405 Method Not Allowed - Deploy to staging

[kudos-dude]

I received a pull request for something that I would like to get in for the `dependency-check-plugin`

I have the feature branch made, and I am attempting to run the maven "deploy to stage" process, but I'm receiving this error:

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-deploy-plugin:2.8.2:deploy (default-deploy) on project dependency-check-jenkins-plugin: Failed to deploy artifacts: Could not transfer artifact org.jenkins-ci.plugins:dependency-check-jenk
ins-plugin:hpi:5.1.2-20211118.144452-1 from/to maven.jenkins-ci.org (https://repo.jenkins-ci.org/org.owasp:dependency-check-plugin): Transfer failed for https://repo.jenkins-ci.org/org.owasp:dependency-check-plugin/org/jenkins-ci/plugins/dependency-check

-jenkins-plugin/5.1.2-SNAPSHOT/dependency-check-jenkins-plugin-5.1.2-20211118.144452-1.hpi 405 Method Not Allowed

Any idea how to get around this?

[Gavin Mogan]

afaik there's no staging repo.

it'll not allow snapshots to be released.

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/23259127-e2ac-4922-b862-3d1e434187bdn%40googlegroups.com.

[Daniel Beck]

The staging procedure is unique to security updates prepared in private. That does not apply here, so none of the instructions related to security fixes should be used.

Do a normal release:prepare release:perform as with any other release you create.

[kudos-dude]

Getting a 401 now. I'm assuming this has something to do with my `settings.xml` file?

Does someone have an example one for deploying to Jenkins-CI?

[Daniel Beck]

On Fri, Nov 19, 2021 at 3:56 PM kudos-dude <weston...@gmail.com> wrote:

Getting a 401 now. I'm assuming this has something to do with my `settings.xml` file?

Does someone have an example one for deploying to Jenkins-CI?

https://www.jenkins.io/doc/developer/publishing/releasing-manually/#artifactory-credentials-for-maven

[kudos-dude]

I've created my `settings.xml` file based off the article above. It includes my Jenkins credentials that allows me to sign in to all other Jenkins related logins (encrypted login/password created via `mvn --encrypt-password`. Tried various server id's including `maven.jenkins-ci.org` and `org.jenkins-ci-plugins`). Still getting a 401.

Could this be because I'm not within the `jenkins-ci` group within Github? I believe that I'm doing everything correctly here, so not sure what I'm missing.

[Daniel Beck]

On Fri, Nov 19, 2021 at 4:45 PM kudos-dude <weston...@gmail.com> wrote:

I've created my `settings.xml` file based off the article above. It includes my Jenkins credentials that allows me to sign in to all other Jenkins related logins (encrypted login/password created via `mvn --encrypt-password`.

Please try following the instructions to obtain the encrypted password.

[kudos-dude]

I'm using my Jenkins credentials to login to the Artifactory, but getting a invalid login response.

Is this a separate registration process?

I apologize needing to be walked through this. I thought I had this setup in the beginning, but that was a while ago.

[Mark Waite]

If the setup was before September 4, 2021, then you'll need to reset your password through https://beta.accounts.jenkins.io or https://accounts.jenkins.io .  Jenkins account passwords were reset as a result of the Confluence instance attack.

If you need to reset your password, I suspect that you'll find it won't work.  Your email address in the accounts.jenkins.io system will not be able to send you email because it is not a valid email address.  If you need a password reset, please send email to mark.earl.waite at gmail (that's me).  I'll have you perform some validation steps to confirm your identity, then send you the updated password.

Mark Waite

[kudos-dude]

I have successfully pushed the release to `repo.jenkins-ci.org`. It is reflected in JFrog.

How long will it take before this becomes available in the Plugin Manager? Should it be instant?

[Mark Waite]

Not quite instant, but usually within 10-15 minutes.

I usually check by opening https://updates.jenkins.io .  On that page there is a link to a page that has links to the latest releases.  Find your plugin, copy the URL, then paste it into a separate browser tab with '?mirrorlist' appended.

Thus, in my case, I copy https://updates.jenkins.io/latest/git.hpi on then the URL is https://updates.jenkins.io/latest/git.hpi?mirrorlist

--

You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/a67e2829-cfa2-4c94-9f32-ba08f6b652e1n%40googlegroups.com.

[kudos-dude]

It looks like I've gotten the release out correctly in JFrog, but the updated release is still not showing up in the `updates.jenkins.io`. Any ideas?

For reference, the 5.1.2 release is the latest

[Daniel Beck]

On Fri, Dec 3, 2021 at 10:15 PM kudos-dude <weston...@gmail.com> wrote:

It looks like I've gotten the release out correctly in JFrog, but the updated release is still not showing up in the `updates.jenkins.io`. Any ideas?

Last update was several hours ago, as you can see in the file timestamps. I'm looking into it, and expect it to be updated in half an hour or so.

[Gavin Mogan]

 curl -qLs https://updates.jenkins.io/update-center.actual.json | jq '.plugins["dependency-check-jenkins-plugin"] | {version,releaseTimestamp,buildDate}'
{
  "version": "5.1.2",
  "releaseTimestamp": "2021-12-03T15:39:13.00Z",
  "buildDate": "Dec 03, 2021"

}

What are you expecting?

To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/4c4153f0-b732-4c6c-b69b-6507f831cf6en%40googlegroups.com.

[kudos-dude]

I see it in the Update Center now. Didn't see the Check Now button down at the bottom

[kudos-dude]

Still have the security notice on the plugin after the update. How does that end up removed?

[Daniel Beck]

On Sat, Dec 4, 2021 at 12:00 AM kudos-dude <weston...@gmail.com> wrote:

Still have the security notice on the plugin after the update. How does that end up removed?

https://www.jenkins.io/security/plugins/#followup 

[Gavin Mogan]

I know there's been some issues with spam (DB and I both find each others emails in spam).

@kudos-dude, did you get his reply about how to follow up?

Also someone was asking if the CVE was fixed (I assume so) - https://community.jenkins.io/t/owasp-dependency-check-plugin-warning-security-2488-cve-2021-43577/950/2

Also Also, if you create a github release for the new version, it'll show up in the releases tab

[kudos-dude]

The CVE fix was in the 5.1.2 version that I pushed out, which is now available in the Update Center.

I did follow up via a Jira ticket here, though haven't received any traction there:
https://issues.jenkins.io/browse/INFRA-3148