New features

Beekeeper plugin exceptions (FNDJEN-2567)

Beekeeper plugin exceptions provide a way to fix urgent bugs or security issues related to plugins by upgrading to a version of a plugin that is not yet available in the CloudBees Assurance Program.

See Beekeeper plugin exceptions for more information.

Feature enhancements

Add category for ElasticSearch Reporter Plugin (CPLT2-6669)

The ElasticSearch Reporter configuration button was moved from the Uncategorized section of the /manage page to the System Configuration section.

Client Master security: Get rid of visible "slave" words (CTR-2070)

Replace "slaves" term with "agents".

Allow CloudBees SCM Reporting to be opt-in (STICKY-667)

The CloudBees CI SCM Reporting feature was enabled by default whenever the plugin was installed, which for installations with numerous projects could be an unwelcome surprise.

For discoverability, the feature remains on by default, but there is now a checkbox in the master system configuration to disable it by default without disabling the plugin. Users can disable it by default via GUI or configuration as code. Notifications may still be turned on or off (or further customized) for a particular project in that project’s configuration screen.

CloudBees SCM Reporting GitHub Re-run link enabled (STICKY-171)

Failing tests displayed on the GitHub Checks tab included a Re-run link but the link was disabled.

Now, selecting the Re-run link triggers a new build in CloudBees CI.

See Viewing GitHub Checks tab notifications for more information.

Add Rebuild button to CloudBees Slack Integration message (STICKY-493)

When a PR cannot be successfully built in CloudBees CI, the CloudBees Slack Integration message now includes a Rebuild button that will trigger a new build.

When a new build is started, the previous messages that contain a Rebuild button are updated, so the button is removed to prevent the user from selecting an invalid/out-of-date message.

Enable link to build in the first line of the CloudBees Slack Integration message (STICKY-717)

Before, the initial line of the CloudBees Slack Integration message included a reference to the build number, but did not link to the build.

Now the build reference on the first line of the CloudBees Slack Integration message links to the build.

Verify if the CloudBees Slack Integration user exists before adding a new user (STICKY-670)

When adding a CloudBees Slack Integration new user, if a user is already configured or the user does not exist, the administrator will now receive a warning message. Also, if the user is already configured, the message will prevent the admin from adding the new user.

The same validation is checked if the admin is updating an existing user.

Improved Configuration as Code (CasC) for Controllers export output (CTR-2207)

The readability of the output produced for a Configuration as Code (CasC) for Controllers export has been improved in the following ways:

  • There are now yaml --- document separators between the different documents.

  • The plugin list will now be alphabetized.

The email-ext plugin and Configuration as Code (FNDJEN-2110)

This plugin is now compatible with Configuration as Code.

Jenkins user interface updates (FNDJEN-2723, FNDJEN-2237, FNDJEN-2232, FNDJEN-2193, FNDJEN-2025, FNDJEN-2691)

As part of CloudBees' ongoing effort to update the Jenkins user interface, the following enhancements were made:

  • Colors were normalized in different widgets to be consistent with the new color palette.

  • Tables were restyled with more inner spacing to improve readability. The tables also now use colors that are consistent with the rest of the UI.

  • Hyperlink styles were updated.

  • Side panel widgets were restyled to have a more modern look.

  • Sidebar task list appearance and accessibility were improved.

Warnings NG plugin included in CAP (STICKY-633)

One of the most popular Jenkins LTS plugins, Warnings Next Generation, is now part of the CloudBees Assurance Program (CAP).

Using the Warnings NG plugin greatly enriches the information surfaced through the CloudBees SCM, Slack, and Microsoft Teams Integration plugins.

While the Warnings NG plugin could be used with these plugins before, for customers who strictly use CAP plugins, it was not previously an option.

Allow/disallow Beekeeper Plugin Exceptions (CTR-2197)

A connected master can be configured to allow/disallow Beekeeper Plugin Exceptions from the master configuration page.

Upgraded CloudBees Fast Archiving Plugin dependencies (CTR-2281)

The parent pom dependency org.jenkins-ci.plugins:structs is now 1.20 and commons-net is 3.6, which are compatible with Jenkins 2.250.

Upgraded CloudBees Request Filter Plugin dependencies (CTR-2284)

The parent pom dependency nectar-license is now 8.28 which is compatible with Jenkins 2.250.

Upgraded CloudBees RBAC Auto Configurer plugin dependencies (CTR-2279)

The parent pom dependency and org.jenkins-ci.plugins:structs are now 1.20 which is compatible with Jenkins 2.250.

Upgraded CloudBees Groovy View Plugin dependencies (CTR-2283)

The parent pom dependency org.jenkins-ci.plugins:structs is now 1.20 which is compatible with Jenkins 2.250.

