CloudBees CI release highlights

What’s new in CloudBees CI 2.375.1.1

Watch the video

Security fixes

Remove obsolete Handlebars plugin (BEE-8551)

The Handlebars plugin is no longer supported, so any use of Handlebars is now declared per plugin as a node.js dependency.

Remove obsolete Handlebars plugin (BEE-8561)

The Handlebars plugin is no longer supported, so any use of Handlebars is now declared per plugin as a node.js dependency.

Fix the CVE-2022-38752 vulnerability (BEE-27100)

When using snakeyaml to parse YAML data, you may be vulnerable to Denial of Service attacks (DOS). This library is a transitive dependency from the cloudbees-installation-manager plugin.

The dependency on the cloudbees-installation-manager plugin now has a provided scope.

Fix the CVE-2022-38751 vulnerability (BEE-27101)

When using snakeyaml to parse YAML data, you may be vulnerable to Denial of Service attacks (DOS). This library is a transitive dependency from the cloudbees-installation-manager plugin.

The dependency on the cloudbees-installation-manager plugin now has a provided scope.

Fix the CVE-2022-25857 vulnerability (BEE-27102)

When using snakeyaml to parse YAML data, you may be vulnerable to Denial of Service attacks (DOS). This library is a transitive dependency from the cloudbees-installation-manager plugin.

The dependency on the cloudbees-installation-manager plugin now has a provided scope.

Fix the CVE-2022-38749 vulnerability (BEE-27104)

When using snakeyaml to parse YAML data, you may be vulnerable to Denial of Service attacks (DOS). This library is a transitive dependency from the cloudbees-installation-manager plugin.

The dependency on the cloudbees-installation-manager plugin now has a provided scope.

Fix the CVE-2022-38750 vulnerability (BEE-27098)

When using snakeyaml to parse YAML data, you may be vulnerable to Denial of Service attacks (DOS). This library is a transitive dependency from the cloudbees-installation-manager plugin.

The dependency on the cloudbees-installation-manager plugin now has a provided scope.

Upgrade com.google.code.gson:gson to version 2.9.1 (BEE-18919)

Upgraded com.google.code.gson:gson to version 2.9.1.

Upgrade com.google.code.gson:gson to version 2.9.1 (BEE-18925)

Upgraded com.google.code.gson:gson to version 2.9.1.

The version of snakeyaml in the snakeyaml-api plugin contained known CVEs (BEE-23851)

The snakeyaml version was updated to a release that fixed these vulnerabilities.

The underlying jackson-databind version was out-of-date (BEE-25766)

The jackson-databind version has been updated to 2.13.4.2.

The underlying jackson-databind version was out-of-date (BEE-25767)

The jackson-databind version has been updated to 2.13.4.2.

The underlying jackson-databind version was out-of-date (BEE-26976)

The jackson-databind version has been updated to 2.13.4.2.

New features

None.

Feature enhancements

No error message received when entering incorrect values to configure the CloudBees Inactive Items plugin (BEE-24875)

When configuring the CloudBees Inactive Items plugin, if you entered incorrect values in the Analysis Frequency or Days before Inactivity fields, there is no error message that indicates the values are incorrect.

Error messages now display by these fields when incorrect values are entered.

Allow exporting inactive items report as a CSV file (BEE-27020)

The Inactive Item reports can now be exported as CSV from the API, the CLI, and the UI.

Improve Configuration as Code bundles page (BEE-10584)

The Configuration as Code bundles topic has been updated. The contents have been split into different tabs and the list of CasC bundles is now clearer.

Remove obsolete Handlebars plugin (BEE-24621)

The Handlebars plugin is no longer supported, so any use of Handlebars is now declared per plugin as a node.js dependency.

Allow Ant Path Expressions for skipping next builds in skip-plugin (BEE-24152)

When defining a skip group in a controller configuration, it is now possible to write Ant Path Expressions to match with jobs to be skipped.

When the skip group is activated, all jobs matching the specified Ant Path Expressions will be skipped. Refer to Controlling builds documentation for more information.

