Merge branch 'release/v2.452.4-1' into main

CHANGELOG.md

@@ -6,6 +6,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [v2.452.4-1] - 2024-08-26
+### Changed
+- Upgrade Jenkins to 2.452.4
+- Use OpenJDK 17 as default JVM (#161)
+  - Update docs for "Building with custom OpenJDK versions"
+
+### Removed
+- OpenJDK 8 is no longer supported on jenkins controller node - please use dedicated agents to build legacy projects
+
+### Security
+- Fix CVE-2024-43044
+
 ## [v2.452.2-2] - 2024-08-15
 ### Changed
 - [#166] Upgrade OpenJDK to 11.0.24-1

Dockerfile

@@ -1,8 +1,8 @@
 # cesi/scm
-FROM registry.cloudogu.com/official/java:11.0.24-1
+FROM registry.cloudogu.com/official/java:17.0.12-1
 
 LABEL NAME="official/jenkins" \
-      VERSION="2.452.2-2" \
+      VERSION="2.452.4-1" \
       maintainer="[email protected]"
 
     # jenkins home configuration
@@ -12,15 +12,15 @@ ENV JENKINS_HOME=/var/lib/jenkins \
     # mark as webapp for nginx
     SERVICE_TAGS=webapp \
     # jenkins version
-    JENKINS_VERSION=2.452.2 \
-    SHA256_JENKINS_WAR="360efc8438db9a4ba20772981d4257cfe6837bf0c3fb8c8e9b2253d8ce6ba339" \
+    JENKINS_VERSION=2.452.4 \
+    SHA256_JENKINS_WAR="eddec1d771e04b009a7027facd02bb79762057b9a393c09ad62509e234a91ae9" \
     # glibc for alpine version
     GLIBC_VERSION=2.35-r1 \
     SHA256_GLIB_APK="276f43ce9b2d5878422bca94ca94e882a7eb263abe171d233ac037201ffcaf06" \
     SHA256_GLIB_BIN_APK="ee13b7e482f92142d2bec7c4cf09ca908e6913d4782fa35691cad1d9c23f179a" \
     SHA256_GLIB_I18N_APK="94c6f9ed13903b59d5c524c0c2ec9a24ef1a4c2aaa93a8a158465a9e819a8065" \
     # additional java version for legacy builds
-    ADDITIONAL_OPENJDK8_VERSION="8.402.06-r0"
+    ADDITIONAL_OPENJDK11_VERSION="11.0.24_p8-r0"
 
 
 # Jenkins is ran with user `jenkins`, uid = 1000
@@ -37,7 +37,7 @@ RUN set -o errexit \
  # coreutils and ttf-dejavu is required because of java.awt.headless problem:
  # - https://wiki.jenkins.io/display/JENKINS/Jenkins+got+java.awt.headless+problem
  && apk add --no-cache coreutils ttf-dejavu openssh-client git subversion mercurial curl gcompat \
- && apk add openjdk8="$ADDITIONAL_OPENJDK8_VERSION" \
+ && apk add openjdk11="$ADDITIONAL_OPENJDK11_VERSION" \
  # could use ADD but this one does not check Last-Modified header
  # see https://github.com/docker/docker/issues/8331
  && curl -L https://mirrors.jenkins-ci.org/war-stable/${JENKINS_VERSION}/jenkins.war -o /jenkins.war \

docs/development/plugin_compatibility_de.md

@@ -0,0 +1,22 @@
+# Plugin-Kompatibilitätsliste
+
+Diese Liste dient der Dokumentation der Kompatibilität der einzelnen Plugins, die derzeit in Jenkins verwendet werden.
+
+## Mit Dogu installierte Plugins
+
+| Plugin                            | Version              | Aktiviert | Getestet mit JDK 11 | Getestet mit JDK 17 | Getestet mit JDK 21 | Funktional getestet |
+|-----------------------------------|----------------------|-----------|---------------------|---------------------|---------------------|---------------------|
+| Mailer Plugin                     | 472.vf7c289a_4b_420  | j         | j                   | j                   | j                   | n                   |
+| CAS Plugin                        | 1.6.3                | j         | n                   | n                   | n                   | j                   |
+| Git                               | 5.2.1                | j         | n                   | j                   | j                   | n                   |
+| Mercurial                         | 1260.vdfb_723cdcc81  | j         | n                   | n                   | n                   | j                   |
+| Subversion                        | 1256.vee91953217b_6  | j         | n                   | j                   | j                   | n                   |
+| SCM Manager                       | 1.9.3                | j         | j                   | j                   | n                   | n                   |
+| Pipeline (Workflow Aggregator)    | 596.v8c21c963d92d    | j         | n                   | j                   | j                   | n                   |
+| Matrix Auth                       | 3.2.2                | j         | n                   | j                   | j                   | n                   |
+| Maven Plugin                      | 3.23                 | j         | n                   | j                   | n                   | n                   |
+| Credentials Binding Plugin        | 657.v2b_19db_7d6e6d  | j         | n                   | j                   | n                   | n                   |
+| SSH Build Agents plugin           | 2.948.vb_8050d697fec | j         | n                   | j                   | j                   | n                   |
+| Pipeline: GitHub Groovy Libraries | 42.v0739460cda_c4    | j         | n                   | n                   | j                   | n                   |
+| Authorize Project                 | 1.7.1                | j         | n                   | j                   | j                   | n                   |
+| Pipeline: Stage View Plugin       | 2.34                 | j         | n                   | n                   | j                   | n                   |

