Can't update net.sourceforge.htmlunit to latest due to JDK7 enforcer


tzach....@gmail.com

Jul 26, 2020, 1:24:25 PM7/26/20
to Jenkins Developers
Hi All,

According to GitHub Advisory Database, I should update net.sourceforge.htmlunit to at least 2.37.0 in order to fix CVE-2020-5529.

My problem is once I do that and run mvn compile, maven enforcer blocks due to:
[INFO] Restricted to JDK 1.7 yet net.sourceforge.htmlunit:neko-htmlunit:jar:2.42.0:compile contains net/sourceforge/htmlunit/cyberneko/filters/DefaultFilter.class targeted to JDK 1.8

Should I fix the security issue? If so, how should I proceed?

Thanks,
Tzach

Gavin Mogan

Jul 26, 2020, 1:33:00 PM7/26/20
to Jenkins Developers
Update your plugin to use JDK 8. The default pom lets you set that by using a java.level property.

Recommended just updating the base plugin pom which does most things for you.


tzach solomon

Jul 26, 2020, 1:37:56 PM7/26/20
to jenkin...@googlegroups.com
Gavin Mogan, Thanks for the quick response :)
Are you referring to the maven.compiler.target property? If so, I've set it to 1.8 but I still get the same error.

Thanks,
Tzach

Gavin Mogan

Jul 26, 2020, 1:47:56 PM7/26/20
to Jenkins Developers
Not sure what to tell you. Check your effective pom. The compiler error says you're including JDK 8 compiled classes but are compiling with JDK 7.

tzach solomon

Jul 26, 2020, 1:53:03 PM7/26/20
to jenkin...@googlegroups.com
I've found the property you talked about, java.level.
I've set it to 8 and now it's working fine :)

But, I'm still afraid this is a breaking update.
I mean, it requires Jenkins to be running on JDK 8, while Jenkins 1.6+ only requires JDK 7.

Can someone please help?


Mark Waite

Jul 26, 2020, 2:12:34 PM7/26/20
to jenkinsci-dev
Usually the best technique is to accept that users who update plugins to newer releases are also users who update their Jenkins versions.

Plugin installation statistics can help with your decision of the minimum Jenkins version you should support.  See https://stats.jenkins.io/pluginversions/bitbucket.html for the summary of the installation statistics of the bitbucket plugin.  My reading of it is:
  • Over 80% of installations of Bitbucket plugin 1.11.0 are running Jenkins 2.204.1 or newer
  • Over 60% of all installations of Bitbucket plugin are running Jenkins 2.204.1 or newer
I chose 2.204.1 as the new basis for the git plugin and git client plugin on the assumption that if they are not updating Jenkins, they probably won't update the plugin even if I release it.  If they are updating Jenkins, then they will probably also update to a new version of the plugin.

Choosing a new Jenkins minimum version is not a breaking change.  Users running older Jenkins versions won't be offered the new release.

You may also find it helpful as a new plugin maintainer to enable the plugin BOM to help manage dependency versions and to enable Dependabot and Release Drafter to remove some of the "rote work" of maintaining dependencies. Dependency management is a good beginning, continuing in plugin BOM, Dependabot (video), and Release Drafter (video).

Mark Waite
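
Putting the fix from this thread into a plugin pom.xml, as an added example that is not taken from the thread or from any Jenkins project: java.level (the property Gavin named) raises the enforcer's bytecode level to 1.8, and pinning htmlunit to 2.37.0 is the CVE-2020-5529 fix Tzach describes. Assumptions: the parent POM version is a placeholder, jenkins.version uses the 2.204.1 baseline Mark mentions, and htmlunit is assumed to reach the build transitively through the test harness (hence test scope).

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- Jenkins plugin parent POM; the version is a placeholder, not a value from the thread -->
  <parent>
    <groupId>org.jenkins-ci.plugins</groupId>
    <artifactId>plugin</artifactId>
    <version>PLUGIN_POM_VERSION</version>
  </parent>
  <artifactId>my-plugin</artifactId>
  <version>1.0-SNAPSHOT</version>
  <packaging>hpi</packaging>

  <properties>
    <!-- Raises the enforcer's allowed bytecode level from JDK 1.7 to 1.8, which is what
         the neko-htmlunit 2.42.0 classes in the error message are compiled for -->
    <java.level>8</java.level>
    <!-- Minimum Jenkins core this plugin supports; 2.204.1 is an assumed baseline taken
         from Mark's git plugin decision, not a thread-wide recommendation -->
    <jenkins.version>2.204.1</jenkins.version>
  </properties>

  <dependencies>
    <!-- Pin htmlunit to the first release that fixes CVE-2020-5529 (assumes it is
         otherwise pulled in transitively for tests, so test scope is enough) -->
    <dependency>
      <groupId>net.sourceforge.htmlunit</groupId>
      <artifactId>htmlunit</artifactId>
      <version>2.37.0</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
```

Before running mvn compile, mvn help:effective-pom shows the resolved java.level and mvn dependency:tree confirms which htmlunit version actually wins, which is the "check your effective pom" step Gavin suggested.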

tzach solomon

Jul 26, 2020, 2:46:05 PM7/26/20
to jenkin...@googlegroups.com
Wow, big thanks Mark :)

I'll follow your links and advice
Again, big thanks :)

Tzach