Resolved issues

The Update Center signature hosted in operations center is empty (BEE-27236)

controllers configured to an Update Center hosted on operations center cannot refresh the Update Center metadata from the Manage Plugins. It fails with the trustAnchors parameters must be non-null. This is caused by an issue with the self-certified signature provided that returned an empty signature certificate.

This issue has been resolved.

CasC export ignores operations center agent provision service (BEE-27095)

CasC export ignored the operations center agent provisioning service and there was no clear symbol besides cloudImpl. No matter the CasC settings, the operations center cloud was automatically registered when the controller was online and was automatically removed when the controller was offline.

If using CasC, the operationsCenterAgentProvisioningService is now specified in jenkins.clouds. If not using CasC, the previous automatic behavior remains.

The AssertionError is hidden by the OperationsCenterRootAction function (BEE-27776)

Some legacy code in OperationsCenterRootAction would hide the AssertionError, making it difficult to follow call sequences.

The OperationsCenterRootAction error management no longer hides errors.

Incorrect channel termination sequence when using websockets to connect a client controller to the operations center (BEE-23297)

When the network connection using WebSockets between the operations center and controllers could not be establish, the operations center logs contained a lot of entries regarding the channel’s closure.

The channel now closes properly in order to avoid multiple stack traces in the logs.

Updated text on the CloudBees Inactive Items plugin page (BEE-24879)

Labels and descriptions were updated on the CloudBees Inactive Items plugin page.

Plugin Upgrade (BEE-27297, BEE-27287, BEE-27286, BEE-27290, BEE-27347, BEE-27294)

The woodstox-core plugin version has been upgraded from 6.2.6 to 6.4.0.

CloudBees footer is visible (BEE-27794)

Beginning with weekly release 2.375, the CloudBees footer is partially visible when it should be hidden. This secondary footer should be visible only when the mouse hovers over the Jenkins footer.

The issue is now fixed.

The Beekeeper Update Center page incorrectly displays a warning (BEE-23204)

The Beekeeper Upgrade Assistant page shows a warning "The CAP Update Sites are not correctly configured." even though the update sites are configured correctly. The offline update site is at the origin of this false-positive warning as it is detected as a "Generic Update Site".

This issue has been resolved.

The SSHD plugin cannot start as a detached plugin because its dependency, the Mina SSHD API

Core plugin, is not a detached or bootstrap plugin (BEE-24381):: The cloudbees-installation-manager 2.332.0.18 plugin overrides the detached plugin folder location to improve the plugin dependency management. This, along with the envelope-maven 2.0.100 plugin, improves the plugin dependency management and reduces the war size.

JENKINS-67946: GitHub Branch Source does not support GitHub Enterprise Managed User accounts (BEE-27457)

The GitHub Branch Source plugin was not building pull requests (PR) from forks when the fork owner username contained an underscore (_). Underscores appear in usernames when using GitHub Enterprise Managed Users (EMU).

This discrepancy causes events coming from PRs from forks not to be processed accordingly. The PRs from forks owned by GitHub EMU users are not automatically triggered.

The workaround was to run branch indexing.

This issue has been resolved.

Winstone has been upgraded and as a result the following Jenkins startup options --ajp13Port, --ajp13ListenAddress, --handlerCountMax, and --handlerCountMaxIdle are no longer supported and no replacement has been provided (BEE-28419)

You must remove these Jenkins startup options from any custom startup scripts or parameters.

Inactive items not running automatically (BEE-24907)

The Inactive Items Periodic Analyzer intermittently created a second instance of the Inactive Items Configuration and then stops functioning. In other instances, the first execution of the Inactive Items Periodic Analyzer was scheduled between 0 and 30 days and changes to the Analysis Frequency only became visible during rescheduling and not after the frequency setup change.

The Inactive Items Periodic Analyzer can no longer create a second instance of the Inactive Items Configuration and can now be rescheduled on every Analysis Frequency change.

Blank setup wizard appeared after starting a controller (BEE-24915)

Fixed a rare occurrence of blank setup wizard after starting up a controller.