docs/development/plugin_compatibility_en.md

@@ -0,0 +1,22 @@
+# Plugin compatibility list
+
+This list serves as documentation of the compatibility of individual plugins that are currently used in Jenkins.
+
+## Plugins installed with Dogu
+
+| Plugin                            | Version              | Enabled | Test JDK 11 | Test JDK 17 | Test JDK 21 | Test Functional |
+|-----------------------------------|----------------------|---------|-------------|-------------|-------------|-----------------|
+| Mailer Plugin                     | 472.vf7c289a_4b_420  | y       | y           | y           | y           | n               |
+| CAS Plugin                        | 1.6.3                | y       | n           | n           | n           | y               |
+| Git                               | 5.2.1                | y       | n           | y           | y           | n               |
+| Mercurial                         | 1260.vdfb_723cdcc81  | y       | n           | n           | n           | y               |
+| Subversion                        | 1256.vee91953217b_6  | y       | n           | y           | y           | n               |
+| SCM Manager                       | 1.9.3                | y       | y           | y           | n           | n               |
+| Pipeline (Workflow Aggregator)    | 596.v8c21c963d92d    | y       | n           | y           | y           | n               |
+| Matrix Auth                       | 3.2.2                | y       | n           | y           | y           | n               |
+| Maven Plugin                      | 3.23                 | y       | n           | y           | n           | n               |
+| Credentials Binding Plugin        | 657.v2b_19db_7d6e6d  | y       | n           | y           | n           | n               |
+| SSH Build Agents plugin           | 2.948.vb_8050d697fec | y       | n           | y           | y           | n               |
+| Pipeline: GitHub Groovy Libraries | 42.v0739460cda_c4    | y       | n           | n           | y           | n               |
+| Authorize Project                 | 1.7.1                | y       | n           | y           | y           | n               |
+| Pipeline: Stage View Plugin       | 2.34                 | y       | n           | n           | y           | n               |

docs/development/upgrade_guide_de.md

@@ -0,0 +1,5 @@
+# Basis-Image aktualisieren
+
+Wenn das Basis-Image aktualisiert werden muss und sich die Java-Version ändert, benötigt Jenkins immer noch die vorherige openjdk-Version
+um Legacy-Builds zu unterstützen. Laden Sie die alte openjdk-Version mit `apk add openjdk<major version>=<version>` in
+der Dockerdatei herunter und erweitern Sie die Version im openjdk-Installationsgroovy-Skript `init100NORMjdkautoinstall.groovy`.

docs/gui/release_notes_de.md

@@ -4,6 +4,15 @@ Im Folgenden finden Sie die Release Notes für das Jenkins-Dogu.
 
 Technische Details zu einem Release finden Sie im zugehörigen [Changelog](https://docs.cloudogu.com/de/docs/dogus/jenkins/CHANGELOG/).
 
+## Release 2.452.4-1
+* Das Dogu bietet nun die Jenkins-Version 2.452.4 an. Die Release Notes von Jenkins finden Sie [hier](https://www.jenkins.io/changelog-stable/2.452.4/).
+* Die Standard JVM im Jenkins ist nun JDK17. JDK11 wird weiterhin unterstützt, mehr Informationen finden Sie [hier](https://docs.cloudogu.com/de/docs/dogus/jenkins/operations/Building_with_custom_Java/).
+* Der CVE [CVE-2024-43044](https://nvd.nist.gov/vuln/detail/CVE-2024-43044) wird mit dem Update behoben.
+
+### Breaking Changes
+* Durch das Upgrade auf JDK17 müssen die Build Nodes (Agents) ebenfalls auf JDK17 geupdated werden. Weitere Informationen finden Sie [hier](https://www.jenkins.io/doc/book/platform-information/upgrade-java-to-17/#jvm-version-on-agents).
+* JDK8 wird vom Jenkins Dogu nicht mehr unterstützt. Hierdurch können keine Projekte mehr mit Java-Version 8 auf dem Jenkins Dogu selbst gebaut werden. Bitte verwenden Sie dedizierte Build Nodes (Agents) falls Sie Java-Version 8 weiterhin nutzen wollen.
+
 ## Release 2.452.2-2
 * Behebung von kritischem CVE-2024-41110 in Bibliotheksabhängigkeiten. Diese Schwachstelle konnte jedoch nicht aktiv ausgenutzt werden.
 

