JENKINS-28687: spring version (2.5.x) is ancient and not compatible with many new libraries


      Description

      The Spring version 2.5 used in core is very old, and this makes it problematic when trying to integrate Jenkins with another component, or integrating components within Jenkins, as most things have moved way past 2.5 to 4.x.

      Note - this may also require an upgrade of groovy.

            Activity

            Daniel Beck added a comment -

            Actually, you didn't explain they were false positives

            I didn't use this term, true. Still, quoting my previous response:

            crypto-util is a library by the Jenkins project. The CVE points to Erlang Open Telecom Platform and is pretty obviously unrelated

            and

            "SpringSource Spring Framework 2.5.x before 2.5.6.SEC02…" (and you can stop reading right there)

            and

            the class was introduced in Spring 3.0.


            You deflected and said it wasn't your problem. … It's clearly out of date. Rather than attacking the requestor, could you address the request?

            The outdated component is clearly a problem. It is however not a problem in the way you brought up – having these security vulnerabilities. I'm not attacking you, I point out that what you wrote specifically doesn't look like a problem.

            As far as I'm concerned (and since you keep bringing up my employer in an unrelated issue tracker, I'm not speaking on behalf of CloudBees), it's simply a matter of effort to benefit. It's almost certain that many plugins will break and require adaptation. And "not getting false positive security scanner findings" isn't the kind of benefit I would want to see for months of effort. In fact, if the issue description is correct and we'd have to update Groovy, it would almost certainly introduce new security vulnerabilities (via Script Security).

            Jake Remitz added a comment -

            drats, should have had more coffee... EVERYONE has a cloudbees id. facepalm - sorry for the obvious confusion on my part.

            I never really expected this to be a quick thing, just hoping it would be fuel for the fire. I read the initial response as "deal with it" instead of something constructive. The issue is nearly 5 years old and it's still relevant (needing updates). So despite the months of effort, it's probably worth it to stay modern and supported across the board with various dependencies. Tech debt is just going to keep piling on. Oh well, I suppose. Anyways... thanks for the insight. I'm not disagreeing with any of the above, but I'm hoping the initial response doesn't distract from the goal that there are underlying implications for not maintaining the framework. This is just one, however small.

            James Nord added a comment -

            so I guess we can close this now Jesse Glick

            James Nord added a comment -

            https://www.jenkins.io/blog/2020/11/10/spring-xstream/

            Jesse Glick added a comment -

            Yup, never saw this one.


              People

              Assignee: Unassigned
              Reporter: James Nord
              Votes: 5
              Watchers: 8