[JIRA] (JENKINS-61741) Plugin Creation and Addition of Tags
Mark Symons created an issue: Jenkins / JENKINS-61741 Plugin Creation and Addition of Tags
Issue Type: Improvement
Assignee: Steve Springett
Components: dependency-track-plugin
Created: 2020-03-30 11:36
Priority: Minor
Reporter: Mark Symons

Dependency-Track Server allows projects to be provided with tags. This is a very useful way of slicing and dicing projects by team, customer, environment, etc., e.g. /projects/?tag=java

It would be useful if the Jenkins Dependency-Track plugin supported the specification of tags.

The ability to add an existing tag or to create and add a new tag might be best controlled by permissions, something requested in Dependency-Track Issue #586. For instance, I would prefer to see a build fail with a permissions issue (and a good error message) when attempting to use a tag that does not already exist in DT.

The implementation should also support lowercasing of tags (see also Dependency-Track Issue #238), so that when JAVA is specified in the plugin, what is actually used in DT is java.
[JIRA] (JENKINS-57697) [Error Handling] Error message not saying what fails
Mark Symons edited a comment on JENKINS-57697
Re: [Error Handling] Error message not saying what fails

Per Dependency-Track issue HTTP 500 response from Lookup API (https://github.com/DependencyTrack/dependency-track/issues/498), when using:
* Dependency-Track v3.6.0
* Jenkins pipeline with synchronous mode enabled
* dependency-track plugin 2.1.0 (but *thinking* the plugin was 2.2.0 with support for Lookup API).

{noformat}
14:28:56 [DependencyTrack] Publishing artifact to Dependency-Track - https://dependency-track..com
14:28:56 [DependencyTrack] The artifact was successfully published
14:29:06 [DependencyTrack] Polling Dependency-Track for BOM processing status
14:29:06 [DependencyTrack] Processing findings
14:29:06 [DependencyTrack] An error occurred while retrieving findings - HTTP response code: 500 Server Error
{noformat}

Enhancement in plugin would be to:
* Include the plugin version in Jenkins console logging. This alone would have made it clear that the version was too low in this case.
* Include more info on what is being queried for retrieving findings, i.e. project uuid. This would make it easier to match things up with DT server logs.

This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)
--
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.199635.1558945857000.4218.1574247901136%40Atlassian.JIRA.
[JIRA] (JENKINS-57697) [Error Handling] Error message not saying what fails
Mark Symons commented on JENKINS-57697
Re: [Error Handling] Error message not saying what fails

Per Dependency-Track issue HTTP 500 response from Lookup API, when using:
* Dependency-Track v3.6.0
* Jenkins pipeline with synchronous mode enabled
* dependency-track plugin 2.2.0 (but thinking the plugin was 2.2.0 with support for Lookup API).

14:28:56 [DependencyTrack] Publishing artifact to Dependency-Track - https://dependency-track..com
14:28:56 [DependencyTrack] The artifact was successfully published
14:29:06 [DependencyTrack] Polling Dependency-Track for BOM processing status
14:29:06 [DependencyTrack] Processing findings
14:29:06 [DependencyTrack] An error occurred while retrieving findings - HTTP response code: 500 Server Error

Enhancement in plugin would be to:
* Include the plugin version in Jenkins console logging. This alone would have made it clear that the version was too low in this case.
* Include more info on what is being queried for retrieving findings, i.e. project uuid. This would make it easier to match things up with DT server logs.
[JIRA] (JENKINS-59379) Update jackson-databind to 2.9.9.3
Mark Symons commented on JENKINS-59379
Re: Update jackson-databind to 2.9.9.3

Submitted pull request: https://github.com/jenkinsci/java-client-api/pull/427
[JIRA] (JENKINS-59379) Update jackson-databind to 2.9.9.3
Mark Symons updated an issue: Jenkins / JENKINS-59379 Update jackson-databind to 2.9.9.3
Change By: Mark Symons

Update jackson-databind from 2.9.9 to 2.9.9.3

This is to address four separate CVEs, two of which are critical:
* CVE-2019-14379 (9.8) - https://nvd.nist.gov/vuln/detail/2019-14379
* CVE-2019-14439 (7.5) - https://nvd.nist.gov/vuln/detail/2019-14439
* CVE-2019-12384 (5.9) - https://nvd.nist.gov/vuln/detail/2019-12384
* CVE-2019-12814 (5.9) - https://nvd.nist.gov/vuln/detail/2019-12814

As java-client-api uses three separate jackson modules, I suggest addressing the problem by using the jackson-bom POM import (2.9.9.20190807) in dependencyManagement.
[JIRA] (JENKINS-59379) Update jackson-databind to 2.9.9.3
Mark Symons created an issue: Jenkins / JENKINS-59379 Update jackson-databind to 2.9.9.3
Issue Type: Bug
Assignee: Karl-Heinz Marbaise
Components: java-client-api
Created: 2019-09-15 10:49
Labels: security
Priority: Critical
Reporter: Mark Symons

Update jackson-databind from 2.9.9 to 2.9.9.3

This is to address four separate CVEs, two of which are critical:
* CVE-2019-14379 (9.8)
* CVE-2019-14439 (7.5)
* CVE-2019-12384 (5.9)
* CVE-2019-12814 (5.9)

As java-client-api uses three separate jackson modules, I suggest addressing the problem by using the jackson-bom POM import (2.9.9.20190807) in dependencyManagement.
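As an added illustration of the suggestion in the issue above (not a fragment from the issue or from the java-client-api project), a pom.xml that imports the jackson-bom named there into dependencyManagement so that every Jackson module resolves to the same patched release; the three module artifactIds listed are assumed for illustration and should be replaced by whatever the project actually declares.

```xml
<!-- Added example: pin all Jackson modules through a single BOM import.
     The BOM version is the one proposed in the issue (2.9.9.20190807);
     the module list below is illustrative only. -->
<project>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.fasterxml.jackson</groupId>
        <artifactId>jackson-bom</artifactId>
        <version>2.9.9.20190807</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- No <version> on the modules: each one inherits the version managed
         by the BOM, so a security bump of one module cannot leave the others
         at an incompatible release. -->
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-core</artifactId>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-annotations</artifactId>
    </dependency>
  </dependencies>
</project>
```

Confirm the effective versions with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` before and after the change, since any transitive dependency that still declares its own jackson version will show up there.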
[JIRA] (JENKINS-57697) [Error Handling] Error message not saying what fails
Mark Symons commented on JENKINS-57697
Re: [Error Handling] Error message not saying what fails

From Dependency-Track Issue #388

Current Behavior:
After upgrade of Dependency-Track from v3.4.1 to v3.5.0, the treatment of Auto-Created Projects With Empty Name has changed, per fixes for #279. In v3.5.0, a pipeline job now fails when the name element in the maven POM is empty and the configuration is for autocreate. From Jenkins console:

[Pipeline] dependencyTrackPublisher
14:26:54 [DependencyTrack] Publishing artifact to Dependency-Track - https://dependency-track.card.co.uk
14:26:54 [DependencyTrack] Invalid payload submitted to server

Then...

14:29:09 [INFO]
14:29:09 [INFO] BUILD SUCCESS
14:29:09 [INFO]

Then

Finished: FAILURE

The problem with this is that there is no ERROR or WARNING anywhere in the console that indicates where the problem occurred. One has to read the entire output in order to see that the problem lies with publishing the BOM. Secondly, the "Invalid payload" text is not very helpful. The developer whose project this was was totally in the dark... it was only because I remembered logging #279 that I deduced the cause (which was then fixed in no time at all). Thus, a couple of man-hours were expended.

Steps to Reproduce:
Using cyclonedx-maven-plugin 1.4.1, generate a BOM for a maven project where the name element is missing. Publish to Dependency-Track v3.5.0 using autocreate in a pipeline.

Expected Behavior:
1. The HTTP 400 response from the server should explain what went wrong (something that might be useful in other use cases?). Per RFC 7231: "The 4xx (Client Error) class of status code indicates that the client seems to have erred. Except when responding to a HEAD request, the server SHOULD send a representation containing an explanation of the error situation, and whether it is a temporary or permanent condition."
2. The Dependency-Track plugin should be able to parse this explanation and display it in the console, i.e. "name element missing". Alternatively, maybe the plugin should error before even trying to connect to the server?
3. The error should cause the pipeline to fail in a way that is easier to audit (although I am not a pipeline expert... is this a problem that should be part of the pipeline logic itself?).

Environment:
Dependency-Track Version: 3.5.0
Distribution: Executable WAR
BOM Format & Version: 1.1 (cyclonedx-maven-plugin v1.4.1)
Dependency-Track Plugin
[JIRA] (JENKINS-56908) Provide a "Test Connection" button to plugin configuration
Mark Symons updated an issue: Jenkins / JENKINS-56908 Provide a "Test Connection" button to plugin configuration
Change By: Mark Symons
Attachment: job-import-test-connection.png
[JIRA] (JENKINS-51746) Job Import Plugin does not import jobs
Mark Symons edited a comment on JENKINS-51746
Re: Job Import Plugin does not import jobs

I ran into exactly this problem today with plugin v3.2... when trying to actually use the plugin, the page would just refresh (without displaying an error) whenever "query!" was clicked.

For me, the problem turned out to be with credentials... the correct permissions had not been set up on the remote Jenkins server.

I have logged an enhancement JENKINS-56908 to "Provide a "Test Connection" button to plugin configuration".
[JIRA] (JENKINS-51746) Job Import Plugin does not import jobs
Mark Symons commented on JENKINS-51746
Re: Job Import Plugin does not import jobs

I ran into exactly this problem today... when trying to actually use the plugin, the page would just refresh (without displaying an error) whenever "query!" was clicked.

For me, the problem turned out to be with credentials... the correct permissions had not been set up on the remote Jenkins server.

I have logged an enhancement JENKINS-56908 to "Provide a "Test Connection" button to plugin configuration".
[JIRA] (JENKINS-56908) Provide a "Test Connection" button to plugin configuration
Mark Symons created an issue: Jenkins / JENKINS-56908 Provide a "Test Connection" button to plugin configuration
Issue Type: Improvement
Assignee: Unassigned
Components: job-import-plugin
Created: 2019-04-05 11:56
Priority: Minor
Reporter: Mark Symons

Add a "Test Connection" button to the plugin configuration (Manage Jenkins -> Configure System) so that the administrator can get immediate feedback on various connectivity issues:
* DNS (URL cannot be resolved)
* Firewall (or other connectivity) problem
* Invalid port specification
* Invalid credentials

A "Test Connection" button is provided by other plugins such as Slack-Notification and Dependency-Track.
[JIRA] (JENKINS-55926) Support for Multiple Dependency-Track Servers
Mark Symons created an issue: Jenkins / JENKINS-55926 Support for Multiple Dependency-Track Servers
Issue Type: Improvement
Assignee: Steve Springett
Components: dependency-track-plugin
Created: 2019-02-02 15:58
Environment: dependency-track-plugin 2.1.0, Jenkins 2.150.2, Dependency-Track Server 3.4.0
Priority: Minor
Reporter: Mark Symons

dependency-track-plugin 2.1.0 allows configuration of (and connection to) a single Dependency-Track server. It would be useful if the plugin allowed configuration of additional servers, i.e. similar to the way that SonarQube Scanner for Jenkins works. If implemented, then the various job types would need to be able to specify which server to use.

Use cases:
* Testing of a new Dependency-Track Server, e.g. 3.5 Beta.
* Running publish more than once in a job, e.g. once to an internal DT server and then to a customer-facing DT server.
[JIRA] (JENKINS-55661) Extend test connection functionality to account for server-side permissions
Mark Symons commented on JENKINS-55661
Re: Extend test connection functionality to account for server-side permissions

There's a couple more ways in which test connectivity can be improved. I assume that catering for one or both of the following in "Test Connection" would also benefit logging in running jobs.

Connection Timeout: Provide IP
Test Button reports Exception message. This clearly shows that the connection has timed out, but nothing more that would help with diagnostics. Including the IP address would help in situations where DNS (or HOSTS file) is misconfigured.

Use case: Jenkins server in one cloud provider and DT server in another. Connection between the two is via a jump server (SSH tunnelling), meaning that DNS gives the incorrect IP address for connecting. Without IP address info (i.e., how Jenkins is resolving the DT server hostname) it's not easy to work out why things are not working. There are variations on this use case... for instance, the DT address might resolve differently in internal and external DNS, and Jenkins is using the wrong DNS server.

Connection Successful but Unexpected Response: Provide Response Information
If successful configuration of DT server URL in Jenkins requires provision of a port number (e.g. using a proxy or jump server) then the port number will sometimes be wrong... resulting in connection to "the wrong thing" (in my case, it was a SonarQube server) and an error response. "Test Connection" is currently reporting an (instant) fail but is not providing any additional information, i.e. content of HTTP 404 or 405 (or whatever).
[JIRA] (JENKINS-55661) Extend test connection functionality to account for server-side permissions
Mark Symons created an issue: Jenkins / JENKINS-55661 Extend test connection functionality to account for server-side permissions
Issue Type: Improvement
Assignee: Steve Springett
Components: dependency-track-plugin
Created: 2019-01-17 18:20
Priority: Minor
Reporter: Mark Symons

Dependency-Track Plugin connection to Dependency-Track server is managed via "Configure System" and is provided with a Test Connection button. The test connection functionality should be enhanced to account for server-side permissions, e.g. whether or not PROJECT_CREATION_UPLOAD permission exists when "Auto Create Projects" is checked in Jenkins.
[JIRA] (JENKINS-55632) Endless "Polling Dependency-Track for BoM processing status"
Mark Symons created an issue: Jenkins / JENKINS-55632 Endless "Polling Dependency-Track for BoM processing status"
Issue Type: Bug
Assignee: Steve Springett
Components: dependency-track-plugin
Created: 2019-01-17 01:17
Environment: dependency-track-plugin v2.0.2, Jenkins v2.150.1, Dependency-Track Server v3.4.0
Priority: Major
Reporter: Mark Symons

During times when Dependency-Track server is experiencing maxed-out CPU usage, the dependency-track-plugin (operating in synchronous mode) will endlessly poll the DT server. The Jenkins job will continue running until it is aborted, logging the following to the console:

[DependencyTrack] Publishing artifact to Dependency-Track
[DependencyTrack] The artifact was successfully published
[DependencyTrack] Polling Dependency-Track for BoM processing status
[DependencyTrack] Polling Dependency-Track for BoM processing status
...

The polling should have a timeout limit and then fail.

This was originally reported as part of reporting high CPU usage in DT server (issue #264) and has been re-logged here in order to aid change control. Commits have already been made to address the defect, e.g.: Added polling timeout
[JIRA] (JENKINS-55627) Display Links to DT Server
Mark Symons created an issue: Jenkins / JENKINS-55627 Display Links to DT Server
Issue Type: Improvement
Assignee: Steve Springett
Components: dependency-track-plugin
Created: 2019-01-16 17:34
Priority: Minor
Reporter: Mark Symons

Dependency-Track plugin should display links from the Jenkins job to the relevant Dependency-Track Server project. Such links would ease the process: allow instant navigation from Jenkins to the place where one has to perform auditing and management!

The links should be provided independent of whether or not "synchronous publishing mode" is enabled. The links should be provided for pipeline jobs and old-style maven/freestyle jobs.

Possibly, the enhancement could be extended via incorporation of badges, should Dependency-Track issue 252 be implemented.

I am using the plugin in synchronous mode (as advised in the best practice documentation) and the resulting "Dependency-Track" Results are certainly handsome looking. However, there are no links for the listed CVEs, etc. (links which are provided by the Dependency-Check plugin). Maybe that could be the subject of a separate enhancement issue... but if one could just click a link to DT server then all the info would be available there anyway.

The above observations are based on usage of:
* Dependency-Track Server v3.4.0
* Jenkins v2.150.1
* cyclonedx-maven-plugin v1.3.1 (and cyclonedx-node-module as well)
[JIRA] (JENKINS-55601) Update documentation with links to JIRA Issue Tracking
Mark Symons created an issue: Jenkins / JENKINS-55601 Update documentation with links to JIRA Issue Tracking
Issue Type: Improvement
Assignee: Steve Springett
Components: dependency-track-plugin
Created: 2019-01-15 15:55
Labels: documentation
Priority: Minor
Reporter: Mark Symons

Update README.md with a link to JIRA. Additionally, add a link to the plugin listing. Perhaps to the external references section?

Suggest tweaking the link so that it filters by the dependency-track-plugin component: https://issues.jenkins-ci.org/issues/?jql=component%20%3D%20dependency-track-plugin

This would provide visibility into what issues have already been logged.
[JIRA] (JENKINS-54944) Add Build Time to Dashboard Portlet
Mark Symons created an issue: Jenkins / JENKINS-54944 Add Build Time to Dashboard Portlet
Issue Type: Improvement
Assignee: Unassigned
Components: dependency-check-jenkins-plugin
Created: 2018-11-29 13:03
Priority: Minor
Reporter: Mark Symons

Dependency-Check Plugin 4.0.0 (and earlier) offers an integration with Dashboard View. Addition of a "Build Time" column to portlets such as "Dependency-Check vulnerabilities per project" would be useful as this would allow one to instantly see that a job with high threat has not been built in a while, or simply confirm that all jobs are current, etc.

The addition of the column should be optional, in case the user decides that the info is superfluous or that the display looks a bit squashed (e.g., when using portlets in the left/right column).

The build time is more useful than "Last Success" and "Last Failure" as it provides a single sortable column and because Dependency-Check plugin can generate a report even for a failing build.

The Build Time can already be displayed using the "Latest builds" portlet - but the result can be hard to work with when there are lots of jobs (lots of scrolling up and down).
[JIRA] (JENKINS-53832) Jenkins 2.138.1 unable to start on CentOS 5
Mark Symons created an issue: Jenkins / JENKINS-53832 Jenkins 2.138.1 unable to start on CentOS 5
Issue Type: Improvement
Assignee: Unassigned
Components: core
Created: 2018-09-28 13:02
Environment: Jenkins 2.138.1, CentOS 5.11, Java 1.8.0_172
Priority: Minor
Reporter: Mark Symons

Jenkins 2.121.3 works fine on CentOS 5.11 but fails to start after upgrade to 2.38.1:

Starting Jenkins
Exception in thread "main" java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at Main._main(Main.java:227)
    at Main.main(Main.java:160)
Caused by: java.lang.UnsatisfiedLinkError: /tmp/jna--1712433994/jna6461328951212197580.tmp: /lib64/libc.so.6: version `GLIBC_2.7' not found (required by /tmp/jna--1712433994/jna6461328951212197580.tmp)
    at java.lang.ClassLoader$NativeLibrary.load(Native Method)
    at java.lang.ClassLoader.loadLibrary0(ClassLoader.java:1941)
    at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1824)
    at java.lang.Runtime.load0(Runtime.java:809)
    at java.lang.System.load(System.java:1086)
    at com.sun.jna.Native.loadNativeDispatchLibraryFromClasspath(Native.java:947)
    at com.sun.jna.Native.loadNativeDispatchLibrary(Native.java:922)
    at