CloudBees CI on modern cloud platforms 2.176.3.2

Rolling release: 2019-08-28

Based on Jenkins LTS 2.176.3-cb-6

New features

Helm support added to CloudBees Core

Helm is the standard means of deploying Kubernetes environments. Helm support has been added to CloudBees Core, with a new guide published for Red Hat OpenShift. The existing guide for installing Core using Helm on Kubernetes has also been substantially revised.

Managed masters are now expandable

Managed Masters volumes can now be expanded after creation using the GUI.

New content: monitoring CloudBees Core with DataDog

A new guide to using DataDog to monitor CloudBees Core has been added.

Upgraded Maven plugin core (NGPIPELINE-331)

The Maven plugin (version 3.1) was using an old version of maven core, so some new features (wildcard exclusions, in maven 3.3.3) were not available. With this fix, we have upgraded maven core dependencies making the new features available.

CLI for Pipeline Template Catalog management (NGPIPELINE-513)

Managing catalogs and pipeline templates across a large number of Jenkins masters using the graphical user interface (GUI) is time consuming and prone to human error due to the repetitive nature of the task. A new pipeline-template-catalogs CLI command was created. This CLI command allows the administrator to automate the management catalogs and pipeline templates across multiple Jenkins masters which reduces the amount of time required and ensures accuracy and consistency across all development teams.

Create a team without being able to manage other teams (CTR-475)

It was not possible to allow a user to create a new Team without giving them the permission needed to manage the lifecycle of all teams. A user now only needs ManagedMaster.CREATE and Item.READ permissions in the Teams folder in order to create a team. Furthermore during creation, if they add themselves as user with Administration permissions during the creation they will be able to manage certain aspects of the newly created Team.

New content: Backup and restore guide

A new backup and restore guide has been created, including best practices, how to restore credentials, and an explanation of the $JENKINS_HOME directory.

Update CloudBees Update Center plugin’s Jsoup dependency(CTR-43)

The CloudBees Update Center plugin was using an outdated/unsupported dependency, JSoup 1.7.3., which contained a vulnerability. With this fix the CloudBees Update Center plugin was updated with JSoup 1.8.3.

CLI for Pipeline Template Catalog management (NGPIPELINE-513)

Managing catalogs and pipeline templates across a large number of Jenkins masters using the graphical user interface (GUI) is time consuming and prone to human error due to the repetitive nature of the task. A new pipeline-template-catalogs CLI command was created. This CLI command allows the administrator to automate the management of catalogs and pipeline templates across multiple Jenkins masters which reduces the amount of time required and ensures accuracy and consistency across all development teams.

Create a team without being able to manage other teams (CTR-475)

It was not possible to allow a user to create a new Team without giving them the permission needed to manage the lifecycle of all teams. A user now only needs ManagedMaster.CREATE and Item.READ permissions in the Teams folder in order to create a team. Furthermore during creation, if they add themselves as user with Administration permissions during the creation, they will be able to manage certain aspects of the newly created Team.

New backup and restore guide

A new backup and restore guide has been created, including best practices, how to restore credentials, and an explanation of the $JENKINS_HOME directory.

Resolved issues

Update to 2.176.3.3 instead of 2.176.3.2 revision 2

We recently recommended that you upgrade your 2.176.3.2 environments by applying the 2.176.3.2 revision 2 update. Since that time, we have discovered and fixed a bug in the Beekeeper Upgrade Assistant feature. That bug prevented you from applying the security update in the revision 2 release.

We are providing a new full release 2.176.3.3 which provides the same benefits as the 2.176.3.2 revision 2 update.

If you are running 2.176.3.2, we strongly recommend that you upgrade to the 2.176.3.3 release. This requires a full upgrade of the installed distribution instead of the incremental upgrade previously provided.

Large number of GitHub repos issue (NGPIPELINE-306)

When selecting a Github repo while creating a Multi-Branch Pipeline project, if there are too many repos available to the Github user/owner, the drop down menu either takes a very long time or times out with an error. With this fix, we have added a New UI where users can directly enter their GitHub repository HTTPs URL to create a GitHub based Multi Branch Project.

Configuration screen behavior change (CPLT2-5718)

Problem: saving the configuration screen of a connected master redirected the administrator to the master’s dashboard, rather than back to the management screen in the operations center where navigation originated.

Fix: the browser is now redirected to the master’s management screen.

Removed debugging VM argument (CPLT2-5620)

Problem: The VM argument -XX:+PrintGCDetails can be useful for debugging but adds unnecessary volume to the logs.

Fix: Removed the -XX:+PrintGCDetails argument from Operations Center.

OpenJDK8 Docker parent image updates

The OpenJDK8 Docker parent images has been updated to include recent security fixes in the Java runtime.

Sidecar Injector based on Debian (CPLT2-5670)

Problem: The sidecar injector based on Debian had security issues due to Debian security vulnerabilities.

Fix: We created a new sidecar injector image which uses a different OS without these issues.

Fix Pipeline Event Step plugin issues (CTR-415, -513)

Several libraries where bundled in the Pipeline Event Step plugin that should have been loaded via plugin dependencies. With this fix, the incorrectly bundled libraries have been removed from the plugin.

The Pipeline Event Step plugin version 1.4 had PCT errors because of a detached plugin. With this fix, the matrix-auth dependency was added with test scope.

Update CloudBees Update Center plugin’s Jsoup (CTR-434)

The CloudBees Update Center plugin was using an outdated/unsupported dependency, JSoup 1.7.3., which contained a vulnerability. With this fix the CloudBees Update Center plugin was updated with JSoup 1.8.3.

Release Jackson API plugin update for 2.9.9.1 (JENSEC-514)

Two polymorphic deserialization CVEs were found and fixed in 2.9.9.1.