docs/gui/release_notes_en.md

@@ -4,6 +4,15 @@ Below you will find the release notes for the Jenkins Dogu.
 
 Technical details on a release can be found in the corresponding [Changelog](https://docs.cloudogu.com/en/docs/dogus/jenkins/CHANGELOG/).
 
+## Release 2.452.4-1
+* The Dogu now provides the Jenkins version 2.452.4. You can find the Jenkins release notes [here](https://www.jenkins.io/changelog-stable/2.452.4/).
+* The default JVM in Jenkins is now JDK17. JDK8 and JDK11 are still supported, for more information see [here](https://docs.cloudogu.com/en/docs/dogus/jenkins/operations/Building_with_custom_Java/).
+* The CVE [CVE-2024-43044](https://nvd.nist.gov/vuln/detail/CVE-2024-43044) will be fixed with this update.
+
+### Breaking Changes
+* By upgrading to JDK17, the build nodes (agents) must also be updated to JDK17. Further information can be found [here](https://www.jenkins.io/doc/book/platform-information/upgrade-java-to-17/#jvm-version-on-agents).
+* JDK8 is no longer supported by the Jenkins Dogu. This means that projects with Java version 8 can no longer be built on the Jenkins Dogu itself. Please use dedicated build nodes (agents) if you want to continue using Java version 8.
+
 ## Release 2.452.2-2
 * Fix of critical CVE-2024-41110 in library dependencies. This vulnerability could not be actively exploited, though.
 

docs/operations/Building_with_custom_Java_de.md

@@ -4,15 +4,15 @@ title: "Bauen mit speziellen OpenJDK-Versionen"
 
 # Bauen mit speziellen OpenJDK-Versionen
 
-Seit Jenkins Dogu Version 2.361.1 ist die Standard-OpenJDK-Version 11 oder 17. Wenn Sie weiterhin ältere OpenJDK z.B. 8 oder 11 für Ihre Builds verwenden möchten, gehen Sie wie folgt vor.
+Seit dem Jenkins Dogu in Version 2.361.1 ist die Standard-OpenJDK-Version 11 oder 17. Wenn Sie weiterhin ältere OpenJDK-Versionen z.B. 11 für Ihre Builds verwenden möchten, gehen Sie wie folgt vor.
 
 ## Projekt-Builds
 
-In Standard-Java-Build-Projekten können Sie das JDK einfach über die Projektkonfiguration in Jenkins ändern; wählen Sie einfach "OpenJDK-8" oder "OpenJDK-11" in der Kategorie "JDK".
+Für Standard-Java-Build-Projekte können Sie das JDK einfach über die Projektkonfiguration in Jenkins ändern. Wählen Sie hierfürch einfach "OpenJDK-11" in der Kategorie "JDK".
 
 ## Pipeline-Builds
 
-Bei Pipeline-Builds müssen Sie Ihr Pipeline-Skript anpassen, um OpenJDK 8 oder 11 zu verwenden.
+Bei Pipeline-Builds müssen Sie Ihr Pipeline-Skript anpassen, um 11 zu verwenden.
 
 ### Deklarative Syntax
 
@@ -22,7 +22,7 @@ Beispiel
 ```
 stage("Java-Version abrufen"){
   tools {
-    jdk "OpenJDK-8"
+    jdk "OpenJDK-11"
   }
   steps{
     sh 'java -version'
@@ -37,7 +37,7 @@ verwenden, zum Beispiel:
 
 ```
 stage("Java-Version holen")
-  def java_home = tool 'OpenJDK-8'
+  def java_home = tool 'OpenJDK-11'
   steps{
     sh "'${java_home}/bin/java' -version"
   }
@@ -49,7 +49,7 @@ Sie haben auch die Möglichkeit, Docker für Ihre Builds zu verwenden, zum Beisp
 
 ```
 agent {
-  docker { image 'openjdk:8-jdk' }
+  docker { image 'openjdk:11-jdk' }
 }
 steps {
   sh 'java -version'
@@ -58,10 +58,10 @@ steps {
 
 ## Maven-Builds
 
-Um OpenJDK 8 in Ihren Maven-Builds zu verwenden, initialisieren Sie es auf folgende Weise:
+Um OpenJDK 11 in Ihren Maven-Builds zu verwenden, initialisieren Sie es auf folgende Weise:
 
