• Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Minor Minor
    • core

      Spring Security 5.8.14 will be included in Jenkins 2.473 and later as part of pull request 9634.

      I propose that we backport it to Jenkins 2.462.2 so that we reduce the risk of warnings from scanners.

      Since the update is not yet included in a weekly release, it is not yet eligible for a backport. I've opened this issue so that the backport idea can be discussed.

      Benefits of a backport

      Most recent release as end of life arrives - The backport will assure that we are using the most recent version of Spring Security 5.8.x as we approach the 31 Aug 2024 end of life of Spring Security 5.8.x. That will reduce the risk of complaints from scanners that we are using an outdated 5.8.x version.

      Low risk - The 5.8.14 Spring Security changelog includes a dependency updates, 2 documentation fixes, and a fix in an area that Jenkins does not use.

      Risks of a backport

      Undetected issues - There could be undetected issues in the Spring Security that cause issues. I believe the risk of undetected issues is low.

      Limited testing - Since it will arrive in a weekly release 20 Aug 2024, it will be available in a weekly before the 2.462.2 release candidate is created on 21 Aug 2024, but it will have limited testing. I believe the two weeks of the release candidate testing and the weekly releases that will precede 2.462.2 will give good confidence that the new release is safe to include in Jenkins 2.462.2 on 4 Sep 2024.

          [JENKINS-73648] Backport Spring Security 5.8.14 into 2.462.2

          Mark Waite created issue -
          Mark Waite made changes -
          Labels Original: 2.462.2-fixed New: lts-candidate
          Mark Waite made changes -
          Description Original: Spring Framework 5.3.39 will be included in Jenkins 2.473 and later as part of [pull request 9612|https://github.com/jenkinsci/jenkins/pull/9612].

          I propose that we backport it to Jenkins 2.462.2 so that we reduce the risk of warnings from scanners.

          Since the update is not yet included in a weekly release, it is not yet eligible for a backport. I've opened this issue so that the backport idea can be discussed. Basil Crow stated in a [GitHub comment|https://github.com/jenkinsci/jenkins/pull/9612#issuecomment-2289828052] that he does not feel strongly either way about a backport.

          h3. Benefits of a backport

          *Most recent release as end of life arrives* - The backport will assure that we are using the most recent version of Spring Framework 5.3.x as we approach the [31 Aug 2024 end of life of Spring Framework 5.3.x|https://spring.io/blog/2024/03/01/support-timeline-announcement-for-spring-framework-6-0-x-and-5-3-x]. That will reduce the risk of complaints from scanners that we are using an outdated 5.3.x version.

          *Low risk* - The [5.3.38 Spring Framework changelog|https://github.com/spring-projects/spring-framework/releases/tag/v5.3.38] includes a backported new feature that is not used by Jenkins and 6 bug fixes. As far as I can tell, none of the bug fixes apply to Jenkins. 5 of the 6 bug fixes are known to be in areas that are not used by Jenkins (spring web and automated tests). The 1 bug fix that might involve Jenkins is a backport of [ConversionService cannot convert primitive array to array of Object|https://github.com/spring-projects/spring-framework/issues/33212]. I found no usage of a Spring ConversionService in a GitHub search of the jenkinsci GitHub organization.

          *Low risk* - The [5.3.39 Spring Framework changelog|https://github.com/spring-projects/spring-framework/releases/tag/v5.3.39] includes a single entry that does not affect Jenkins.

          h3. Risks of a backport

          *Undetected issues* - There could be undetected issues in the Spring Framework that cause issues. I believe the risk of undetected issues is low. We updated from Spring Framework 5.3.36 to 5.3.37 in 2.462.1 and have not had any issue reports related to that upgrade.

          *Limited testing* - Since it will arrive in a weekly release 20 Aug 2024, it will be available in a weekly before the 2.462.2 release candidate is created on 21 Aug 2024, but it will have limited testing. I believe the two weeks of the release candidate testing and the weekly releases that will precede 2.462.2 will give good confidence that the new release is safe to include in Jenkins 2.462.2 on 4 Sep 2024.
          New: Spring Security 5.8.14 will be included in Jenkins 2.473 and later as part of [pull request 9634|https://github.com/jenkinsci/jenkins/pull/9634].

          I propose that we backport it to Jenkins 2.462.2 so that we reduce the risk of warnings from scanners.

          Since the update is not yet included in a weekly release, it is not yet eligible for a backport. I've opened this issue so that the backport idea can be discussed.

          h3. Benefits of a backport

          *Most recent release as end of life arrives* - The backport will assure that we are using the most recent version of Spring Security 5.8.x as we approach the [31 Aug 2024 end of life of Spring Security 5.8.x|https://spring.io/blog/2024/03/01/support-timeline-announcement-for-spring-framework-6-0-x-and-5-3-x]. That will reduce the risk of complaints from scanners that we are using an outdated 5.8.x version.

          *Low risk* - The [5.8.14 Spring Security changelog|https://github.com/spring-projects/spring-security/releases/tag/5.8.14] includes a dependency updates, 2 documentation fixes, and a fix in an area that Jenkins does not use.

          h3. Risks of a backport

          *Undetected issues* - There could be undetected issues in the Spring Security that cause issues. I believe the risk of undetected issues is low.

          *Limited testing* - Since it will arrive in a weekly release 20 Aug 2024, it will be available in a weekly before the 2.462.2 release candidate is created on 21 Aug 2024, but it will have limited testing. I believe the two weeks of the release candidate testing and the weekly releases that will precede 2.462.2 will give good confidence that the new release is safe to include in Jenkins 2.462.2 on 4 Sep 2024.
          Mark Waite made changes -
          Released As New: https://github.com/jenkinsci/jenkins/releases/tag/jenkins-2.473
          Resolution New: Fixed [ 1 ]
          Status Original: Open [ 1 ] New: Resolved [ 5 ]
          Mark Waite made changes -
          Labels Original: lts-candidate New: 2.462.2-fixed
          Mark Waite made changes -
          Remote Link New: This issue links to "PR-9636 - Backport Spring Security 5.8.14 into 2.462.2 LTS (Web Link)" [ 29944 ]
          Mark Waite made changes -
          Remote Link New: This issue links to "PR-9634 - Upgrade to Spring Security 5.8.14 in weekly 2.473 (Web Link)" [ 29945 ]
          Mark Waite made changes -
          Status Original: Resolved [ 5 ] New: Closed [ 6 ]

            Unassigned Unassigned
            markewaite Mark Waite
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: