Critical issues

Regression in CloudBees Plugin Usage Plugin 2.0, 2.2

CloudBees CI versions and have a potential issue involving the CloudBees Plugin Usage Plugin versions 2.0 and 2.2:

This plugin produces the analysis.json file in $JENKINS/pup. On large instances, for example with many jobs, this file can be quite large. At the next restart of the controller, the plugin usage analyzer tries to parse this file and with large files this could take some time and it may block the start-up process of the controller thereby leading to longer startup time.

CloudBees recommends that you upgrade to CloudBees CI version or later, or upgrade the CloudBees Plugin Usage Plugin to version 2.6. If you cannot upgrade to, it’s best to disable the CloudBees Plugin Usage Plugin (short name cloudbees-plugin-usage) until then. If Jenkins is not accessible, see Disabling a plugin when Jenkins is down

This issue is only a problem on startup. Another workaround is to remove the file $JENKINS/pup/analysis.json before starting or restarting Jenkins.

Security fixes

CSRF in Client Master connection URL field (CTR-2797)

CloudBees fixed a cross-site request forgery(CSRF) issue in the Client Master URL connection field on the operations center Client Master item manage page and added a new permission check.

The HA status page was not protected allowing anyone to view the status of a cluster

(CTR-2364) With this change, only those with Administer permissions are able to see the HA status page.

snakeyaml:1.10 dependency removed (CTR-2511)

The snakeyaml:1.10 library contains a known security vulnerability. With this change we are removing the dependency on that library.

Upgraded Script Security plugin dependency (CTR-2238)

The Script Security groovy-sandbox library dependency was included as version 1.20 which contains vulnerabilities.

With this fix, the Script Security plugin does not include the groovy-sandbox library dependency as version 1.20.

Plugin Usage page unprotected (FNDJEN-3225)

The Plugin Usage page didn’t check permissions.

The Plugin Usage page now checks that the user has Administer permissions.

Update commons-io to 2.8 (FNDJEN-3006)

Commons-io v2.6 has a security vulnerability that is not exploitable from the existing code.

Commons-io has been updated to 2.8.0 to remove this vulnerability.

New features

CloudBees CI now supports connecting masters using WebSockets (CTR-2656)(CPLT2-6091)

Before, it was only possible to connect Masters to operations center over TCP, which required opening TCP ports across reverse proxies/load balancers and was a manual and cumbersome process. Furthermore, because of this requirement, in Kubernetes environments, we relied on NGINX Ingress controllers to open TCP ports across reverse proxies/load balancers and were prevented from using other Ingress controllers or L7 load balancers provided by Cloud providers. For instance, in OpenShift environments, it is not even possible to expose TCP ports outside.

CloudBees CI now supports connecting any Master to operations center using WebSockets. Connecting masters using WebSockets can be enabled by selecting a checkbox in the Master configuration. No special network configuration is needed, since the regular HTTP(S) port proxied by the CloudBees CI Ingress is used for all communications.

CloudBees Plugin Usage Analyzer plugin

CloudBees now offers an improved and upgraded way to help track the usage of your installed plugins. The new CloudBees Plugin Usage Analyzer plugin helps CloudBees CI Administrators get a holistic view of plugin usage across both FreeStyle and Pipeline jobs in an easy-to-consume way. Users can also download the report and export the raw data for further processing as they need.

For more information, see How to determine if a plugin is in use

Feature enhancements

Standardized error handling for CasC (CTR-2592)

CloudBees has standardized CasC bundle failures/errors in two ways: making errors occur as soon as possible and fail hard so the user cannot get further into the process only to discover errors later. These updates alleviate confusion and save users time by limiting their need to debug to understand what has gone wrong.

Now an action will fail quickly and definitively when a bundle is set but something is invalid in the following ways:

  • When the link file does not exists.

  • When the plugins.yaml content is not valid.

  • When the plugin-catalog.yaml is not valid or there are some issues applying the plugin catalog described in the yaml file.

Beekeeper Plugin Exceptions are now generally available (GA) (FNDJEN-3069)

For information about this feature, see Beekeeper plugin exceptions.

Dependency updates

The following dependency updates are included with this release:

  • Update minimum required Jenkins version to the latest LTS (2.263.1) (CTR-2577)

  • CloudBees Role-Based Access Control Plugin(nectar-rbac) dependency upgraded to version 5.49 (CTR-2752)

  • The CloudBees License plugin is now compatible with jQuery 3.5.x. (CTR-2602)

Update welcome screen UI - Implementation (FNDJEN-2242)

The Jenkins Welcome screen has been updated.

Users with the Overall/Manage permission can now restart and safe restart Jenkins (CTR-2527)

Some configurations that can be set with Configuration as Code for masters may require a restart of Jenkins or are quicker when using a restart. A user with the Overall/Manage permission can now restart Jenkins.

Resolved issues

Build widget broken when a user has Read permission on a running Pipeline but not its parents (NGPIPELINE-1546)

Users with Read permission on a running Pipeline but only Discover permission on one of its parents' folders were unable to view the main Jenkins dashboard due to errors in the build widget.