As an admin, a 404 error was displayed when trying to access RBAC group information inside a folder in the controller view (BEE-24633)

The inherited group list contained incorrect links when using the folder in the controller view.

Group links are now built correctly and the group page is accessible from the controller view.

Known issues

Sandboxed Groovy scripts, including Pipelines, that use the @Field annotation to declare fields with a type other than Object and do not provide an initial value for the field fail to compile.

The Sandboxed Groovy scripts, including Pipelines, that use the @Field annotation to declare fields with a type other than Object and do not provide an initial value for the field fail to compile. You should define an initial value for any fields that are declared using the @Field annotation, or change their declared type to Object.

For example, the following fields cause the script to fail to compile:

  • @Field String myField1

  • @Field Integer myField2

To resolve this, provide an initial value as in the following examples:

  • @Field String myField1 = null

  • @Field Integer myField2 = 0

You can also declare the fields as type Object as in the following examples:

  • @Field def myField1

  • @Field Object myField2

This is being tracked as JENKINS-69899.

Jira Plugin removed from CAP (BEE-22980)

The Jira Plugin has been removed from the CloudBees Assurance Program (CAP).

JIRA Integration For Blue Ocean Plugin removed from CAP (BEE-23090)

The JIRA Integration For Blue Ocean Plugin has been removed from the CloudBees Assurance Program (CAP).

CloudBees Docker Build And Publish Plugin removed from CAP (BEE-22981)

The CloudBees Docker Build And Publish Plugin has been removed from the CloudBees Assurance Program (CAP).

Mecurial Plugin removed from CAP (BEE-22979)

The Mecurial Plugin has been removed from the CloudBees Assurance Program (CAP).

MSBuild Plugin removed from CAP (BEE-22978)

The MSBuild Plugin has been removed from the CloudBees Assurance Program (CAP).

Duplicate Pipeline Template Catalogs in the Configuration as Code jenkins.yaml file on each instance restart (BEE-12722)

If a Pipeline Template Catalog is configured in the CasC jenkins.yaml file and the id property is not defined, the catalog is duplicated on each instance restart and in the exported CasC configuration.

Non-HTTP based Update Center URLs cause an exception in Plugin Manager (BEE-28906)

In the Advanced tab of the Plugin Manager, an error is shown for the Update Site configuration. This does not impact the installation or upgrade of plugins in most cases.

Upgrade notes

Java 11 is now required

Beginning with the September release, Java 11 is now required to run CloudBees CI. It is not possible to run the operations center, the controllers, or agents on Java 8 any longer. Java Web Start is no longer supported for inbound agents.

For more information, refer to Migrate to Java 11.

When you upgrade to Java 11, you must update your Java garbage collection arguments (BEE-16018)

Garbage collection has been updated in Java 11. Many of the previously recommended arguments are no longer supported. When you upgrade your JDK to Java 11, you must also update your garbage collection configuration. Using unsupported Java arguments will result in startup failure.

End of life announcement (BEE-23004)

After assessing the viability of our supported plugins, CloudBees will no longer support the following plugins:

  • CloudBees Docker Build and Publish

  • Jira

  • JIRA Integration For Blue Ocean

  • Mercurial

  • MSBuild

  • Promoted Builds

These plugins have been removed from the CloudBees Assurance Program (CAP). This end-of-life announcement allows CloudBees to focus on driving new technology and product innovation, as well as maintaining existing products that are actively used by customers.

If you installed any of these plugins using a Configuration as Code bundle via the plugins.yaml file, you must include them in the plugin catalog to continue using them. Refer to Installing non-CAP plugins with plugin catalogs.

For more information regarding this end-of-life announcement, please contact your Customer Success Manager.

Migration to Jakarta Mail (BEE-22565)

The CloudBees Nodes Plus plugin and the Operations Center Server plugin were updated to use jakarta.mail instead of javax.mail. This migration may break existing scripts that relied upon javax.mail. You may need to recreate any broken scripts.