab API support.

BouncyCastle, a critical cryptography library, was upgraded to resolve security vulnerabilities.

The following CloudBees CD/RO third-party libraries have been updated:

Updated handling of HTTP requests that contain unsanitized data to reduce the risk of data exposure.

Updated Spring framework from v6.1.2 to v6.1.3 and Spring Boot Maven Plugin from v3.2.1 to v3.2.2.

Apache ActiveMQ-Artemis was updated to address a vulnerability that could allow remote code execution.

Starting in CloudBees CD/RO v2024.03.0, you can specify the IP protocol CloudBees CD/RO components use as part of Kubernetes environments. For more information, refer to Configure IP protocol for Helm chart components.

Starting in CloudBees CD/RO v2024.03.0, DSL Git Synchronization is now available for installation as part of the standard CloudBees CD/RO Tools. For installation instructions, refer to the CloudBees Tools installation.

MariaDB Java connection client/driver has been updated to v3.3.0.

Implemented additional validation checks to confirm resources and workspaces targeted for cleanup are enabled and exist. A new post-processor is now included to capture and signal warnings that may occur during the cleanup process.

Examples of CloudBees CD/RO demo and production installations have been added for GKE clusters. For more information, refer to CloudBees CD/RO examples GitHub repository.

OpenShift and ROSA v4.14 have been tested and are supported for CloudBees CD/RO v2024.03.0 running on Kubernetes v1.27. For more information on supported versions, refer to Supported platforms for CloudBees CD/RO on Kubernetes.

Now you can cycle through ascending, descending, and default sorting states directly on list pages such as the pipelines list page. The new default state returns the list view to its original order without needing to refresh or leave the page.

The dashboard page can now be accessed by selecting the new Analytics link in the top menu.

Introduced new arguments for ecconfigure:

To support IPv6 handling, ectool has been updated to allow the following IPv6 inputs:

Optimized the logging configuration by setting the logging level for the HikariCP to:

For various reasons, Kubernetes clusters may migrate an agent pod across nodes, which is normally triggered by a sigterm signal to the current agent pod that immediately terminates it. To provide better monitoring and graceful termination options, support has been added to the CloudBees CD/RO Helm charts to configure termination grace periods for agent pods. For more information, refer to Configure graceful termination period for agent pods.

The procedure editor interface is redesigned while maintaining the same fields and inputs. This enhancement affects both the creation and editing of procedures.

Previously, specifying resources in procedure steps and pipeline stages was limited to directly naming a Resource or a resource pool. A new option in the Assign Resource or Resource Pool interface allows for switching to property mode, enhancing flexibility. This mode requires using a valid path in the property, which is resolved at runtime to either a resource or a pool. An example of a valid server-level property path is /server/super_resource.

The pipeline editor’s stage interface is redesigned while maintaining the same fields and inputs. This enhancement affects both the creation and editing of stages.

The following third-party tools have been updated:

A new CloudBees Accessibility Conformance Report is available that provides information about the accessibility features for CloudBees CD/RO v2024.03. This report is based on the VPAT® (Voluntary Product Accessibility Template) Version 2.4Rev, the WCAG (Web Content Accessibility Guidelines) 2.0 Levels A and AA, Section 508, EN 301 549. For more information, refer to Accessibility.

Elasticsearch has been updated to version 7.17.18.

Starting with the v2024.03.0 CloudBees Analytics installer, you can specify the default IP protocol to use. For more information, on CloudBees Analytics server unattended installation, refer to:

The rolling deployment phases generation in the DSL for Trigger entity was refactored to prevent conflicts between the rollingDeployManualStepAssignees Collection type of the CreateOrModifyScheduleOperation argument and the DSL field String type.

The rolling deployment phases generation in the DSL for Trigger entity was refactored to prevent conflicts between the rollingDeployPhases Collection type of the CreateOrModifyScheduleOperation argument and the DSL field String type.

The rolling deployment phases generation in the DSL for Trigger entity was refactored to prevent conflicts between the rollingDeployPhases Collection type of the CreateOrModifyTriggerOperation argument and the DSL field String type.

The myProcess/owningProjectName property is now retained after restarting CloudBees CD/RO.