 ```
-def javaHome = tool 'OpenJDK-8'
+def javaHome = tool 'OpenJDK-11'
 Maven mvn = new MavenWrapper(this, javaHome)
 ```
 
@@ -71,15 +71,15 @@ Unter Verwendung der [ces-build-lib](https://github.com/cloudogu/ces-build-lib)
 Docker bauen:
 
 ```
-Maven mvn = new MavenInDocker(this, "3.5.0-jdk-8")
+Maven mvn = new MavenInDocker(this, "3.5.4-jdk-11")
 mvn ...
 ```
 
 oder
 
 ```
 Maven mvn = new MavenWrapper(this)
-new Docker(this).image('openjdk:8-jdk').mountJenkinsUser().inside{
+new Docker(this).image('openjdk:11-jdk').mountJenkinsUser().inside{
   mvn ...
 }
 ```

docs/operations/Building_with_custom_Java_en.md

@@ -4,15 +4,14 @@ title: "Building with custom OpenJDK versions"
 
 # Building with custom OpenJDK versions
 
-Since Jenkins Dogu version 2.361.1, the default OpenJDK version is 11 or 17. If you still want to use older OpenJDK e.g. 8 or 11 for your builds do the following.
+Since Jenkins Dogu version 2.361.1, the default OpenJDK version is 11 or 17. If you still want to use older OpenJDK version e.g. 11 for your builds do the following.
 
 ## Project builds
 
-In standard Java build projects, you can easily change the JDK via the project configuration in Jenkins; select "OpenJDK-8" or "OpenJDK-11" in the "JDK" category.
-
+For standard Java build projects, you can easily change the JDK via the project configuration in Jenkins. To do this, simply select "OpenJDK-11" in the "JDK" category.
 ## Pipeline builds
 
-Pipeline builds require you to customize your pipeline script to use OpenJDK 8 or 11.
+Pipeline builds require you to customize your pipeline script to use OpenJDK 11.
 
 ### Declarative syntax
 
@@ -22,7 +21,7 @@ For example:
 ```
 stage("Get Java version"){
   tools {
-    jdk "OpenJDK-8"
+    jdk "OpenJDK-11"
   }
   steps{
     sh 'java -version'
@@ -37,7 +36,7 @@ For example:
 
 ```
 stage("Get Java version")
-  def java_home = tool 'OpenJDK-8'
+  def java_home = tool 'OpenJDK-11'
   steps{
     sh "'${java_home}/bin/java' -version"
   }
@@ -49,7 +48,7 @@ You also have the option to use Docker for your builds, for example:
 
 ```
 agent {
-  docker { image 'openjdk:8-jdk' }
+  docker { image 'openjdk:11-jdk' }
 }
 steps {
   sh 'java -version'
@@ -58,10 +57,10 @@ steps {
 
 ## Maven builds
 
-To use OpenJDK 8 in your Maven builds, initialize it in the following way:
+To use OpenJDK 11 in your Maven builds, initialize it in the following way:
 
 ```
-def javaHome = tool 'OpenJDK-8'
+def javaHome = tool 'OpenJDK-11'
 Maven mvn = new MavenWrapper(this, javaHome)
 ```
 
@@ -70,15 +69,15 @@ Maven mvn = new MavenWrapper(this, javaHome)
 Using the [ces-build-lib](https://github.com/cloudogu/ces-build-lib), you can easily build your Maven project in Docker:
 
 ```
-Maven mvn = new MavenInDocker(this, "3.5.0-jdk-8")
+Maven mvn = new MavenInDocker(this, "3.5.4-jdk-11")
 mvn ...
 ```
 
 or
 
 ```
 Maven mvn = new MavenWrapper(this)
-new Docker(this).image('openjdk:8-jdk').mountJenkinsUser().inside{
+new Docker(this).image('openjdk:11-jdk').mountJenkinsUser().inside{
   mvn ...
 }
 ```

dogu.json

@@ -1,6 +1,6 @@
 {
   "Name": "official/jenkins",
-  "Version": "2.452.2-2",
+  "Version": "2.452.4-1",
   "DisplayName": "Jenkins CI",
   "Description": "Jenkins Continuous Integration Server",
   "Category": "Development Apps",

