• Type: Task
    • Resolution: Unresolved
    • Priority: Major
    • core
    • None

      Currently commons-digester 2.1 is triggering some security alerts on the scanner.

      Digester is not used in core but exposed to some plugins which use it.

      With the help of https://github.com/jenkins-infra/usage-in-plugins we found the class

      A draft PR has been opened here https://github.com/jenkinsci/jenkins/pull/5320 for discussion.

      I would personally remove it from core and make some PRs on the plugins using it (except very old plugins that are no longer maintained).
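A quick way to reproduce the triage used in this issue (plugins whose own classes reference the commons-digester package directly, versus plugins that only go through the core wrapper, versus plugins that already ship their own copy), as an added example that is not part of the issue, of Jenkins core, or of the jenkins-infra/usage-in-plugins tool: a byte-level scan of the class files inside an .hpi. It assumes the standard .hpi layout (WEB-INF/classes for the plugin's own classes, WEB-INF/lib for bundled jars), assumes that "the wrapper" mentioned in the description is hudson.util.Digester2, and builds its sample .hpi files in memory, so it runs offline.

```python
import io
import zipfile

# Internal (slash-separated) names as they appear in class-file constant pools.
# The trailing slash keeps org/apache/commons/digester3/ (Digester 3.x) from matching.
DIGESTER_PKG = b"org/apache/commons/digester/"
# Assumed name of "the wrapper" mentioned in the issue; adjust if it refers to another class.
WRAPPER_CLASS = b"hudson/util/Digester2"


def _own_classes(hpi):
    """Yield the bytes of every class compiled into the plugin itself (WEB-INF/classes)."""
    for name in hpi.namelist():
        if name.startswith("WEB-INF/classes/") and name.endswith(".class"):
            yield hpi.read(name)


def _bundled_jars(hpi):
    """Yield the base names of the jars the plugin ships in WEB-INF/lib."""
    for name in hpi.namelist():
        if name.startswith("WEB-INF/lib/") and name.endswith(".jar"):
            yield name.rsplit("/", 1)[-1]


def scan_hpi(hpi_bytes):
    """Report which digester-related names the plugin's own classes reference,
    and whether the plugin already bundles a commons-digester jar."""
    with zipfile.ZipFile(io.BytesIO(hpi_bytes)) as hpi:
        blobs = list(_own_classes(hpi))
        jars = list(_bundled_jars(hpi))
    return {
        "direct": any(DIGESTER_PKG in blob for blob in blobs),
        "wrapper": any(WRAPPER_CLASS in blob for blob in blobs),
        "bundles_digester": any(jar.startswith("commons-digester") for jar in jars),
    }


def impact(report):
    """Map a scan result onto the categories used in the issue description."""
    if report["direct"] and not report["bundles_digester"]:
        return "direct: relies on core's commons-digester, needs its own dependency"
    if report["direct"]:
        return "direct: already bundles commons-digester, check the version"
    if report["wrapper"]:
        return "wrapper only"
    return "no use"


def build_sample_hpi(class_refs, bundled_jars=()):
    """Constructed fixture: a minimal .hpi whose class files contain the given
    constant-pool strings. The scan only looks at bytes, so the stub class
    files need nothing beyond the magic number and the reference."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as hpi:
        for i, ref in enumerate(class_refs):
            hpi.writestr(f"WEB-INF/classes/io/example/Scm{i}.class", b"\xca\xfe\xba\xbe" + ref)
        for jar in bundled_jars:
            inner = io.BytesIO()
            with zipfile.ZipFile(inner, "w") as j:
                j.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            hpi.writestr(f"WEB-INF/lib/{jar}", inner.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "direct, no bundled jar": build_sample_hpi([b"org/apache/commons/digester/Digester"]),
        "wrapper only": build_sample_hpi([b"hudson/util/Digester2"]),
        "direct, bundles jar": build_sample_hpi(
            [b"org/apache/commons/digester/Digester"], ["commons-digester-2.1.jar"]),
        "no use": build_sample_hpi([b"java/lang/String"]),
    }
    for label, data in samples.items():
        print(f"{label:24} -> {impact(scan_hpi(data))}")
```

Only the plugin's own classes are scanned for references; bundled jars are only checked by name, so a plugin that ships its own commons-digester jar is not reported as depending on the copy core exposes. A real .hpi can be passed in with `impact(scan_hpi(open(path, "rb").read()))`.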


          [JENKINS-65161] Remove commons-digester from Core

          Olivier Lamy created issue -

          Oleg Nenashev added a comment -

          No objections from me. All plugins are either barely used or easily patchable.

          Olivier Lamy made changes -
          Description Original: Currently commons-digester 2.1 is triggering some security alerts on the scanner.

          Digester is *not used in core* but exposed to some plugins which use it.

          With the help of [https://github.com/jenkins-infra/usage-in-plugins] we found the class
           * [https://github.com/jenkinsci/BlameSubversion-plugin] (last activity 8 years ago...)
           * [https://github.com/jenkinsci/clearcase-ucm-plugin] (last activity 5 years ago...)
           * [https://github.com/jenkinsci/cmvc-plugin] (last activity 9 years ago)
           * [https://github.com/jenkinsci/config-rotator-plugin] (last activity 4 years ago)
           * [https://github.com/jenkinsci/cvs-plugin] (I didn't know this was still used :) only used in a test class and using only the wrapper so no impact)
           * [https://plugins.jenkins.io/dimensionsscm/] (only using the wrapper so no impact)
           * [https://plugins.jenkins.io/genexus/] (only using the wrapper so no impact)
           * [https://github.com/jenkinsci/maven-info-plugin] (last release 7 years ago, easy change)
           * [https://plugins.jenkins.io/plasticscm-mergebot/] (imports the previous Digester package, so needs a package change, but an easy one)
           * [https://plugins.jenkins.io/plasticscm-plugin/] (imports the previous Digester package, so needs a package change, but an easy one)
           * [https://plugins.jenkins.io/subversion/] (imports the previous Digester package, so needs a package change, but an easy one)
           * [https://github.com/jenkinsci/synergy_scm-plugin] (last activity 6 years ago)
           * [https://github.com/jenkinsci/teamconcert-plugin] (only using the wrapper so no impact)
           * [https://plugins.jenkins.io/zos-connector/] (imports the previous Digester package, so needs a package change, but an easy one)

          A draft PR has been opened here [https://github.com/jenkinsci/jenkins/pull/5320] for discussion.

          I would personally remove it from core and make some PRs on the plugins using it (except very old plugins that are no longer maintained).

          New: Currently commons-digester 2.1 is triggering some security alerts on the scanner.

          Digester is *not used in core* but exposed to some plugins which use it.

          With the help of [https://github.com/jenkins-infra/usage-in-plugins] we found the class
           * [https://github.com/jenkinsci/BlameSubversion-plugin] (last activity 8 years ago...)
           * [https://github.com/jenkinsci/clearcase-ucm-plugin] (last activity 5 years ago...)
           * [https://github.com/jenkinsci/cmvc-plugin] (last activity 9 years ago)
           * [https://github.com/jenkinsci/config-rotator-plugin] (last activity 4 years ago)
           * [https://github.com/jenkinsci/cvs-plugin] (I didn't know this was still used :) only used in a test class and using only the wrapper so no impact) (PR: [https://github.com/jenkinsci/cvs-plugin/pull/55])
           * [https://plugins.jenkins.io/dimensionsscm/] (only using the wrapper so no impact)
           * [https://plugins.jenkins.io/genexus/] (only using the wrapper so no impact)
           * [https://github.com/jenkinsci/maven-info-plugin] (last release 7 years ago, easy change)
           * [https://plugins.jenkins.io/plasticscm-mergebot/] (imports the previous Digester package, so needs a package change, but an easy one)
           * [https://plugins.jenkins.io/plasticscm-plugin/] (imports the previous Digester package, so needs a package change, but an easy one)
           * [https://plugins.jenkins.io/subversion/] (imports the previous Digester package, so needs a package change, but an easy one)
           * [https://github.com/jenkinsci/synergy_scm-plugin] (last activity 6 years ago)
           * [https://github.com/jenkinsci/teamconcert-plugin] (only using the wrapper so no impact)
           * [https://plugins.jenkins.io/zos-connector/] (imports the previous Digester package, so needs a package change, but an easy one)

          A draft PR has been opened here [https://github.com/jenkinsci/jenkins/pull/5320] for discussion.

          I would personally remove it from core and make some PRs on the plugins using it (except very old plugins that are no longer maintained).

          Olivier Lamy made changes -
          Description New: Currently commons-digester 2.1 is triggering some security alerts on the scanner.

          Digester is *not used in core* but exposed to some plugins which use it.

          With the help of [https://github.com/jenkins-infra/usage-in-plugins] we found the class
           * [https://github.com/jenkinsci/BlameSubversion-plugin] (last activity 8 years ago...)
           * [https://github.com/jenkinsci/clearcase-ucm-plugin] (last activity 5 years ago...)
           * [https://github.com/jenkinsci/cmvc-plugin] (last activity 9 years ago)
           * [https://github.com/jenkinsci/config-rotator-plugin] (last activity 4 years ago)
           * [https://github.com/jenkinsci/cvs-plugin] (I didn't know this was still used :) only used in a test class and using only the wrapper so no impact) (PR: [https://github.com/jenkinsci/cvs-plugin/pull/55])
           * [https://plugins.jenkins.io/dimensionsscm/] (only using the wrapper so no impact) (PR: [https://github.com/jenkinsci/dimensionsscm-plugin/pull/15])
           * [https://plugins.jenkins.io/genexus/] (only using the wrapper so no impact)
           * [https://github.com/jenkinsci/maven-info-plugin] (last release 7 years ago, easy change)
           * [https://plugins.jenkins.io/plasticscm-mergebot/] (imports the previous Digester package, so needs a package change, but an easy one)
           * [https://plugins.jenkins.io/plasticscm-plugin/] (imports the previous Digester package, so needs a package change, but an easy one)
           * [https://plugins.jenkins.io/subversion/] (imports the previous Digester package, so needs a package change, but an easy one)
           * [https://github.com/jenkinsci/synergy_scm-plugin] (last activity 6 years ago)
           * [https://github.com/jenkinsci/teamconcert-plugin] (only using the wrapper so no impact)
           * [https://plugins.jenkins.io/zos-connector/] (imports the previous Digester package, so needs a package change, but an easy one)

          A draft PR has been opened here [https://github.com/jenkinsci/jenkins/pull/5320] for discussion.

          I would personally remove it from core and make some PRs on the plugins using it (except very old plugins that are no longer maintained).

          Olivier Lamy made changes -
          Description New: Currently commons-digester 2.1 is triggering some security alerts on the scanner.

          Digester is *not used in core* but exposed to some plugins which use it.

          With the help of [https://github.com/jenkins-infra/usage-in-plugins] we found the class
           * [https://github.com/jenkinsci/BlameSubversion-plugin] (last activity 8 years ago...)
           * [https://github.com/jenkinsci/clearcase-ucm-plugin] (last activity 5 years ago...)
           * [https://github.com/jenkinsci/cmvc-plugin] (last activity 9 years ago)
           * [https://github.com/jenkinsci/config-rotator-plugin] (last activity 4 years ago)
           * [https://github.com/jenkinsci/cvs-plugin] (I didn't know this was still used :) only used in a test class and using only the wrapper so no impact) (PR: [https://github.com/jenkinsci/cvs-plugin/pull/55])
           * [https://plugins.jenkins.io/dimensionsscm/] (only using the wrapper so no impact) (PR: [https://github.com/jenkinsci/dimensionsscm-plugin/pull/15])
           * [https://plugins.jenkins.io/genexus/] (only using the wrapper so no impact)
           * [https://github.com/jenkinsci/maven-info-plugin] (last release 7 years ago, easy change)
           * [https://plugins.jenkins.io/plasticscm-mergebot/] (imports the previous Digester package, so needs a package change, but an easy one) (PR: [https://github.com/jenkinsci/plasticscm-mergebot-plugin/pull/2])
           * [https://plugins.jenkins.io/plasticscm-plugin/] (imports the previous Digester package, so needs a package change, but an easy one)
           * [https://plugins.jenkins.io/subversion/] (imports the previous Digester package, so needs a package change, but an easy one)
           * [https://github.com/jenkinsci/synergy_scm-plugin] (last activity 6 years ago)
           * [https://github.com/jenkinsci/teamconcert-plugin] (only using the wrapper so no impact)
           * [https://plugins.jenkins.io/zos-connector/] (imports the previous Digester package, so needs a package change, but an easy one)

          A draft PR has been opened here [https://github.com/jenkinsci/jenkins/pull/5320] for discussion.

          I would personally remove it from core and make some PRs on the plugins using it (except very old plugins that are no longer maintained).

          Olivier Lamy made changes -
          Description New: Currently commons-digester 2.1 is triggering some security alerts on the scanner.

          Digester is *not used in core* but exposed to some plugins which use it.

          With the help of [https://github.com/jenkins-infra/usage-in-plugins] we found the class
           * [https://github.com/jenkinsci/BlameSubversion-plugin] (last activity 8 years ago...)
           * [https://github.com/jenkinsci/clearcase-ucm-plugin] (last activity 5 years ago...)
           * [https://github.com/jenkinsci/cmvc-plugin] (last activity 9 years ago)
           * [https://github.com/jenkinsci/config-rotator-plugin] (last activity 4 years ago)
           * [https://github.com/jenkinsci/cvs-plugin] (I didn't know this was still used :) only used in a test class and using only the wrapper so no impact) (PR: [https://github.com/jenkinsci/cvs-plugin/pull/55])
           * [https://plugins.jenkins.io/dimensionsscm/] (only using the wrapper so no impact) (PR: [https://github.com/jenkinsci/dimensionsscm-plugin/pull/15])
           * [https://plugins.jenkins.io/genexus/] (only using the wrapper so no impact)
           * [https://github.com/jenkinsci/maven-info-plugin] (last release 7 years ago, easy change)
           * [https://plugins.jenkins.io/plasticscm-mergebot/] (imports the previous Digester package, so needs a package change, but an easy one) (PR: [https://github.com/jenkinsci/plasticscm-mergebot-plugin/pull/2])
           * [https://plugins.jenkins.io/plasticscm-plugin/] (imports the previous Digester package, so needs a package change, but an easy one) (PR: [https://github.com/jenkinsci/plasticscm-plugin/pull/40])
           * [https://plugins.jenkins.io/subversion/] (imports the previous Digester package, so needs a package change, but an easy one)
           * [https://github.com/jenkinsci/synergy_scm-plugin] (last activity 6 years ago)
           * [https://github.com/jenkinsci/teamconcert-plugin] (only using the wrapper so no impact)
           * [https://plugins.jenkins.io/zos-connector/] (imports the previous Digester package, so needs a package change, but an easy one)

          A draft PR has been opened here [https://github.com/jenkinsci/jenkins/pull/5320] for discussion.

          I would personally remove it from core and make some PRs on the plugins using it (except very old plugins that are no longer maintained).

          Olivier Lamy made changes -
          Description New: Currently commons-digester 2.1 is triggering some security alerts on the scanner.

          Digester is *not used in core* but exposed to some plugins which use it.

          With the help of [https://github.com/jenkins-infra/usage-in-plugins] we found the class
           * [https://github.com/jenkinsci/BlameSubversion-plugin] (last activity 8 years ago...)
           * [https://github.com/jenkinsci/clearcase-ucm-plugin] (last activity 5 years ago...)
           * [https://github.com/jenkinsci/cmvc-plugin] (last activity 9 years ago)
           * [https://github.com/jenkinsci/config-rotator-plugin] (last activity 4 years ago)
           * [https://github.com/jenkinsci/cvs-plugin] (I didn't know this was still used :) only used in a test class and using only the wrapper so no impact) (PR: [https://github.com/jenkinsci/cvs-plugin/pull/55])
           * [https://plugins.jenkins.io/dimensionsscm/] (only using the wrapper so no impact) (PR: [https://github.com/jenkinsci/dimensionsscm-plugin/pull/15])
           * [https://plugins.jenkins.io/genexus/] (only using the wrapper so no impact)
           * [https://github.com/jenkinsci/maven-info-plugin] (last release 7 years ago, easy change)
           * [https://plugins.jenkins.io/plasticscm-mergebot/] (imports the previous Digester package, so needs a package change, but an easy one) (PR: [https://github.com/jenkinsci/plasticscm-mergebot-plugin/pull/2])
           * [https://plugins.jenkins.io/plasticscm-plugin/] (imports the previous Digester package, so needs a package change, but an easy one) (PR: [https://github.com/jenkinsci/plasticscm-plugin/pull/40])
           * [https://plugins.jenkins.io/subversion/] (imports the previous Digester package, so needs a package change, but an easy one) (PR: [https://github.com/jenkinsci/subversion-plugin/pull/254])
           * [https://github.com/jenkinsci/synergy_scm-plugin] (last activity 6 years ago)
           * [https://github.com/jenkinsci/teamconcert-plugin] (only using the wrapper so no impact)
           * [https://plugins.jenkins.io/zos-connector/] (imports the previous Digester package, so needs a package change, but an easy one)

          A draft PR has been opened here [https://github.com/jenkinsci/jenkins/pull/5320] for discussion.

          I would personally remove it from core and make some PRs on the plugins using it (except very old plugins that are no longer maintained).

          Olivier Lamy made changes -
          Description New: Currently commons-digester 2.1 is triggering some security alerts on the scanner.

          Digester is *not used in core* but exposed to some plugins which use it.

          With the help of [https://github.com/jenkins-infra/usage-in-plugins] we found the class
           * [https://github.com/jenkinsci/BlameSubversion-plugin] (last activity 8 years ago...)
           * [https://github.com/jenkinsci/clearcase-ucm-plugin] (last activity 5 years ago...)
           * [https://github.com/jenkinsci/cmvc-plugin] (last activity 9 years ago)
           * [https://github.com/jenkinsci/config-rotator-plugin] (last activity 4 years ago)
           * [https://github.com/jenkinsci/cvs-plugin] (I didn't know this was still used :) only used in a test class and using only the wrapper so no impact) (PR: [https://github.com/jenkinsci/cvs-plugin/pull/55])
           * [https://plugins.jenkins.io/dimensionsscm/] (only using the wrapper so no impact) (PR: [https://github.com/jenkinsci/dimensionsscm-plugin/pull/15])
           * [https://plugins.jenkins.io/genexus/] (only using the wrapper so no impact)
           * [https://github.com/jenkinsci/maven-info-plugin] (last release 7 years ago, easy change)
           * [https://plugins.jenkins.io/plasticscm-mergebot/] (imports the previous Digester package, so needs a package change, but an easy one) (PR: [https://github.com/jenkinsci/plasticscm-mergebot-plugin/pull/2])
           * [https://plugins.jenkins.io/plasticscm-plugin/] (imports the previous Digester package, so needs a package change, but an easy one) (PR: [https://github.com/jenkinsci/plasticscm-plugin/pull/40])
           * [https://plugins.jenkins.io/subversion/] (imports the previous Digester package, so needs a package change, but an easy one) (PR: [https://github.com/jenkinsci/subversion-plugin/pull/254])
           * [https://github.com/jenkinsci/synergy_scm-plugin] (last activity 6 years ago) (PR: [https://github.com/jenkinsci/synergy_scm-plugin/pull/17])
           * [https://github.com/jenkinsci/teamconcert-plugin] (only using the wrapper so no impact)
           * [https://plugins.jenkins.io/zos-connector/] (imports the previous Digester package, so needs a package change, but an easy one)

          A draft PR has been opened here [https://github.com/jenkinsci/jenkins/pull/5320] for discussion.

          I would personally remove it from core and make some PRs on the plugins using it (except very old plugins that are no longer maintained).

          Olivier Lamy made changes -
          Description Original: Currently commons-digester 2.1 is triggering some security alerts on scanner. 

          Digester is *not used in core* but exposed to some plugins which use it.

          With the help of [https://github.com/jenkins-infra/usage-in-plugins] we found the class 
           * [https://github.com/jenkinsci/BlameSubversion-plugin] (last activity 8 years ago...)
           * [https://github.com/jenkinsci/clearcase-ucm-plugin] (last activity 5 years ago...)
           * [https://github.com/jenkinsci/cmvc-plugin] (last activity 9 years ago)
           * [https://github.com/jenkinsci/config-rotator-plugin] (last activity 4 years ago)
           * [https://github.com/jenkinsci/cvs-plugin] (I didn't know this was still used :) only used in a test class and using only the wrapper, so no impact) (PR: [https://github.com/jenkinsci/cvs-plugin/pull/55])
           * [https://plugins.jenkins.io/dimensionsscm/] (only using the wrapper, so no impact) (PR: [https://github.com/jenkinsci/dimensionsscm-plugin/pull/15])
           * [https://plugins.jenkins.io/genexus/] (only using the wrapper, so no impact)
           * [https://github.com/jenkinsci/maven-info-plugin] (last release 7 years ago, easy change)
           * [https://plugins.jenkins.io/plasticscm-mergebot/] (imports the previous Digester package, so needs some package changes, but an easy change) (PR: [https://github.com/jenkinsci/plasticscm-mergebot-plugin/pull/2])
           * [https://plugins.jenkins.io/plasticscm-plugin/] (imports the previous Digester package, so needs some package changes, but an easy change) (PR: [https://github.com/jenkinsci/plasticscm-plugin/pull/40])
           * [https://plugins.jenkins.io/subversion/] (imports the previous Digester package, so needs some package changes, but an easy change) (PR: [https://github.com/jenkinsci/subversion-plugin/pull/254])
           * [https://github.com/jenkinsci/synergy_scm-plugin] (last activity 6 years ago) (PR: [https://github.com/jenkinsci/synergy_scm-plugin/pull/17])
           * [https://github.com/jenkinsci/teamconcert-plugin] (only using the wrapper, so no impact)
           * [https://plugins.jenkins.io/zos-connector/] (imports the previous Digester package, so needs some package changes, but an easy change)

          A draft PR has been opened here [https://github.com/jenkinsci/jenkins/pull/5320]  for discussion.

          I would personally remove it from core and make some PRs on the plugins using it (except very old plugins that are no longer maintained).

          New: Currently commons-digester 2.1 is triggering some security alerts on scanner. 

          Digester is *not used in core* but exposed to some plugins which use it.

          With the help of [https://github.com/jenkins-infra/usage-in-plugins] we found the class 
           * [https://github.com/jenkinsci/BlameSubversion-plugin] (last activity 8 years ago...)
           * [https://github.com/jenkinsci/clearcase-ucm-plugin] (last activity 5 years ago...)
           * [https://github.com/jenkinsci/cmvc-plugin] (last activity 9 years ago)
           * [https://github.com/jenkinsci/config-rotator-plugin] (last activity 4 years ago)
           * [https://github.com/jenkinsci/cvs-plugin] (I didn't know this was still used :) only used in a test class and using only the wrapper, so no impact) (PR: [https://github.com/jenkinsci/cvs-plugin/pull/55])
           * [https://plugins.jenkins.io/dimensionsscm/] (only using the wrapper, so no impact) (PR: [https://github.com/jenkinsci/dimensionsscm-plugin/pull/15])
           * [https://plugins.jenkins.io/genexus/] (only using the wrapper, so no impact)
           * [https://github.com/jenkinsci/maven-info-plugin] (last release 7 years ago, easy change)
           * [https://plugins.jenkins.io/plasticscm-mergebot/] (imports the previous Digester package, so needs some package changes, but an easy change) (PR: [https://github.com/jenkinsci/plasticscm-mergebot-plugin/pull/2])
           * [https://plugins.jenkins.io/plasticscm-plugin/] (imports the previous Digester package, so needs some package changes, but an easy change) (PR: [https://github.com/jenkinsci/plasticscm-plugin/pull/40])
           * [https://plugins.jenkins.io/subversion/] (imports the previous Digester package, so needs some package changes, but an easy change) (PR: [https://github.com/jenkinsci/subversion-plugin/pull/254])
           * [https://github.com/jenkinsci/synergy_scm-plugin] (last activity 6 years ago) (PR: [https://github.com/jenkinsci/synergy_scm-plugin/pull/17])
           * [https://github.com/jenkinsci/teamconcert-plugin] (only using the wrapper, so no impact) (PR: [https://github.com/jenkinsci/teamconcert-plugin/pull/20])
           * [https://plugins.jenkins.io/zos-connector/] (imports the previous Digester package, so needs some package changes, but an easy change)

          A draft PR has been opened here [https://github.com/jenkinsci/jenkins/pull/5320]  for discussion.

          I would personally remove it from core and make some PRs on the plugins using it (except very old plugins that are no longer maintained).

          Olivier Lamy made changes -
          Description Original: Currently commons-digester 2.1 is triggering some security alerts on scanner. 

          Digester is *not used in core* but exposed to some plugins which use it.

          With the help of [https://github.com/jenkins-infra/usage-in-plugins] we found the class 
           * [https://github.com/jenkinsci/BlameSubversion-plugin] (last activity 8 years ago...)
           * [https://github.com/jenkinsci/clearcase-ucm-plugin] (last activity 5 years ago...)
           * [https://github.com/jenkinsci/cmvc-plugin] (last activity 9 years ago)
           * [https://github.com/jenkinsci/config-rotator-plugin] (last activity 4 years ago)
           * [https://github.com/jenkinsci/cvs-plugin] (I didn't know this was still used :) only used in a test class and using only the wrapper, so no impact) (PR: [https://github.com/jenkinsci/cvs-plugin/pull/55])
           * [https://plugins.jenkins.io/dimensionsscm/] (only using the wrapper, so no impact) (PR: [https://github.com/jenkinsci/dimensionsscm-plugin/pull/15])
           * [https://plugins.jenkins.io/genexus/] (only using the wrapper, so no impact)
           * [https://github.com/jenkinsci/maven-info-plugin] (last release 7 years ago, easy change)
           * [https://plugins.jenkins.io/plasticscm-mergebot/] (imports the previous Digester package, so needs some package changes, but an easy change) (PR: [https://github.com/jenkinsci/plasticscm-mergebot-plugin/pull/2])
           * [https://plugins.jenkins.io/plasticscm-plugin/] (imports the previous Digester package, so needs some package changes, but an easy change) (PR: [https://github.com/jenkinsci/plasticscm-plugin/pull/40])
           * [https://plugins.jenkins.io/subversion/] (imports the previous Digester package, so needs some package changes, but an easy change) (PR: [https://github.com/jenkinsci/subversion-plugin/pull/254])
           * [https://github.com/jenkinsci/synergy_scm-plugin] (last activity 6 years ago) (PR: [https://github.com/jenkinsci/synergy_scm-plugin/pull/17])
           * [https://github.com/jenkinsci/teamconcert-plugin] (only using the wrapper, so no impact) (PR: [https://github.com/jenkinsci/teamconcert-plugin/pull/20])
           * [https://plugins.jenkins.io/zos-connector/] (imports the previous Digester package, so needs some package changes, but an easy change)

          A draft PR has been opened here [https://github.com/jenkinsci/jenkins/pull/5320]  for discussion.

          I would personally remove it from core and make some PRs on the plugins using it (except very old plugins that are no longer maintained).

          New: Currently commons-digester 2.1 is triggering some security alerts on scanner. 

          Digester is *not used in core* but exposed to some plugins which use it.

          With the help of [https://github.com/jenkins-infra/usage-in-plugins] we found the class 
           * [https://github.com/jenkinsci/BlameSubversion-plugin] (last activity 8 years ago...)
           * [https://github.com/jenkinsci/clearcase-ucm-plugin] (last activity 5 years ago...)
           * [https://github.com/jenkinsci/cmvc-plugin] (last activity 9 years ago)
           * [https://github.com/jenkinsci/config-rotator-plugin] (last activity 4 years ago)
           * [https://github.com/jenkinsci/cvs-plugin] (I didn't know this was still used :) only used in a test class and using only the wrapper, so no impact) (PR: [https://github.com/jenkinsci/cvs-plugin/pull/55])
           * [https://plugins.jenkins.io/dimensionsscm/] (only using the wrapper, so no impact) (PR: [https://github.com/jenkinsci/dimensionsscm-plugin/pull/15])
           * [https://plugins.jenkins.io/genexus/] (only using the wrapper, so no impact)
           * [https://github.com/jenkinsci/maven-info-plugin] (last release 7 years ago, easy change)
           * [https://plugins.jenkins.io/plasticscm-mergebot/] (imports the previous Digester package, so needs some package changes, but an easy change) (PR: [https://github.com/jenkinsci/plasticscm-mergebot-plugin/pull/2])
           * [https://plugins.jenkins.io/plasticscm-plugin/] (imports the previous Digester package, so needs some package changes, but an easy change) (PR: [https://github.com/jenkinsci/plasticscm-plugin/pull/40])
           * [https://plugins.jenkins.io/subversion/] (imports the previous Digester package, so needs some package changes, but an easy change) (PR: [https://github.com/jenkinsci/subversion-plugin/pull/254])
           * [https://github.com/jenkinsci/synergy_scm-plugin] (last activity 6 years ago) (PR: [https://github.com/jenkinsci/synergy_scm-plugin/pull/17])
           * [https://github.com/jenkinsci/teamconcert-plugin] (only using the wrapper, so no impact) (PR: [https://github.com/jenkinsci/teamconcert-plugin/pull/20])
           * [https://plugins.jenkins.io/zos-connector/] (imports the previous Digester package, so needs some package changes, but an easy change) (PR: [https://github.com/jenkinsci/zos-connector-plugin/pull/12])

          A draft PR has been opened here [https://github.com/jenkinsci/jenkins/pull/5320]  for discussion.

          I would personally remove it from core and make some PRs on the plugins using it (except very old plugins that are no longer maintained).


            olamy Olivier Lamy