When mapping is not found for an objecftType, the InvalidObjectType EcException now occurs.

Resolved a system freeze issue due to duplicate parameter names within a single container. During the upgrade to this release, duplicates are automatically removed.

In previous releases, when running CloudBees CD/RO agents on Linux ARM, an exception was raised for invalid ELF headerI caused by libxml2.so.2. This issue has been fixed in v2024.03.0.

Field deleted has been excluded from the describeObject API response when a SearchFilterView view name is specified.

When renaming or deleting an object before this update, validation based on the existing name property failed for non-property containers. This release corrects the issue by ensuring the correct path for the name property is provided for both property containers and non-property containers.

When running evalDSL using --overwrite 1, child objects represented as empty entities without any properties were still present after importing the DSL. The overwrite handling has now been updated so that all child objects not specified in DSL are deleted.

The rolling deploy phases are no longer limited by size.

Previously, commas (,) were not permitted in the names of a rolling deploy phase. This has been addressed, and now commas are permitted.

The multi-select behavior issue was resolved. Now, adding multiple parameter values works as expected.

Fixed an issue where the renderCondition formal parameter field incorrectly evaluated integer inputs. Now, the parameter is evaluated on input and forces the use of a string.

Updated handling patters for pure HTML to accurately display full address links.

Previously, not all active CloudBees CI users were displayed in the CloudBees CD/RO interface. This issue has now been fixed, and CloudBees CD/RO displays an accurate list of active CloudBees CI users.

Resolved an issue where abortAllPipelineRuns requests could be erroneously triggered in pipeline runs associated with a release from the Pipeline runs list page. This issue would cause all pipeline runs associated with the release to be aborted.

When upgrading to v2023.12.0 on Kubernetes, CloudBees Analytics (flow-devopsinsight) fails to start if your certificates were generated using cbflow-tools from v2023.10 or earlier or custom certificates generated using OpenSSL 2. To resolve this issue in v2023.12.0, new certificates must be generated. For more information on generating Analytics server certificates, refer to Configure CloudBees Analytics server certificates.

Kerberos Keytab configurations are deprecated and no longer supported. UI configurations for this functionality are now removed.

Previously, not all snapshots appeared in the selection menu and prevented users from being able to view or select all available snapshots. Now, all snapshots are displayed in the selection menu.

The MeanLeadTime report does not work correctly when Elasticsearch only has pipeline runs but no release runs.

The CloudBees CD/RO UI does not allow you to transfer artifacts across zones.

When a custom data retention policy schedule is set to run once, the data is not purged after archiving. To purge data after archiving, use a repeat schedule or the global data retention setting.

When using PostgreSQL with change tracking enabled, EcAuditStrategy errors may appear in the server log. This is a known issue, but is not expected to have any effect on the performance of the system.

Events that originate from the default CloudBees CI create default configurations. URLs for these new controllers are not Jenkins configured URLs and cause 401 errors.

You may experience SSO sign-in issues when using Kerberos due to a Microsoft known issue.

When a process step that is not manual is modified to be manual after the process runs, but before the associated job step evaluated, the step hangs and adds a java.lang.IllegalStateException: Unknown step type: manual exception to the log.

The flowRuntime response contains hasCIJobs=1 if a release was started from CloudBees CD/RO and the previous release run was triggered within CloudBees CI.

On Windows agents, "Export DSL" catalog item fails to export objects that end in spaces.

When running getCIBuildLog for a CloudBees CI build, the build log cannot be accessed without restarting the build CloudBees CI controller. As a workaround, restart your CloudBees CI controller, and set up a number of executors, and getCIBuildLog can then be used to access the CloudBees CI build logs.

Before upgrading from CloudBees CD/RO v10.2 and earlier, if legacy services exist in your system, upgrades may fail and database consistency break. Additionally, even if the upgrade returns successfully, it may still be impossible to run the validateDatabase API.

In CloudBees CI job responses, actual parameters are returned that are not defined within the job. Additionally, saving and reloading the tasks doesn’t clear undefined actual parameters.

Currently, if a formal parameter depends on a dropdown menu to get project parameter dependencies for object-like parameters, such as projectName, you can select multiple options in dropdown menus. However, there is only an object name (or list of names in case of multi-select) in the parameter value with no connection to a project and without the ability to identify which object exists in which projects.