resources/upgrade-notification.sh

@@ -32,3 +32,10 @@ if [ "2.249.3-1" == "$(printf "%s\\n2.249.3-1" "${TO_VERSION}" | sort | head -n1
    printf "\nYou are upgrading the Jenkins dogu to version 2.249.3-1 or higher. DO NOT change the CES global admin group at the same time!"
    printf "\nIf you have changed the global admin group (via /config/_global/admin_group etcd key), restart the Jenkins dogu before upgrading it!"
 fi
+
+# print upgrade notice for jenkins based on java 17
+if [ "2.440.3-1" == "$(printf "%s\\n2.440.3-1" "${TO_VERSION}" | sort | head -n1)" ] && [ "2.440.3-1" != "$(printf "%s\\n2.440.3-1" "${FROM_VERSION}" | sort | head -n1)" ]; then
+   printf "\nYou are upgrading the Jenkins dogu to version 2.440.3-1 or higher. There have been changes to the installed jdk version. \\nSince 2.440.3-1, Jenkins is based on OpenJDK version 17. \nLegacy builds using the internal jdk of Jenkins must switch to the configured jdk \"OpenJDK-11\"."
+   printf "\nBe aware that the JVM on all agents must be updated to Java 17 as well."
+   printf "\nFor more information see %s \n\n" "https://www.jenkins.io/doc/book/platform-information/upgrade-java-to-17/#jvm-version-on-agents"
+fi

resources/var/tmp/resources/init.groovy.d/scripts/init030CRITinstallplugins.groovy

@@ -133,6 +133,8 @@ if (updateCenter.isRestartRequiredForCompletion()) {
     jenkins.restart();
 }
 
-if (!isVersionSufficient(currentCasPlugin, MINIMAL_CAS_PLUGIN_VERSION)) {
-    throw new Exception("Installed cas-plugin version " + currentCasPlugin.getVersion() + " is too old. It needs to be at least " + MINIMAL_CAS_PLUGIN_VERSION);
-}
+if (currentCasPlugin != null) {
+    if (!isVersionSufficient(currentCasPlugin, MINIMAL_CAS_PLUGIN_VERSION)) {
+        throw new Exception("Installed cas-plugin version " + currentCasPlugin.getVersion() + " is too old. It needs to be at least " + MINIMAL_CAS_PLUGIN_VERSION);
+    }
+}

resources/var/tmp/resources/init.groovy.d/scripts/init100NORMjdkautoinstall.groovy

@@ -10,10 +10,11 @@ print 'Starting JDK configuration\n'
 
 String JDK_8_NAME = 'OpenJDK-8'
 String JDK_11_NAME = 'OpenJDK-11'
+String JDK_17_NAME = 'OpenJDK-17'
 // add more jdk-entries to the map to install multiple jdks by default
-def requestedJDKVersions = [ (JDK_11_NAME): 'java-11-openjdk', (JDK_8_NAME): 'java-1.8-openjdk'];
+def requestedJDKVersions = [ (JDK_17_NAME): 'java-17-openjdk', (JDK_11_NAME): 'java-11-openjdk'];
 
-// the installations consists of all already installed jdks and all jdks definied in requestedJDKVersions
+// the installations consists of all already installed jdks and all jdks defined in requestedJDKVersions
 def installations = [];
 
 for (jdk in requestedJDKVersions) {
@@ -23,6 +24,7 @@ for (jdk in requestedJDKVersions) {
 }
 
 for (jdk in installedJDKs) {
+    print("Installed JDK configuration ${jdk.getName()}\n")
     // do not add requestedJDKVersions
     if (!(jdk.getName().equals(JDK_11_NAME)) && !(jdk.getName().equals(JDK_8_NAME))) {
         print("Keeping JDK configuration ${jdk.getName()}\n")

resources/var/tmp/resources/init.groovy.d/scripts/init140NORMconfigureLogLevels.groovy

@@ -10,7 +10,7 @@ static Map<String, String> getValuesFromEtcd(String key) {
         def json = new JsonSlurper().parseText(url.text);
         if (json.node.nodes == null) {
             println "no valid logging configuration found"
-            return Map.of();
+            return [:]
         }
         def logLevels = json.node.nodes.stream()
                 .filter({ node -> !node.key.isEmpty() && !parseLoggerName(node.key).isEmpty() && !node.value.isEmpty() })
@@ -19,7 +19,7 @@ static Map<String, String> getValuesFromEtcd(String key) {
     } catch (FileNotFoundException) {
         println "no valid logging configuration found"
     }
-    return Map.of();
+    return [:]
 }
 
 static String parseLoggerName(String registryPath) {