Pipeline: Groovy plugin (NGPIPELINE-614, -27, -582, -467)

The CPS method mismatch detection introduced in Pipeline: Groovy Plugin 2.71 incorrectly logged a warning for some kinds of Groovy metaprogramming where it should not have. CPS method mismatch warnings will no longer be logged for some kinds of Groovy metaprogramming.

Uses of CPS-transformed code in a non-CPS-transformed context in Pipelines did not fail cleanly or log a warning explaining the problem. With this fix, use of CPS-transformed code in a non-CPS-transformed context in Pipelines now logs a warning explaining the problem, and links to https://www.jenkins.io/redirect/pipeline-cps-method-mismatches/ which provides some guidance on how to fix common errors.

Calling overridden methods using super in some class hierarchies in a Pipeline could cause a StackOverflowException to be thrown due to an infinite loop. With this fix, super methods are now resolved correctly, preventing the infinite loop.

The whitelist for the Groovy sandbox was not set up correctly for script-level initializers, such as those for fields defined using @Field or fields defined on a sandboxed script that directly extends groovy.lang.Script or one of its subclasses. Because of this, these initializers were unable to call any method or reference any fields even if they were whitelisted. The whitelist for the Groovy sandbox is now set up correctly for script-level initializers.

JIRA Site doesn’t show credentials (NGPIPELINE-522)

JIRA Site at the folder level did not show credentials for non-admin users, even though the user has all the credentials related permissions. With this fix, credentials are displayed as expected.

Pipeline steps do not detect stray parameters (NGPIPELINE-588)

If a named argument passed to a Pipeline step did not correspond to an actual parameter of the step, the argument was silently ignored, masking common issues like misspelling the parameter. With this fix, a warning is now printed to the build log when a named argument passed to a Pipeline step does not correspond to any of the step’s parameters.

Org Property Migration issue (NGPIPELINE-584)

The Branch API plugin included an admin monitor that recommended that users install the Basic Branch Build Strategies plugin to migrate away from the "Automatic branch project triggering" property for organization folders because it was deprecated. An automated migration for this property in the Basic Branch Build Strategies plugin caused issues in some configuration, causing change requests to no longer be built, and causing errors when trying to rebuild an existing Pipeline job. The administrative monitor recommending Basic Branch Build Strategies Plugin be installed has been disabled along with the automated migration. The "Automatic branch project triggering" property for organization folders has been reinstated.

Update Durable Task Plugin (NGPIPELINE-582)

The wrapper process for shell steps stayed open for the entire life of the user-specified script, leaking JVM resources in some cases. With this fix, the wrapper process for shell steps now executes in the background.

The absolute path to sh on the master was used to launch shell scripts on agents when no default shell was specified. If the path on master did not match the path to sh on agents, the shell script would not execute. With this fix, agents now use sh without an absolute path if no default shell is specified.

The Powershell step did not propagate error codes in scripts correctly starting in version 1.23 of this plugin. With this fix, error codes in Powershell scripts now propagate correctly.

Update Workflow Durable Task Step plugin (NGPIPELINE-582)

If an agent being used by a Pipeline was removed (deconfigured) from Jenkins, the build would hang forever. With this fix, Pipeline builds now abort immediately if an agent they are using has been removed from Jenkins.

GitHub Webhook issues in BlueOcean (NGPIPELINE-551)

GitHub Webhooks were not created after new pipeline creation in BlueOcean. This issue was specific to pipelines created using BlueOcean. With this fix, webhooks are registered with GitHub on new pipelines created in BlueOcean.

Issues with the Pipeline Template Catalog UI (NGPIPELINE-525)

For users without Pipeline Template Catalog permissions, the left nav displayed only the icon for Pipeline Templates Catalog. Additionally, these same users could access an incomplete Pipeline Templates Catalog page. With this fix, we added new view-only permission, fixing the left nav and Pipeline Templates Catalog page to render data according to permissions.

GitHub Org Folders Discard Old Items issue (NGPIPELINE-173)

The Discard Old Items configuration for Organization Folders was easily misunderstood by users as being about artifacts and builds. With this fix, the Discard Old Items settings for Organization Folders and Multibranch Projects now have a description explaining their use.

Parallel step snippet generator error (NGPIPELINE-395)

The GDSL file provided by Jenkins to support syntax highlighting in IntelliJ IDEA did not support the parallel step, and incorrectly marked some step parameter types as Map when they should have been List. The parallel step is now correctly supported, and step parameter types have been fixed where appropriate.

Provisioning limits issues (CTR-16, -423)

There was confusion about applying provisioning limits to a Master when using Kubernetes Cloud. With this fix, the inline help has been updated to clarify provisioning limits behavior.

In Operations Center, when users configured Provisioning limits, the code was counting all the executors on the Jenkins instance, even the offline agents. With this fix, the code limits enforcement for nodes provisioning on the cloud by ignoring executors on offline nodes while computing the current count of executors.

Team folder must not include the rename option (CTR-432)

The rename action was available for team folders, and using this option would rename the folder on the filesystem, bypassing Team functions. With this fix, the "rename" menu item is removed for team folders. Users can still change the display name of the folder using folder settings if they want to rename the team on the UI.

Improve processing speed of the update center (CTR-442)

Clicking 'Check Now' in the Update Center was taking a long time to return. With this fix, we improved the processing speed of the 'Check now' button in Update Center.

Shared Library using folder-scoped credential fails to authentic

Shared Libraries using folder-scoped credentials failed to authenticate. With this fix, we added functionality to expose parent item scope to children, allowing shared libraries to see and use folder-scoped credentials.

Known issues

None

Revisions

Revision 2 (2019-09-12)

CloudBees Security Advisory 2019-09-12