Can't update net.sourceforge.htmlunit to latest due to JDK7 enforcer

tzach solomon
Hi All,

According to GitHub Advisory Database, I should update net.sourceforge.htmlunit to at least 2.37.0 in order to fix CVE-2020-5529.

My problem is once I do that and run mvn compile, maven enforcer blocks due to:
[INFO] Restricted to JDK 1.7 yet net.sourceforge.htmlunit:neko-htmlunit:jar:2.42.0:compile contains net/sourceforge/htmlunit/cyberneko/filters/DefaultFilter.class targeted to JDK 1.8

Should I fix the security issue? If so, how should I proceed?

Thanks,
Tzach

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/f5938e1c-77c3-4852-a7fd-5712771a016an%40googlegroups.com.
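
The enforcer message quoted in the post above compares each dependency class's bytecode target against the configured Java level. The sketch below reproduces that comparison by reading the class-file header. It is an added example, not part of the thread and not the enforcer's own code; the function names and the stub JAR are constructed for illustration, and only the DefaultFilter.class path is taken from the post.

```python
import io
import struct
import zipfile

CLASS_MAGIC = 0xCAFEBABE


def major_for_java_level(java_level):
    """Class-file major version for a Java release: 7 -> 51, 8 -> 52."""
    return java_level + 44


def class_major_version(data):
    """Return the class-file major version, or None if data is not a class file."""
    if len(data) < 8:
        return None
    # Header layout: u4 magic, u2 minor_version, u2 major_version (big-endian).
    magic, _minor, major = struct.unpack(">IHH", data[:8])
    return major if magic == CLASS_MAGIC else None


def classes_above_level(jar_bytes, java_level):
    """List (entry name, major version) for classes newer than java_level."""
    limit = major_for_java_level(java_level)
    offenders = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in sorted(jar.namelist()):
            if not name.endswith(".class"):
                continue
            major = class_major_version(jar.read(name))
            if major is not None and major > limit:
                offenders.append((name, major))
    return offenders


def build_sample_jar():
    """Constructed sample JAR: stub entries that carry only the 8-byte header."""
    def header(major):
        return struct.pack(">IHH", CLASS_MAGIC, 0, major)

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        # Path from the enforcer message in the post; contents are a stub.
        jar.writestr(
            "net/sourceforge/htmlunit/cyberneko/filters/DefaultFilter.class",
            header(52),
        )
        # Hypothetical second class compiled for Java 7.
        jar.writestr("example/LegacyHelper.class", header(51))
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_jar()
    for level in (7, 8):
        hits = classes_above_level(sample, level)
        print("java.level=%d:" % level, hits or "no classes above the limit")
```

Pointing `classes_above_level` at the bytes of a real dependency JAR shows which classes force a higher Java level before the version bump is committed.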

Re: Can't update net.sourceforge.htmlunit to latest due to JDK7 enforcer

Gavin Mogan
Update your plugin to use jdk 8. The default pom lets you set that by using a java.level property

Recommended just updating the base plugin pom which does most things for you.

On Sun., Jul. 26, 2020, 10:24 a.m. [hidden email], <[hidden email]> wrote:
Hi All,

According to GitHub Advisory Database, I should update net.sourceforge.htmlunit to at least 2.37.0 in order to fix CVE-2020-5529.

My problem is once I do that and run mvn compile, maven enforcer blocks due to:
[INFO] Restricted to JDK 1.7 yet net.sourceforge.htmlunit:neko-htmlunit:jar:2.42.0:compile contains net/sourceforge/htmlunit/cyberneko/filters/DefaultFilter.class targeted to JDK 1.8

Should I fix the security issue? If so, how should I proceed?

Thanks,
Tzach


Re: Can't update net.sourceforge.htmlunit to latest due to JDK7 enforcer

tzach solomon
Gavin Mogan, Thanks for the quick response :)
Are you referring to the maven.compiler.target property? If so, I've set it to 1.8 but I still get the same error

Thanks,
Tzach

On Sun, Jul 26, 2020 at 8:32 PM 'Gavin Mogan' via Jenkins Developers <[hidden email]> wrote:
Update your plugin to use jdk 8. The default pom lets you set that by using a java.level property

Recommended just updating the base plugin pom which does most things for you.


Re: Can't update net.sourceforge.htmlunit to latest due to JDK7 enforcer

Gavin Mogan
Not sure what to tell you. Check your effective pom. The compiler error says you're including jdk8 compiled classes but are compiling with jdk7

On Sun, Jul 26, 2020 at 10:38 AM tzach solomon <[hidden email]> wrote:
Gavin Mogan, Thanks for the quick response :)
Are you referring to the maven.compiler.target property? If so, I've set it to 1.8 but I still get the same error

Thanks,
Tzach


Re: Can't update net.sourceforge.htmlunit to latest due to JDK7 enforcer

tzach solomon
I've found the property you talked about, java.level.
I've set it to 8 and now it's working fine :)

But, I'm still afraid this is a breaking update.
I mean, it requires Jenkins to run with JDK 8 while Jenkins 1.6+ only requires JDK 7.

Can someone please help?


On Sun, Jul 26, 2020 at 8:47 PM 'Gavin Mogan' via Jenkins Developers <[hidden email]> wrote:
Not sure what to tell you. Check your effective pom. The compiler error says you're including jdk8 compiled classes but are compiling with jdk7


Re: Can't update net.sourceforge.htmlunit to latest due to JDK7 enforcer

Mark Waite-2
Usually the best technique is to accept that users who update plugins to newer releases are also users who update their Jenkins versions.

Plugin installation statistics can help with your decision of the minimum Jenkins version you should support.  See https://stats.jenkins.io/pluginversions/bitbucket.html for the summary of the installation statistics of the bitbucket plugin.  My reading of it is:
  • Over 80% of installations of Bitbucket plugin 1.11.0 are running Jenkins 2.204.1 or newer
  • Over 60% of all installations of Bitbucket plugin are running Jenkins 2.204.1 or newer
I chose 2.204.1 as the new basis for the git plugin and git client plugin on the assumption that if they are not updating Jenkins, they probably won't update the plugin even if I release it.  If they are updating Jenkins, then they will probably also update to a new version of the plugin.

Choosing a new Jenkins minimum version is not a breaking change.  Users running older Jenkins versions won't be offered the new release.

You may also find it helpful as a new plugin maintainer to enable the plugin BOM to help manage dependency versions and to enable Dependabot and Release Drafter to remove some of the "rote work" of maintaining dependencies.  Dependency management is a good beginning, continuing in plugin BOM, Dependabot (video), and Release Drafter (video).

Mark Waite

On Sun, Jul 26, 2020 at 11:53 AM tzach solomon <[hidden email]> wrote:
I've found the property you talked about, java.level.
I've set it to 8 and now it's working fine :)

But, I'm still afraid this is a breaking update.
I mean, it requires Jenkins to run with JDK 8 while Jenkins 1.6+ only requires JDK 7.

Can someone please help?



Re: Can't update net.sourceforge.htmlunit to latest due to JDK7 enforcer

tzach solomon
Wow, big thanks Mark :)

I'll follow your links and advice
Again, big thanks :)

Tzach

On Sun, Jul 26, 2020 at 9:12 PM Mark Waite <[hidden email]> wrote:
Usually the best technique is to accept that users who update plugins to newer releases are also users who update their Jenkins versions.

Plugin installation statistics can help with your decision of the minimum Jenkins version you should support.  See https://stats.jenkins.io/pluginversions/bitbucket.html for the summary of the installation statistics of the bitbucket plugin.  My reading of it is:
  • Over 80% of installations of Bitbucket plugin 1.11.0 are running Jenkins 2.204.1 or newer
  • Over 60% of all installations of Bitbucket plugin are running Jenkins 2.204.1 or newer
I chose 2.204.1 as the new basis for the git plugin and git client plugin on the assumption that if they are not updating Jenkins, they probably won't update the plugin even if I release it.  If they are updating Jenkins, then they will probably also update to a new version of the plugin.

Choosing a new Jenkins minimum version is not a breaking change.  Users running older Jenkins versions won't be offered the new release.

You may also find it helpful as a new plugin maintainer to enable the plugin BOM to help manage dependency versions and to enable Dependabot and Release Drafter to remove some of the "rote work" of maintaining dependencies.  Dependency management is a good beginning, continuing in plugin BOM, Dependabot (video), and Release Drafter (video).

Mark Waite
