Merge branch 'master' into create-ssh-dir-with-better-perms

Author: MarkEWaite

.github/pull_request_template.md

@@ -0,0 +1,21 @@
+name: Jenkins Security Scan
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    types: [ opened, synchronize, reopened ]
+  workflow_dispatch:
+
+permissions:
+  security-events: write
+  contents: read
+  actions: read
+
+jobs:
+  security-scan:
+    uses: jenkins-infra/jenkins-security-scan/.github/workflows/jenkins-security-scan.yaml@v2
+    with:
+      java-cache: 'maven' # Optionally enable use of a build dependency cache. Specify 'maven' or 'gradle' as appropriate.
+      # java-version: 21 # Optionally specify what version of Java to set up for the build, or remove to use a recent default.

.github/workflows/jenkins-security-scan.yml

@@ -5,7 +5,7 @@
   <parent>
     <groupId>org.jenkins-ci.plugins</groupId>
     <artifactId>plugin</artifactId>
-    <version>4.83</version>
+    <version>5.2</version>
     <relativePath />
   </parent>
 
@@ -36,11 +36,6 @@
       <email>rsandell@cloudbees.com</email>
       <url>http://rsandell.com</url>
     </developer>
-    <developer>
-      <id>mramonleon</id>
-      <name>M Ramon Leon</name>
-      <email>rleon@cloudbees.com</email>
-    </developer>
     <developer>
       <id>olamy</id>
       <name>Olivier Lamy</name>
@@ -58,14 +53,17 @@
   </scm>
 
   <properties>
-    <revision>5.0.1</revision>
+    <revision>6.1.1</revision>
     <changelist>-SNAPSHOT</changelist>
     <!-- Character set tests fail unless file.encoding is set -->
     <argLine>-Dfile.encoding=${project.build.sourceEncoding}</argLine>
     <gitHubRepo>jenkinsci/${project.artifactId}-plugin</gitHubRepo>
     <!-- https://www.jenkins.io/doc/developer/plugin-development/choosing-jenkins-baseline/ -->
-    <jenkins.version>2.440.3</jenkins.version>
-    <jgit.version>6.10.0.202406032230-r</jgit.version>
+    <jenkins.baseline>2.479</jenkins.baseline>
+    <!-- TODO Replace with the standard jenkins.baseline references after LTS requires Java 17  -->
+    <!-- <jenkins.version>${jenkins.baseline}.1</jenkins.version> -->
+    <jenkins.version>${jenkins.baseline}</jenkins.version>
+    <jgit.version>7.0.0.202409031743-r</jgit.version>
     <spotbugs.effort>Max</spotbugs.effort>
     <spotbugs.threshold>Low</spotbugs.threshold>
     <spotless.check.skip>false</spotless.check.skip>
@@ -75,8 +73,8 @@
     <dependencies>
       <dependency>
         <groupId>io.jenkins.tools.bom</groupId>
-        <artifactId>bom-2.440.x</artifactId>
-        <version>3135.v6d6c1f6b_3572</version>
+        <artifactId>bom-${jenkins.baseline}.x</artifactId>
+        <version>3559.vb_5b_81183b_d23</version>
         <type>pom</type>
         <scope>import</scope>
       </dependency>
@@ -216,7 +214,7 @@
     <dependency>
       <groupId>io.github.sparsick.testcontainers.gitserver</groupId>
       <artifactId>testcontainers-gitserver</artifactId>
-      <version>0.8.0</version>
+      <version>0.10.0</version>
       <scope>test</scope>
       <exclusions>
         <exclusion>
@@ -238,13 +236,13 @@
     <dependency>
       <groupId>nl.jqno.equalsverifier</groupId>
       <artifactId>equalsverifier</artifactId>
-      <version>3.16.1</version>
+      <version>3.17.1</version>
       <scope>test</scope>
     </dependency>
     <dependency>
       <groupId>org.awaitility</groupId>
       <artifactId>awaitility</artifactId>
-      <version>4.2.1</version>
+      <version>4.2.2</version>
       <scope>test</scope>
     </dependency>
     <dependency>
@@ -274,7 +272,7 @@
     <dependency>
       <groupId>org.testcontainers</groupId>
       <artifactId>testcontainers</artifactId>
-      <version>1.19.8</version>
+      <version>1.20.3</version>
       <scope>test</scope>
     </dependency>
   </dependencies>

pom.xml

@@ -1,5 +1,6 @@
 package hudson.plugins.git;
 
