• Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Component: core

      Spring Framework 5.3.39 will be included in Jenkins 2.473 and later as part of pull request 9612.

      I propose that we backport it to Jenkins 2.462.2 so that we reduce the risk of warnings from scanners.

      Since the update is not yet included in a weekly release, it is not yet eligible for a backport. I've opened this issue so that the backport idea can be discussed. Basil Crow stated in a GitHub comment that he does not feel strongly either way about a backport.

      Benefits of a backport

      Most recent release as end of life arrives - The backport will assure that we are using the most recent version of Spring Framework 5.3.x as we approach the 31 Aug 2024 end of life of Spring Framework 5.3.x. That will reduce the risk of complaints from scanners that we are using an outdated 5.3.x version.

Low risk - The 5.3.38 Spring Framework changelog includes a backported new feature that is not used by Jenkins and 6 bug fixes. As far as I can tell, none of the bug fixes apply to Jenkins. 5 of the 6 bug fixes are known to be in areas that are not used by Jenkins (Spring Web and automated tests). The 1 bug fix that might involve Jenkins is a backport of "ConversionService cannot convert primitive array to array of Object". I found no usage of a Spring ConversionService in a GitHub search of the jenkinsci GitHub organization.

      Low risk - The 5.3.39 Spring Framework changelog includes a single entry that does not affect Jenkins.

      Risks of a backport

      Undetected issues - There could be undetected issues in the Spring Framework that cause issues. I believe the risk of undetected issues is low. We updated from Spring Framework 5.3.36 to 5.3.37 in 2.462.1 and have not had any issue reports related to that upgrade.

      Limited testing - Since it will arrive in a weekly release 20 Aug 2024, it will be available in a weekly before the 2.462.2 release candidate is created on 21 Aug 2024, but it will have limited testing. I believe the two weeks of the release candidate testing and the weekly releases that will precede 2.462.2 will give good confidence that the new release is safe to include in Jenkins 2.462.2 on 4 Sep 2024.

          [JENKINS-73622] Backport Spring Framework 5.3.39 into 2.462.2

          James Howe added a comment -

          I found no usage of a Spring ConversionService in a GitHub search of the jenkinsci GitHub organization.

          This is not a reliable way to tell whether a Spring component is used. Core beans like that are automatically created and used throughout the framework. The ConversionService is used by most web controller and data access methods to convert arguments and return types.


Mark Waite added a comment - edited

          This is not a reliable way to tell whether a Spring component is used. Core beans like that are automatically created and used throughout the framework. The ConversionService is used by most web controller and data access methods to convert arguments and return types.

          Thanks for the comment, jameshowe. Do you oppose the proposed change, support the proposed change, or are indifferent to the proposed change?

          I don't plan to do any further searches or other research for this proposed change. I'm focused on the Spring Security 6 upgrade that arrived in Jenkins 2.475 and is expected to be in the 30 Oct 2024 Jenkins LTS baseline. If others object to the proposed change, they can express their objections in this issue.


          James Howe added a comment -

I do not oppose the change, just the methodology.

          You need to do some runtime coverage collection, or just assume that every Spring change could affect you. Simply searching your own code does not work.


Assignee: Unassigned
            Reporter: Mark Waite (markewaite)
            Votes: 0
            Watchers: 2