Type: Task
Resolution: Unresolved
Priority: Major
Currently commons-digester 2.1 is triggering some security alerts on the scanner.
Digester is not used in core but is exposed to some plugins, which use it.
With the help of https://github.com/jenkins-infra/usage-in-plugins we found the following plugins using the class:
- https://github.com/jenkinsci/BlameSubversion-plugin (last activity 8 years ago...)
- https://github.com/jenkinsci/clearcase-ucm-plugin (last activity 5 years ago...)
- https://github.com/jenkinsci/cmvc-plugin (last activity 9 years ago)
- https://github.com/jenkinsci/config-rotator-plugin (last activity 4 years ago)
- https://github.com/jenkinsci/cvs-plugin (I didn't know this was still used; it is only used in a test class and only through the wrapper, so no impact) (PR: https://github.com/jenkinsci/cvs-plugin/pull/55)
- https://plugins.jenkins.io/dimensionsscm/ (only using the wrapper, so no impact) (PR: https://github.com/jenkinsci/dimensionsscm-plugin/pull/15)
- https://plugins.jenkins.io/genexus/ (only using the wrapper, so no impact)
- https://github.com/jenkinsci/maven-info-plugin (last release 7 years ago, easy change)
- https://plugins.jenkins.io/plasticscm-mergebot/ (imports the previous Digester package, so it needs a package change, but an easy one) (PR: https://github.com/jenkinsci/plasticscm-mergebot-plugin/pull/2)
- https://plugins.jenkins.io/plasticscm-plugin/ (imports the previous Digester package, so it needs a package change, but an easy one) (PR: https://github.com/jenkinsci/plasticscm-plugin/pull/40)
- https://plugins.jenkins.io/subversion/ (imports the previous Digester package, so it needs a package change, but an easy one) (PR: https://github.com/jenkinsci/subversion-plugin/pull/254)
- https://github.com/jenkinsci/synergy_scm-plugin (last activity 6 years ago) (PR: https://github.com/jenkinsci/synergy_scm-plugin/pull/17)
- https://github.com/jenkinsci/teamconcert-plugin (only using the wrapper, so no impact) (PR: https://github.com/jenkinsci/teamconcert-plugin/pull/20)
- https://plugins.jenkins.io/zos-connector/ (imports the previous Digester package, so it needs a package change, but an easy one) (PR: https://github.com/jenkinsci/zos-connector-plugin/pull/12)
A draft PR has been opened here for discussion: https://github.com/jenkinsci/jenkins/pull/5320
I would personally remove it from core and make some PRs on the plugins using it (except very old plugins that are not maintained anymore).