+import java.io.Serial;
 import java.util.Objects;
 import org.eclipse.jgit.lib.ObjectId;
 import org.eclipse.jgit.lib.Ref;
@@ -8,6 +9,7 @@
  * Represents a git branch.
  */
 public class Branch extends GitObject {
+    @Serial
     private static final long serialVersionUID = 1L;
 
     /**
@@ -39,7 +41,7 @@ private static String strip(String name) {
      */
     @Override
     public String toString() {
-        return String.format("Branch %s(%s)", name, getSHA1String());
+        return "Branch %s(%s)".formatted(name, getSHA1String());
     }
 
     /**

src/main/java/hudson/plugins/git/Branch.java

@@ -28,7 +28,9 @@
  */
 @Deprecated
 public class GitAPI extends CliGitAPIImpl {
+    @Serial
     private static final long serialVersionUID = 1L;
+
     private final GitClient jgit;
 
     /**

src/main/java/hudson/plugins/git/GitAPI.java

@@ -1,11 +1,14 @@
 package hudson.plugins.git;
 
+import java.io.Serial;
+
 /**
  * Records exception information related to git operations. This exception is
  * used to encapsulate command line git errors, JGit errors, and other errors
  * related to git operations.
  */
 public class GitException extends RuntimeException {
+    @Serial
     private static final long serialVersionUID = 1L;
 
     /**

src/main/java/hudson/plugins/git/GitException.java

@@ -1,10 +1,13 @@
 package hudson.plugins.git;
 
+import java.io.Serial;
+
 /**
  * Exception which reports failure to lock a git repository. Lock failures are
  * a special case and may indicate that a retry attempt might succeed.
  */
 public class GitLockFailedException extends GitException {
+    @Serial
     private static final long serialVersionUID = 1L;
 
     /**

src/main/java/hudson/plugins/git/GitLockFailedException.java

@@ -1,6 +1,7 @@
 package hudson.plugins.git;
 
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+import java.io.Serial;
 import java.io.Serializable;
 import java.util.Objects;
 import org.eclipse.jgit.lib.ObjectId;
@@ -14,6 +15,7 @@
 @ExportedBean(defaultVisibility = 999)
 public class GitObject implements Serializable {
 
+    @Serial
     private static final long serialVersionUID = 1L;
 
     final ObjectId sha1;

src/main/java/hudson/plugins/git/GitObject.java

@@ -17,6 +17,7 @@
 import hudson.util.FormValidation;
 import java.io.File;
 import java.io.IOException;
+import java.io.Serial;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
@@ -27,7 +28,7 @@
 import org.jenkinsci.Symbol;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.QueryParameter;
-import org.kohsuke.stapler.StaplerRequest;
+import org.kohsuke.stapler.StaplerRequest2;
 import org.kohsuke.stapler.interceptor.RequirePOST;
 
 /**
@@ -53,6 +54,7 @@ public GitTool(String name, String home, List<? extends ToolProperty<?>> propert
     /** Constant <code>DEFAULT="Default"</code> */
     public static final transient String DEFAULT = "Default";
 
+    @Serial
     private static final long serialVersionUID = 1;
 
     /**
@@ -153,7 +155,7 @@ public String getDisplayName() {
         }
 
         @Override
-        public boolean configure(StaplerRequest req, JSONObject json) {
+        public boolean configure(StaplerRequest2 req, JSONObject json) {
             setInstallations(req.bindJSONToList(clazz, json.get("tool")).toArray(new GitTool[0]));
             save();
             return true;

src/main/java/hudson/plugins/git/GitTool.java

@@ -138,7 +138,7 @@ public interface IGitAPI extends GitClient {
      * @param remoteRepository remote configuration from which refs will be retrieved
      * @throws java.lang.InterruptedException if interrupted.
      */
-    void fetch(RemoteConfig remoteRepository) throws InterruptedException;
+    void fetch(RemoteConfig remoteRepository) throws GitException, InterruptedException;
 
     /**
      * Retrieve commits from default remote.
@@ -281,7 +281,7 @@ public interface IGitAPI extends GitClient {
      * @return a {@link org.eclipse.jgit.lib.ObjectId} object.
      * @throws java.lang.InterruptedException if interrupted.
      */
-    ObjectId mergeBase(ObjectId sha1, ObjectId sha2) throws InterruptedException;
+    ObjectId mergeBase(ObjectId sha1, ObjectId sha2) throws GitException, InterruptedException;
 
     /**
      * showRevision.
@@ -304,5 +304,5 @@ public interface IGitAPI extends GitClient {
      */
     @Restricted(NoExternalUse.class)
     @Deprecated
-    String getAllLogEntries(String branch) throws InterruptedException;
+    String getAllLogEntries(String branch) throws GitException, InterruptedException;
 }