Upgraded CloudBees Skip Next Build Plugin dependencies (CTR-2278)

The parent pom dependency org.jenkins-ci.plugins:structs is 1.20 which is compatible with Jenkins 2.250.

Upgraded CloudBees Restart Aborted Builds Plugin dependencies (CTR-2280)

The parent pom dependency org.jenkins-ci.plugins:structs is now version 1.20 and org.jenkins-ci:symbol-annotation is 1.20. Both are compatible with Jenkins version 2.250.

Upgraded Notification API plugin dependencies (CTR-2285)

The Notification API plugin now uses Jenkins Configuration as Code (JCasC) version 1.40 which is compatible with Jenkins version 2.250 and above.

Upgraded CloudBees Backup Plugin dependencies (CTR-2282)

The plugin dependency org.jenkins-ci.plugins:structs is now compatible with Jenkins 2.250.

[JENKINS-48837] Add BranchProperty support to OrganizationFolder (NGPIPELINE-1314)

Multibranch Pipeline jobs have an option to configure Branch Property Strategies. Org folders did not support this Branch Property Strategy configuration. This prevented the child Multibranch Pipeline jobs from having Branch Property Strategies configured.

With this fix, we added the ability for Org folders to configure Branch Property Strategies for their Multibranch Pipeline children.

Resolved issues

Missed texts on product rebranding (CTR-2208)

Update some texts that were still using the old product naming.

CloudBees Microsoft Teams Integration failure to send message (STICKY-725)

The CloudBees Microsoft Teams Integration plugin would try and resend the message in case of success as well as a failure which caused messages to fail to send.

With this fix, the CloudBees Microsoft Teams Integration plugin now only retries on failure and constructs a new message to do so.

Prevent thread leaks when the previous CloudBees Slack Integration messages are updated (STICKY-736)

When a new build is started, the previous CloudBees Slack Integration messages are updated so the Rebuild button is removed. This fix prevents a thread from leaking when those messages are updated.

Remove direct link to Slack Integration config page from User configuration page (STICKY-662)

Within the User configuration page there was a section for Slack Integration that only provided a link to the Slack configuration page. Since there is a link in the left navigation menu, which is always available for the user, this internal link on the User configuration page was useless and unnecessary.

With this fix, the internal direct link on the User configuration page has been safely removed without breaking backward compatibility.

Improve the CloudBees Slack Integration plugin build logs (STICKY-669, STICKY-682, STICKY-683)

The CloudBes Slack Integration plugin build logs are more consistent and accurate.

Truncate the cause of failure when it is too long in CloudBees Slack Integration message (STICKY-696)

When a build fails, the cause of failure is sent as part of the CloudBees Slack Integration notification. Sometimes the failure was returning an error trace instead of a summary message, which could have caused that notification section to overflow and might have prevented the notification from being sent.

This fix truncates those traces that are too long so the message is always sent.

CloudBees SCM Reporting plugin - race condition in SCMReporterWithPending (STICKY-701)

On occasion a build stage taking approximately five seconds could display a pending commit status or check which was never replaced by a final status or check.

With this fix, a race condition has been addressed.

ClassCastException was deserializing GitHubAppCredentials from operations center on masters (CTR-2183)

With this fix, the serialization mechanism works as expected.

Terminology update for CLI help (CTR-2250)

CloudBees has removed the "slave" term from CLI help for enable-agent-trader, replacing it with "agent".

Remove deprecated slave commands (CTR-226)

CloudBees removed the following deprecated CLI commands: shared-slave-delete, shared-slave-force-release, enable-slave-trader, and disable-slave-trader.

Use their agent replacement CLI commands: shared-agent-delete, shared-agent-force-release, enable-agent-trader, and disable-agent-trader instead.

Master configuration page not properly displaying Plugin Catalog configuration (CTR-2349)

The master configuration page was not properly displaying the status for the Plugin Catalog configuration.

With this fix, the master configuration page displays the correct status for Plugin Catalogs.

Move/Copy of Multibranch does not copy the build files of branches with names with symbols (CTR-1842)

Builds from Multibranch Pipelines created from branches with long names or containing special characters are now copied/moved.

Wording in Configure Global Security refers to Client Masters instead of connected masters (CTR-2145)

A section in Global Security has been updated to indicate the settings apply to more than just Client Masters and include any connected masters.

JENKINS-63516: Use of password parameters with the input step broken in Jenkins 2.236+ (NGPIPELINE-1368)

Prevent changes in Jenkins 2.236 from breaking the use of password parameters with the input step.

JENKINS-63499: Use of password parameters in the Declarative parameters directive broken in Jenkins 2.236+ (NGPIPELINE-1370)

Prevent changes in Jenkins 2.236 from breaking the use of password parameters with the parameters directive.

