Jenkins / JENKINS-69990

Prepare Checkmarx for removal of Commons HttpClient 3.x

    • Type: Improvement
    • Resolution: Not A Defect
    • Priority: Major
    • Component: checkmarx-plugin

      Core still bundles a patched version of the deprecated Commons HttpClient 3.x library for use by plugins. This frequently confuses security scanners and is a maintenance liability. For this reason, we would like to remove this library from Jenkins core in jenkinsci/jenkins#7312.

      A systematic search of the plugin corpus was conducted in October 2022; this search revealed that a number of plugins have usages of Commons HttpClient 3.x. For compatibility with a future version of Jenkins core in which this library is removed, these plugins should either migrate their usage of Commons HttpClient 3.x to the Apache HttpComponents Client 4.x API plugin or the Java 11 native HTTP client, or else declare an explicit dependency on the Commons HttpClient 3.x API plugin.

      This plugin's identified usage of Commons HttpClient 3.x:

      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/auth/AuthScope via org/apache/commons/vfs2/provider/http/HttpClientFactory.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/HeaderElement via org/apache/commons/vfs2/provider/http/HttpFileContentInfoFactory.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/Header via org/apache/commons/vfs2/provider/http/HttpFileContentInfoFactory.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/Header via org/apache/commons/vfs2/provider/http/HttpFileObject.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/HostConfiguration via org/apache/commons/vfs2/provider/http/HttpClientFactory.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/HttpClient via org/apache/commons/vfs2/provider/http/HttpClientFactory.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/HttpClient via org/apache/commons/vfs2/provider/http/HttpFileObject.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/HttpClient via org/apache/commons/vfs2/provider/http/HttpFileProvider.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/HttpClient via org/apache/commons/vfs2/provider/http/HttpFileSystem.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/HttpClient via org/apache/commons/vfs2/provider/http/HttpRandomAccessContent.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/HttpClient via org/apache/commons/vfs2/provider/webdav/WebdavFileObject.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/HttpClient via org/apache/commons/vfs2/provider/webdav/WebdavFileProvider.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/HttpClient via org/apache/commons/vfs2/provider/webdav/WebdavFileSystem.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/HttpConnectionManager via org/apache/commons/vfs2/provider/http/HttpClientFactory.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/HttpConnectionManager via org/apache/commons/vfs2/provider/http/HttpFileSystem.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/HttpMethodBase via org/apache/commons/vfs2/provider/webdav/WebdavFileObject.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/HttpMethodRetryHandler via org/apache/commons/vfs2/provider/webdav/WebdavMethodRetryHandler.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/HttpMethod via org/apache/commons/vfs2/provider/http/HttpFileObject.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/HttpMethod via org/apache/commons/vfs2/provider/webdav/WebdavFileObject.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/HttpMethod via org/apache/commons/vfs2/provider/webdav/WebdavMethodRetryHandler.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/HttpState via org/apache/commons/vfs2/provider/http/HttpClientFactory.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/HttpStatus via org/apache/commons/vfs2/provider/webdav/WebdavFileObject.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/methods/ByteArrayRequestEntity via org/apache/commons/vfs2/provider/webdav/WebdavFileObject$WebdavOutputStream.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/methods/GetMethod via org/apache/commons/vfs2/provider/http/HttpFileObject$HttpInputStream.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/methods/GetMethod via org/apache/commons/vfs2/provider/http/HttpFileObject.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/methods/GetMethod via org/apache/commons/vfs2/provider/http/HttpRandomAccessContent.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/methods/HeadMethod via org/apache/commons/vfs2/provider/http/HttpFileContentInfoFactory.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/methods/HeadMethod via org/apache/commons/vfs2/provider/http/HttpFileObject.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/methods/RequestEntity via org/apache/commons/vfs2/provider/webdav/WebdavFileObject$WebdavOutputStream.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/MultiThreadedHttpConnectionManager via org/apache/commons/vfs2/provider/http/HttpClientFactory.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/MultiThreadedHttpConnectionManager via org/apache/commons/vfs2/provider/http/HttpFileSystem.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/params/HttpClientParams via org/apache/commons/vfs2/provider/http/HttpClientFactory.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/params/HttpConnectionManagerParams via org/apache/commons/vfs2/provider/http/HttpClientFactory.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/params/HttpConnectionManagerParams via org/apache/commons/vfs2/provider/http/HttpFileSystemConfigBuilder.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/params/HttpConnectionParams via org/apache/commons/vfs2/provider/http/HttpFileSystemConfigBuilder.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/params/HttpMethodParams via org/apache/commons/vfs2/provider/webdav/WebdavFileObject.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/URIException via org/apache/commons/vfs2/provider/http/HttpFileObject.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/URIException via org/apache/commons/vfs2/provider/URLFileName.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/URIException via org/apache/commons/vfs2/provider/url/UrlFileObject.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/URIException via org/apache/commons/vfs2/provider/webdav/WebdavFileObject.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/UsernamePasswordCredentials via org/apache/commons/vfs2/provider/http/HttpClientFactory.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/util/DateUtil via org/apache/commons/vfs2/provider/http/HttpFileObject.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/util/DateUtil via org/apache/commons/vfs2/provider/webdav/WebdavFileObject.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/util/URIUtil via org/apache/commons/vfs2/provider/http/HttpFileObject.class
      RESULT: Plugin checkmarx:2022.3.3 using org/apache/commons/httpclient/util/URIUtil via org/apache/commons/vfs2/provider/URLFileName.class
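The RESULT lines above come from a bytecode scan of the jars bundled in the plugin's .hpi. The following is an added example, not part of this ticket and not the Jenkins project's own scanning tool, that reproduces the same check for one .hpi so a maintainer can verify whether their plugin is affected: it walks every jar under WEB-INF/lib, parses each class file's constant pool, and reports CONSTANT_Class references under org/apache/commons/httpclient/. The sample .hpi, its jar name and its class files are constructed in the block (the file names echo the ticket, the bytes are synthetic).

```python
import io
import struct
import zipfile
DEPRECATED_PREFIX = "org/apache/commons/httpclient/"  # JVM internal names use '/'
# Byte width of each fixed-size constant-pool entry by tag; Utf8 (tag 1) is variable-length.
_CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def referenced_classes(class_bytes):
    """Return the class names held in a .class file's CONSTANT_Class entries."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        return set()
    count, pos, i, utf8, class_refs = struct.unpack(">H", class_bytes[8:10])[0], 10, 1, {}, []
    while i < count:
        tag = class_bytes[pos]
        if tag == 1:  # CONSTANT_Utf8: u2 length followed by the (modified UTF-8) bytes
            length = struct.unpack(">H", class_bytes[pos + 1:pos + 3])[0]
            utf8[i] = class_bytes[pos + 3:pos + 3 + length].decode("utf-8", "replace")
            pos += 3 + length
        elif tag in _CP_FIXED:
            if tag == 7:  # CONSTANT_Class: u2 index of the Utf8 entry holding the name
                class_refs.append(struct.unpack(">H", class_bytes[pos + 1:pos + 3])[0])
            pos += 1 + _CP_FIXED[tag]
        else:
            return set()  # unknown tag: treat the file as malformed rather than guess
        i += 2 if tag in (5, 6) else 1  # long/double occupy two constant-pool slots
    return {utf8[idx] for idx in class_refs if idx in utf8}

def scan_hpi(hpi_bytes, prefix=DEPRECATED_PREFIX):
    """List (bundled jar, class file, referenced class) triples, like the ticket's RESULT lines."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(hpi_bytes)) as hpi:
        for jar_name in [n for n in hpi.namelist() if n.startswith("WEB-INF/lib/") and n.endswith(".jar")]:
            with zipfile.ZipFile(io.BytesIO(hpi.read(jar_name))) as jar:
                for entry in [e for e in jar.namelist() if e.endswith(".class")]:
                    hits += [(jar_name, entry, r) for r in sorted(referenced_classes(jar.read(entry))) if r.startswith(prefix)]
    return hits

def _fake_class(refs):  # constructed minimal class file: Utf8 at slot 2n+1, Class at slot 2n+2
    pool = b"".join(b"\x01" + struct.pack(">H", len(r)) + r.encode()
                    + b"\x07" + struct.pack(">H", 2 * n + 1) for n, r in enumerate(refs))
    return b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + struct.pack(">H", 2 * len(refs) + 1) + pool

def build_sample_hpi():  # constructed .hpi: names mimic the ticket, bytes are synthetic
    jar, hpi = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("org/apache/commons/vfs2/provider/http/HttpClientFactory.class",
                   _fake_class(["org/apache/commons/httpclient/HttpClient", "java/lang/Object"]))
    with zipfile.ZipFile(hpi, "w") as z:
        z.writestr("WEB-INF/lib/commons-vfs2-2.2.jar", jar.getvalue())
    return hpi.getvalue()
```

Run `scan_hpi(open("checkmarx.hpi", "rb").read())` against a downloaded plugin to get the same jar/class/reference triples; an empty list means no bundled class references the library, while a non-empty one still leaves the question of whether that code path is exercised at runtime.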


          Checkmarx Administrator added a comment -

          basil, the Checkmarx plugin does get a higher version of Apache HttpClient via another of its direct dependencies, so I am not sure whether our plugin is impacted by this change. What could be the way for us to verify whether this issue is relevant for our plugin?

          Basil Crow added a comment -

          https://updates.jenkins.io/download/plugins/checkmarx/2022.3.3/checkmarx.hpi bundles WEB-INF/lib/commons-vfs2-2.2.jar which references HttpClient 3.x classes as mentioned in the issue description. I leave it to you to determine whether this code path is actually exercised in practice in your plugin's use case. Your plugin is 44 MiB in size and probably contains a lot of code that is not executed. If this code path is not exercised then this ticket can be closed.


          Basil Crow added a comment -

          Did you determine that this ticket can be closed?


            cxadmin Checkmarx Administrator
            basil Basil Crow