CloudBees Jenkins Platform 2.235.4.1

RELEASED: 2020-08-12

Based on Jenkins LTS2.235.4-cb-3

Rolling release

Security advisory

CloudBees Security Advisory 2020-08-12

This advisory announces vulnerabilities in Jenkins, CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees CI.

New features

Microsoft Teams Integration now available as a Preview (STICKY-505, -504, -503): CloudBees Microsoft Teams Integration sends team (channel) messages in Microsoft Teams, providing actionable information about build status and test results, including direct links to results and error details.

See Actionable build notifications in Microsoft Teams with CloudBees Microsoft Teams Integration for more information.

Feature enhancements

Bitbucket support in CloudBees Slack Integration plugin (STICKY-284, -538): The CloudBees Slack Integration plugin GUI, as well as configuration-as-code schema, referred to GitHub user IDs when in fact it could work with any Jenkins branch source plugin defining the author of a “change request”, such as Bitbucket.

The GUI text for this field now refers more generically to SCM IDs. For purposes of CasC the preferred field name is now scmId rather than github.

See Configuring CloudBees CI Slack Integration users for more information.
Enable AppManifest for GitHub Enterprise (STICKY-668): The wizard to create a new GitHub App was enabled on github.com, but not on GitHub Enterprise. The wizard did not work on GitHub Enterprise because of a 422 error code, which has been fixed in recent GitHub Enterprise releases (verified in 2.21.2).

The wizard is now enabled for both github.com and GitHub Enterprise, subject to other basic conditions.

See Enabling actionable build notifications in GitHub and Bitbucket - Enabling GitHub App authentication for more information.
Test results should mention positive results (STICKY-544): Test result summaries mentioned how many or (in some cases) which tests failed or were skipped, but neglected to give the context of which tests passed.

Messages now reflect tests that were failed, skipped, and passed.
Integrate with disply-url-api (STICKY-169): Links to build pages did not honor the Notification URL set in /me/configure.

These links now append display/redirect so as to show either the Classic or Blue Ocean view. More targeted links, such as test results, continue to go straight to Classic view.
CloudBees logo download for use from GitHub App wizard (STICKY-603): The wizard to create a new GitHub App advised you to set a logo, but did not offer a sample or give any guidance.

You are now suggested to use a CloudBees logo, which is offered for download. This is a 200×200 PNG with transparency suitable for the purpose.
Updates to EndBuildError markdown in SCM Reporting plugin (STICKY-461): The text displayed as the summary in the Checks tab for a failing Pipeline step was confusing.

This text has been reformatted.

The Docker Commons plugin and Configuration as Code (FNDJEN-2152): This plugin now supports Configuration as Code.
The CloudBees Docker Hub/Registry Notification plugin and Configuration as Code (FNDJEN-2153): This plugin now supports Configuration as Code.

Resolved issues

Enable Delete Token button when the Slack token becomes invalid (STICKY-619): If the configured Slack token was invalid, it was not possible to delete it, disconnecting from Slack. The Delete button was disabled.

With this fix, users can remove the both valid and invalid Slack tokens.
Broken docs link (STICKY-651): A link to documentation on the SCM Id field was broken.

We added the missing slash to the URL and the link now works.
Clear failing commit statuses from a previous build of the same commit (STICKY-251): If one build of a given commit reported some failing statuses, but a subsequent rebuild passed without reporting the same statuses, the commit (or whole pull request) could be left with stale failing statuses.

With this fix, at the end of a build, CloudBees will now supersede any stale statuses from previous builds of the same commit with a neutral notation.
Teams administration page displays only the first 100 Teams (CTR-2089): With this fix, the number of Teams displayed limit has been extended to 150. The Teams list in the Team switcher in Masters has been also extended to 150.

Security Realm idStrategy issue (CTR-1784): While the authorization strategy for the operations center was not case-sensitive for the username field, the Team Masters were case-sensitive and had to match exactly what was entered on the Team administration page used to add users. This meant that a user recorded in lower-case was able to sign on with upper-case letters to the operations center but was not recognized in the Team Master.