Environment variables textbox for folders located in an incorrect place (NGPIPELINE-1221)

When using the Folder plus plugin in v2.222.2.1, the Environment variables textbox for the folder was located in an incorrect place.

We removed section headers from the Docker workflow properties and now the Environment variable textbox is located in the correct place.

Docker workflow fails with empty string environment variable (NGPIPELINE-1351)

Empty string environment variables caused a malformed Docker run command in docker-workflow.

With this fix, we added a check for empty key values.

JENKINS-63164: Completed node steps restart after resuming Pipelines in some cases (NGPIPELINE-1330)

In some cases, block-scoped steps that had already completed could be persisted in serialized Pipelines, causing the already-completed steps to resume when the Pipeline resumed.

With this fix, completed block-scoped steps should no longer be persisted in the state of serialized Pipelines.

JENKINS-62305: Password parameters cannot be used with the build step in Jenkins 2.236+ (NGPIPELINE-1331)

Password parameters no longer worked with the Pipeline build step in Jenkins 2.236 and newer.

With this fix, password parameters now work with the Pipeline build step in Jenkins 2.236 and newer.

Detached plugins not aligned with envelope versions (PRD-2623)

Some detached plugins embedded into the WAR file were unaligned with contents of the CloudBees Assurance Program. As a result, security scans on some distributables could show false positives even if those misaligned plugins were overridden by plugins from the CloudBees Assurance Program during installation.

Detached plugins and plugins in the CloudBees Assurance Program are now aligned.

Known issues

Version 4.0 or higher of .NET Framework is required to launch controller or agents on Windows services

Starting from this release, .NET Framework 2.0 doesn’t work for launching CloudBees controller or agents as Windows services. Microsoft.NET Framework 4.0 or above is now required for using the default service management features.

This release also upgrades Windows Service Wrapper (WinSW) from 2.3.0 to 2.9.0 and replaces the bundled binary from .NET Framework 2.0 to 4.0. There are many improvements and fixes in these versions, big thanks to NextTurn and all other contributors. You can find the full WinSW changelog here, just a few highlights important to CloudBees users:

  • Prompt for permission elevation when administrative access is required. Now CloudBees users do not need to run the agent process as Administrator to install the agent as a service from GUI.

  • Enable TLS 1.1/1.2 in .NET Framework 4.0 packages on Windows 7 and Windows Server 2008 R2.

  • Enable strong cryptography when running .NET Framework 4.0 binaries on .NET 4.6.

  • Support security descriptor string in the Windows service definition.

  • Support 'If-Modified-Since' and proxy settings for automatic downloads.

  • Fix Runaway Process Killer extension so that it does not kill wrong processes with the same PID on startup.

  • Fix the default domain name in the serviceaccount parameter (jira:JENKINS-12660[])

  • Fix archiving of old logs in the roll-by-size-time mode.

    Use-cases affected by .NET Framework 2.0 support removal

    If you use .NET Framework 2.0 to run the CloudBees Windows services, the following use cases are likely to be affected:

  • Installing the CloudBees controller as a Windows service from Web UI. The official MSI Installer supports .NET Framework 2.0 for the moment, but it will be changed in future versions.

  • Installing agents as Windows services from GUI. This feature is provided by the Windows Agent Installer Module from the Jenkins core.

  • Installing agents over Windows Management Instrumentation (WMI) via the WMI Windows Agents plugin

  • Auto-updating of Windows service wrappers on agents installed from GUI.

Upgrade guidelines

+ If all of your CloudBees controller and agent instances already use .NET Framework 4.0 or above, there are no special upgrade steps required.

+ If you run the CloudBees controller as a Windows Service with .NET Framework 2.0, this instance will require an upgrade of .NET Framework to version 4.0 or above. .NET Framework 4.6.1 or above is recommended because this .NET version provides many platform features by default (e.g. TLS 1.2 encryption and strong cryptography), and Windows Service Wrapper does not have to apply custom workarounds.

+ If you want to continue running some of your agents with .NET Framework 2.0, the following extra upgrade steps are required:

+ . Disable auto-upgrade of Windows Service Wrapper on agents by setting the -Dorg.jenkinsci.modules.windows_slave_installer.disableAutoUpdate=true flag on the CloudBees controller side. . Upgrade agents with .NET Framework 4.0+ by downloading the recent Windows Service Wrapper 2.x version from WinSW GitHub Releases and manually replacing the wrapper ".exe" files in the agent workspaces.


Revision 3 (2020-09-23)

CloudBees Security Advisory 2020-09-23

Revision 2 (2020-09-16)

CloudBees Security Advisory 2020-09-16