Catalog items configured with both a parameter form and formal parameter(s) fail to run when executed in the UI. As a workaround, delete the formal parameter(s), and run the catalog item with the parameter form.

SyncArtifactVersions procedure completes with success, rather than showing a warning, when manifest is missing and overwrite = false.

When you use the Automation Platform UI to upload and publish artifact files with non-English characters in their file names, the operation fails with the following error: Upload file: Exit code 1: ERROR: Publish failure: Unexpected retrieval exception for repository error.

Modifications of LDAP user data (such as email addresses) on an Active Directory server after registration in CloudBees CD/RO do not appear properly in user details (in the Automation Platform UI, the Deploy UI, or ectool) until the CloudBees CD/RO server is restarted.

(Microsoft Windows platforms only) If the Elasticsearch cluster used by CloudBees Analytics is in the red state (meaning that it only partly functions and some data is unavailable), then upgrade, reconfigure, and uninstall operations will not work. Since the Elasticsearch service cannot be stopped when a cluster is in a red state, you must stop the Elasticsearch service process from the task manager before running the installer for these actions.

The Microsoft Edge® browser does not work with SAML 2.0 and is missing a self-signed certificate during redirection from the identity provider to the service provider. Microsoft Edge® is not recommended for sign-in via SAML 2.0.

The LANG environment variable must be set to en.US.UTF-8; otherwise, the upgrade fails. Refer to KBEC-00452 - Error installing CloudBees CD/RO 10.0.x when Lang environment variable is different than en.US.UTF-8 for details.

Error prompts for runtimes started by a schedule are not visible if the schedule was created with a missing configuration.

The stage inclusion status in the Release Dashboard changes color after a stage is renamed.

If an application process step cannot expand to its child steps (because of an invalid run condition or an invalid formal parameter), then the step is not retried even if it uses retry on error error handling. The job eventually completes with an error.

The retry count for group tasks or rules using automated retry on error is missing from the Pipeline runtime page.

Multiple mapped environments with the same name from different projects are not supported in email notifications.

A project import might not include the path-to-production view.

All subreleases of a release must appear before the release in the DSL for the release-to-subrelease links to be created.

The ability to search by assignee in a Deployment Report is not available in the CloudBees Analytics report editor.

If Release Command Center was set up for Jira for user stories and defects, and the JIRA project name was mapped to the release project name using the field mapping projectName:releaseProjectName, then before upgrading to 10.0, the field mapping must be updated to mention the actual release project name using the following field mapping format: "release-project-name-in-CloudBees CD/RO":releaseProjectName.

Approval by email on manual tasks should not expect parameters.

If you use the ectool export to export your system configuration from a previous release, and then use ectool import to import the same configuration to a CloudBees CD/RO 10.0 server, some out-of-the-box content introduced in the releases since the version from which the full export was done, such as new or updated plugins, new catalog items, and persona-based menu items, may be missing in the CloudBees CD/RO server UI. It is recommended to use ectool export and ectool import only between servers at the same version.

SSO does not work unless PHP configuration is changed due to a security-related request. As a workaround, change session.cookie_samesite to "Strict" in /opt/electriccloud/electriccommander/apache/conf/php.ini and restart the web server.

CloudBees CD/RO v10.1 introduced new triggers and an updated UI for them. Pre-v10.1 triggers will continue to work but there is no UI to review or run them.

Before using the export command to perform a full data export from the CloudBees CD/RO database, delete any legacy definitions and references to service objects from applications and releases.

You can only revert changes for high-level design objects such as applications procedures, procedure steps, workflow definitions, and state definitions.

Enabling Recursively Traverse Group Hierarchy might impact system performance when the LDAP group hierarchy is traversed. The amount of impact varies with the configurations of the CloudBees CD/RO and LDAP servers, the depth of group hierarchy in the LDAP server, and the network latency between the servers. Ensure that your directory provider can handle the additional load for supporting nested group hierarchy traversal.

System performance might decrease if you disable change tracking at the server level and then re-enable it. Change tracking is enabled by default. For details about using change tracking, refer to change tracking.