The build widget now operates correctly when users have Read access to a Pipeline but not its parents.

Fix for SECO-757 Jenkins log flooded with SSE gateway plugin-related warnings, which increase memory usage (NGPIPELINE-1507)

With Jenkins deployed on Tomcat, if BlueOcean users close tabs abruptly some internal queues can increase the number of Pipelines thereby generating a lot of events.

The default values of some timeouts now handle exceptions and clear queues more quickly.

Remove jQuery and upgrade frontend toolchain on cloudbees-workflow-ui-plugin (NGPIPELINE-1432)

CloudBees Pipeline Stage View Extensions bundled an outdated version of jQuery, and the dialog for deleting or resuming checkpoints had broken styles when running against Jenkins 2.249 or newer.

CloudBees Pipeline Stage View Extensions no longer bundles jQuery, and the styles of the dialog for deleting or resuming checkpoints now work correctly on all versions of Jenkins.

Performance slowdown when credentials cache file gets large (CTR-788)

A new cache implementation is now in OperationsCenterCredentialsProvider to avoid credentials duplication. The cache also periodically cleans out all entries with no updates/access in the last 48 hours.

Clarify that shared configuration is available to all master types (CTR-2583)

With this fix, the description of the Miscellaneous Configuration Container in operations center indicates that it applies to all masters types, not just Client Masters.

The restore of a backup fails with a digest check error when using Azure Storage (CTR-916)

There was an issue in backup creation when using Azure Storage that caused the backup to be created in Azure without the required digest metadata. Because the backup was created without the required digest metadata, restoring the backup would fail, as there was no digest to check integrity against it.

With this fix, the digest metadata is properly attached to the backup file and then used during the restore process.

The inline help referenced HUDSON_HOME (CTR-2702)

The inline help now references JENKINS_HOME as expected.

Form changes: promoted-builds plugin breaks with tables-to-divs changes (FNDJEN-2775)

No user-facing changes. Internal changes fixing compatibility issues of the plugin with the changes on the layout of the forms of the next LTS.

Known issues

Instances using CloudBees Plugin Usage Plugin version 2.0 experience a long start-up time (FNDJEN-3377)

When using CloudBees Plugin Usage Plugin version 2.0 and the controller restarts, the web UI may display the “Please wait while Jenkins is getting ready to work” message for an unusually long period of time. After the instance is started up, the start-up performance logs show that the {{AnalyzerWork.initialize}} had taken a long time. + The loading of the previous plugin usage report file {{analysis.json}} takes too long. CloudBees will fix this issue in an upcoming release. See this knowledge base article CloudBees Plugin Usage Plugin 2.0 slows down Controller Start Up for immediate steps to remedy the issue until the fix is available.


Upgrade notes

CloudBees High Availability plugin

CloudBees has upgraded the JGroups dependency for the CloudBees High Availability plugin, which means instances with JGroups customized through the GUI fail to start and existing jgroups.xml files may no longer be compatible.

Users with instances using the CloudBees High Availability plugin with JGroups customized through the GUI (under Manage Jenkins > Configure System > High Availability Configuration) must be updated to or higher.

Users with instances that have a customized jgroups.xml file in $JENKINS_HOME must update it manually (or switch to using our defaults). See Upgrade guide for instances running High Availability previous to for more information on customizing the configuration.

If upgrading from a rolling release older than, customers may experience technical difficulties. CloudBees ensures compatibility only between supported versions of the product and recommends upgrading early and often to avoid these difficulties. If you are having difficulties upgrading, contact CloudBees Support for assistance.

snakeyaml:1.10 dependency removed (CTR-2511)

The snakeyaml:1.10 library contains a known security vulnerability. With this change we are removing the dependency on that library.

By removing the Snakeyaml dependency we are also removing old migration code, which means updates from versions of this plugin older than 1.1.0 (3 years old) will require a multi-step upgrade.

The multi-step upgrade involves two steps:

  1. Update to a version previous to this one.

  2. Update to this version.

    If users skip a step in the multi-step process, they could incur data loss.

CloudBees Role-Based Access Control Plugin

With this upgrade, for security reasons, we are disabling the ability to configure RBAC groups and role filters at the views level.

See CloudBees Role-Based Access Control Plugin 5.42 for more information about the security vulnerability.

This change means that any previous groups or role filters created in a view will not be applied and you will not be able to configure them.

This update only affects the views themselves, not the items within them. Previous permissions applied to the items are still enforced.

If you were filtering roles on views before this upgrade, these filters will no longer work, so your users may have a more permissive permission scheme on the views.

CloudBees recommends running this script in your script console to determine if you have a configuration on your instance that will be affected by this change.

If you do have a configuration that will be affected by this change, you have two options:

  1. (CloudBees recommended approach) Recreate each view inside a folder and apply the RBAC configuration to the folder. The folder RBAC configuration is propagated to the view since it is inside the folder.

  2. Enable RBAC configuration on views by setting the system property nectar.plugins.rbac.groups.ViewProxyGroupContainer=true.

    This approach is not recommended for security reasons.