Considering job-dsl-plugin adoption


Jerico Pena

Aug 7, 2024, 9:57:59 AM
to Jenkins Developers
Hello,

I recently created the following ticket to address a CVE with the job-dsl-plugin. I'm considering adopting the plugin in order to address the CVE, but would like to get some input on whether this will be a relatively simple undertaking or if I will be getting into "dependency hell" because this plugin relies on an older version of Groovy and Spock. Are there any videos or other resources that I could access to get up to speed on the code base? I have a fair amount of experience working with pipelines in Groovy, but have never worked with the Java side of Jenkins.


I also created this post in the Google group but have had no responses so far.


Thanks,
Jerico

Michael Kriese

Aug 8, 2024, 2:54:24 AM
to Jenkins Developers
I think the easiest solution is to directly reference a fixed Ant version; that should override the inherited version.

Jamie Tanna

Aug 8, 2024, 3:57:29 AM
to jenkin...@googlegroups.com
As current maintainer (who's seeking co-maintainers https://groups.google.com/g/jenkinsci-dev/c/WtNZKVWVlJ0/m/Zbd7SH_GFAAJ) I'd be happy to review a fix and release it, but won't be able to undertake the change.

Regarding adoption/co-maintaining, I'd be happy for you to get involved, as I'm currently not able to balance this (which I unfortunately no longer use for work, nor do I do much JVM stuff in recent years), but note that there's a long backlog of fixes and enhancements raised by the community.

I'd got through a few of them when I started maintaining, but there's still quite a few things to do.

Don't mean to put you off, just want to make sure you're aware going into it! 


Basil Crow

Aug 8, 2024, 2:18:27 PM
to jenkin...@googlegroups.com
Hi Jerico, and thanks for your interest in adopting this plugin. We would be thrilled to welcome you aboard as a maintainer, and I am available to help with onboarding as needed.

The first step would be for you to update the minimum Jenkins version to a recent release. Please prepare a PR as described in this tutorial and make any necessary changes to get tests to pass. Once these changes are complete, you will be ready to adopt the plugin.

The next step after that is to process recent PRs (reviewing/testing them and then merging them) and then do a release. The following PRs all look like they should be merged/released:
Once you have successfully performed your first release, you will be familiar with the build process and prepared to address the issue you originally came here about. https://github.com/jenkinsci/job-dsl-plugin/blob/master/docs/Testing-DSL-Scripts.md is still using Gradle and needs to be converted to Maven, as the official Jenkins build infrastructure does not support Gradle. Once it is converted to Maven, we can debug whatever issues are remaining against recent versions of Jenkins core.

Basil Crow

Aug 27, 2024, 5:10:26 PM
to jenkin...@googlegroups.com
Hi Jerico,

Were you still interested in working on Job DSL? I just cut a release
with a few bug fixes and dependency updates. Regarding your issue with
Groovy and Spock:
https://github.com/jenkinsci/job-dsl-plugin/blob/master/docs/Testing-DSL-Scripts.md
is still using Gradle and needs to be converted to Maven, as the
official Jenkins build infrastructure does not support Gradle. Once it
is converted to Maven, we can debug whatever issues are remaining
against recent versions of Jenkins core. I can help review this if you
open a PR.

Basil


Jerico Pena

Aug 28, 2024, 4:27:15 PM
to jenkin...@googlegroups.com
Hi Basil,

I'm still interested but haven't had time to work on it yet. Please feel free to move ahead if I am blocking things. Otherwise I should have time in a little while. Definitely appreciate your support to help me get going.

Best Regards,
Jerico

Basil Crow

Aug 28, 2024, 4:41:38 PM
to jenkin...@googlegroups.com
On Wed, Aug 28, 2024 at 1:27 PM Jerico Pena <jer...@gmail.com> wrote:
> I'm still interested but haven't had time to work on it yet.

Great; let me know when you have some time. The Job DSL plugin's own
test suite is using an old version of Spock (for the old version of
Groovy delivered by Jenkins core) but a new version of Ant (from the
Jenkins core BOM), and Dependabot reports no CVEs. A simple fix for
you may be to update Jenkins core to a recent version and import the
Jenkins core BOM (org.jenkins-ci.main:jenkins-bom) as described in
https://docs.gradle.org/current/userguide/platforms.html#sub:bom_import
-- if that works, then please file a PR to update the example at
https://github.com/jenkinsci/job-dsl-plugin/blob/master/docs/Testing-DSL-Scripts.md
accordingly.
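
The two fixes suggested in this thread (importing the Jenkins core BOM, and referencing a fixed Ant version directly), sketched as a Gradle build fragment. This is an added example, not part of any post and not the project's own build file; the version strings are placeholders because the thread names none, and the `testImplementation` configuration and repository list are assumptions.

```groovy
// build.gradle (Groovy DSL): added illustration, not the project's build file.
// JENKINS_VERSION and FIXED_ANT_VERSION are placeholders; the thread gives no versions.
plugins {
    id 'groovy'
}

repositories {
    mavenCentral()
    // Jenkins artifacts, including the core BOM, are published here.
    maven { url 'https://repo.jenkins-ci.org/public/' }
}

def jenkinsVersion = 'JENKINS_VERSION'

dependencies {
    // Option A (BOM import): treat the Jenkins core BOM as a platform so the
    // versions it manages are recommended for every module on this classpath,
    // including transitive ones.
    testImplementation platform("org.jenkins-ci.main:jenkins-bom:${jenkinsVersion}")

    // A module managed by the BOM can then be declared without a version.
    testImplementation 'org.apache.ant:ant'

    // Option B (fixed version): a dependency constraint only takes part in
    // resolution if Ant is already on the classpath, and it records why the
    // version is pinned. Gradle's default conflict resolution picks the
    // highest requested version, so this raises an older inherited Ant but
    // does not downgrade a newer one.
    constraints {
        testImplementation('org.apache.ant:ant:FIXED_ANT_VERSION') {
            because 'inherited Ant version is reported as vulnerable'
        }
    }
}

// Check which Ant version actually resolves, and which rule selected it:
//   gradle dependencyInsight --dependency ant --configuration testRuntimeClasspath
```

Either option alone is enough; when both are present, the higher of the two Ant versions is the one that resolves.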