With this fix, Team Masters allow users to sign on with different character cases when using an authorization strategy that is not case sensitive for UserId or external GroupId.
ConnectedMaster ping thread is not implemented (CTR-2075): The ConnectedMaster ping thread is not implemented which meant that the operations center was not able to detect that a connection to a Master was broken.

With this fix, we implement the ping thread to identify and cleanup disconnected Masters.
RBAC: Empty group members are interpreted as anonymous (CTR-786): Modifying configuration XML files to specify a group with an empty member name was resulting in any anonymous users automatically considered members of that group.

With this fix, we now sanity check configuration files and filter out empty groups/roles.
Broken link to RBAC group propagated from operations center (CTR-56): On Client Masters with the Role-based access control (RBAC) Authentication Strategy enforced by operations center, the links to the member Groups on the Roles page were broken.

Now the are links direct the user to the Group configuration in operations center.
Move/Copy/Promote Copy with builds dropdown is not easily accessible (CTR-2158): Recent UI updates in Jenkins core caused the Copy with builds button dropdown to be less accessible, only appearing when users selected a small section of the button.

With this fix, we split the button in two separated buttons: Copy with builds and Copy without builds.
RBAC CLI command result in NOOP at master’s root (CTR-1439): When a Master is connected to operations center and the security realm is pushed from operations center, then RBAC groups and roles operations at Master root are not permitted, as those groups and roles come from operations center.

With this fix, RBAC groups and roles operations at Master root are still not permitted, but return a better message to the user indicating the situation.
RBAC Groups REST API fails when accessed from a connected Master item (CTR-535): When accessing OC_URL/jobs/[master_name]/groups/api/json an error is shown in the UI.

With this fix, the groups and roles created at item level are correctly returned by the HTTP API.
Accessing /groups page is slow when groups have lots of users or the database is slow (CTR-1530): The load time of the global Groups page was slow when a group had a large number of members.

With this fix, we reduced the amount of data retrieved to render this view.
Deadlock issue in com.cloudbees.opscenter.server.rbac (CTR-458): There was an issue with com.cloudbees.opscenter.server.rbac that produced a deadlock.

When there were a large amount of Masters with read permissions, an issue was occurring with the alerter of licensing issues that caused a deadlock. With this fix, the issue that was causing the deadlock is no longer a problem.
Thread contention in Agent page using custom probe command (CTR-2137): Using the CloudBees Nodes Plus plugin custom probe command in agents may have caused thread contention if the script required a lengthy amount of time running checks.

With this fix, CloudBees has fixed the thread contention issue so that queued threads block waiting for the result of the probe command, ending with all Jenkins dashboard rendering pages blocked.
Fix a memory leak on RBAC node containers (CTR-979): There was a memory leak when a high number of nodes were created and deleted (a common behavior when using clouds to provision ephemeral agents). Node objects were not properly collected by the JVM Garbage Collector.

With this fix, node objects are now stored in a cache with weak keys, so entries are properly garbage collected. Item listeners have been also added, so cache entries are invalidated when items are deleted in Jenkins.
Errors on startup: "The queue was not initialized, the action (enqueue or shutdown) will not take place." (FNDJEN-2037): The CloudBees Analytics Plugin populated the log when the initialization didn’t finish before sending an analytics message.

The message now is provided only once.
Link to CloudBees download in Beekeeper is broken (FNDJEN-2090): A broken link to the downloads page for our fixed line release products has been fixed.

Known issues

None.

Upgrade notes

End-of-life announcement

After assessing the viability of our supported plugins, CloudBees will no longer support the CloudBees Secure Copy Plugin after September 1, 2018.

This end-of-life announcement allows CloudBees to focus on driving new technology and product innovation as well as maintaining existing products that are actively used by customers.

After September 1, 2018 the plugin will lose functionality when upgraded. CloudBees recommends replacing it with Cluster-wide copy artifacts.

For more information regarding this end-of-life announcement, please contact your Customer Success Manager.

Jenkins 2.235 upgrade notes