JENKINS-72057

Upgrade Jetty 10.0.16

    • Improvement
    • Resolution: Fixed
    • Major
    • core, winstone-jetty
    • None

      Problem

      Jenkins core ships an outdated release of Jetty that is affected by CVE-2023-40167. Some flawed security scanners will incorrectly complain about that CVE. It is easier to update the dependency than to explain why Jenkins is not affected by that CVE.

      Solution

      Upgrade Jetty from its current release to the latest release (at the time of this writing, 10.0.16).

      Success criteria

      The success criteria for this ticket are as follows:

      • Winstone released with Jetty 10.0.16 - Jenkins 2.422 and later (GitHub commit)
      • Maven HPI Plugin released with Jetty 10.0.16 - HPI plugin 3.49 released Sep 5, 2023 (GitHub commit)
      • Jenkins core upgraded to the abovementioned release of Winstone - Jenkins 2.422 and later (GitHub commit)
      • jetty-maven-plugin in core upgraded to the same version of Jetty as the abovementioned release of Winstone - Jenkins 2.422 and later (GitHub commit)
      • Weekly release shipped with all of the above changes
      • Stapler released with Jetty 10.0.16 - Stapler 1814.vdc9dd5217ee2 released Sep 24, 2023 (GitHub release)
      • Jenkins Test Harness (JTH) released with Jetty 10.0.16 - committed Sep 4, 2023 but unreleased (GitHub commit)
      • Plugin parent POM upgraded to the abovementioned releases of Jenkins Test Harness (JTH) and Maven HPI Plugin

            Unassigned
            rafariosssaa Rafael