Task
Resolution: Unresolved
Major
None
Currently commons-digester 2.1 is triggering some security alerts on the scanner.
Digester is not used in core but is exposed to some plugins, which use it.
With the help of https://github.com/jenkins-infra/usage-in-plugins we found the class used by the following plugins:
- https://github.com/jenkinsci/BlameSubversion-plugin (last activity 8 years ago...)
- https://github.com/jenkinsci/clearcase-ucm-plugin (last activity 5 years ago...)
- https://github.com/jenkinsci/cmvc-plugin (last activity 9 years ago)
- https://github.com/jenkinsci/config-rotator-plugin (last activity 4 years ago)
- https://github.com/jenkinsci/cvs-plugin (I didn't know this was still used; only used in a test class and using only the wrapper, so no impact) (PR: https://github.com/jenkinsci/cvs-plugin/pull/55)
- https://plugins.jenkins.io/dimensionsscm/ (only using the wrapper, so no impact) (PR: https://github.com/jenkinsci/dimensionsscm-plugin/pull/15)
- https://plugins.jenkins.io/genexus/ (only using the wrapper, so no impact)
- https://github.com/jenkinsci/maven-info-plugin (last release 7 years ago, easy change)
- https://plugins.jenkins.io/plasticscm-mergebot/ (imports the previous Digester package, so needs a package change, but an easy change) (PR: https://github.com/jenkinsci/plasticscm-mergebot-plugin/pull/2)
- https://plugins.jenkins.io/plasticscm-plugin/ (imports the previous Digester package, so needs a package change, but an easy change) (PR: https://github.com/jenkinsci/plasticscm-plugin/pull/40)
- https://plugins.jenkins.io/subversion/ (imports the previous Digester package, so needs a package change, but an easy change) (PR: https://github.com/jenkinsci/subversion-plugin/pull/254)
- https://github.com/jenkinsci/synergy_scm-plugin (last activity 6 years ago) (PR: https://github.com/jenkinsci/synergy_scm-plugin/pull/17)
- https://github.com/jenkinsci/teamconcert-plugin (only using the wrapper, so no impact) (PR: https://github.com/jenkinsci/teamconcert-plugin/pull/20)
- https://plugins.jenkins.io/zos-connector/ (imports the previous Digester package, so needs a package change, but an easy change) (PR: https://github.com/jenkinsci/zos-connector-plugin/pull/12)
A draft PR has been opened here for discussion: https://github.com/jenkinsci/jenkins/pull/5320
I would personally remove it from core and make some PRs on the plugins using it (except very old plugins that are no longer maintained).
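To make the "package change" listed for several plugins above concrete, here is an added example of a small Digester rule set with the import line switched. This is not code from the ticket, from Jenkins core, or from any of the plugins listed; it assumes the replacement package is `org.apache.commons.digester3` (the ticket does not name it), and the `Log`/`Entry` beans and the XML sample are constructed for the example. It also shows the parser features a plugin should set before feeding Digester XML from an SCM or other external source, which is the part a reviewer of such a migration PR would check for.

```java
// Added example, not from the ticket or any Jenkins plugin. The only line that
// changes between the two Digester generations is the import below.
//
// Before (commons-digester 2.x, the package the ticket calls "previous"):
//   import org.apache.commons.digester.Digester;
// After (ASSUMPTION: commons-digester3 is the replacement; the ticket does not say):
import org.apache.commons.digester3.Digester;

import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;

public class DigesterMigrationExample {

    /** Bean populated by the rules below; constructed for this example. */
    public static class Entry {
        private String path;
        private String revision;
        public void setPath(String path) { this.path = path; }
        public void setRevision(String revision) { this.revision = revision; }
        public String getPath() { return path; }
        public String getRevision() { return revision; }
    }

    /** Root bean; constructed for this example. */
    public static class Log {
        private final List<Entry> entries = new ArrayList<>();
        public void addEntry(Entry e) { entries.add(e); }
        public List<Entry> getEntries() { return entries; }
    }

    // Constructed sample input shaped like an SCM changelog; not real data.
    static final String SAMPLE_XML =
        "<log><entry path=\"src/Main.java\" revision=\"42\"/>"
      + "<entry path=\"README\" revision=\"43\"/></log>";

    public static Log parse(String xml) throws Exception {
        Digester digester = new Digester();

        // Digester hands the document to a JAXP SAX parser. When the XML comes
        // from outside the controller, refuse DOCTYPE declarations and external
        // entities before parsing; these are the standard Xerces/SAX feature URIs
        // and setFeature() exists in both the 2.x and the digester3 API.
        digester.setValidating(false);
        digester.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        digester.setFeature("http://xml.org/sax/features/external-general-entities", false);
        digester.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

        // The rule API is identical in both packages, so the migration is the import line.
        digester.addObjectCreate("log", Log.class);
        digester.addObjectCreate("log/entry", Entry.class);
        digester.addSetProperties("log/entry");     // path="..." / revision="..." -> setters
        digester.addSetNext("log/entry", "addEntry");

        // digester3 parse() is generic; the 2.x version returned Object and needed a cast.
        return digester.parse(new StringReader(xml));
    }

    public static void main(String[] args) throws Exception {
        Log log = parse(SAMPLE_XML);
        for (Entry e : log.getEntries()) {
            System.out.println(e.getPath() + " @ r" + e.getRevision());
        }
    }
}
```

Running it prints the two constructed entries; feeding it a document with a `<!DOCTYPE ...>` declaration makes `parse()` throw a `SAXParseException` instead of resolving anything, which is the behaviour to keep when a plugin stops relying on core's wrapper and configures its own parser.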
No objections from me. All plugins are either barely used or easily patchable.