Merge remote-tracking branch 'upstream/master'

Author: solonovamax

.github/workflows/jenkins-security-scan.yml

@@ -0,0 +1,21 @@
+name: Jenkins Security Scan
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    types: [ opened, synchronize, reopened ]
+  workflow_dispatch:
+
+permissions:
+  security-events: write
+  contents: read
+  actions: read
+
+jobs:
+  security-scan:
+    uses: jenkins-infra/jenkins-security-scan/.github/workflows/jenkins-security-scan.yaml@v2
+    with:
+      java-cache: 'maven' # Optionally enable use of a build dependency cache. Specify 'maven' or 'gradle' as appropriate.
+      # java-version: 21 # Optionally specify what version of Java to set up for the build, or remove to use a recent default.

pom.xml

@@ -4,7 +4,7 @@
   <parent>
     <groupId>org.jenkins-ci.plugins</groupId>
     <artifactId>plugin</artifactId>
-    <version>4.81</version>
+    <version>4.88</version>
     <relativePath />
   </parent>
 
@@ -33,7 +33,7 @@
     <changelist>999999-SNAPSHOT</changelist>
     <gitHubRepo>jenkinsci/${project.artifactId}-plugin</gitHubRepo>
     <hpi.compatibleSinceVersion>2.2.0</hpi.compatibleSinceVersion>
-    <jenkins.version>2.414.3</jenkins.version>
+    <jenkins.version>2.440.3</jenkins.version>
     <useBeta>true</useBeta>
     <spotless.check.skip>false</spotless.check.skip>
   </properties>
@@ -42,8 +42,8 @@
     <dependencies>
       <dependency>
         <groupId>io.jenkins.tools.bom</groupId>
-        <artifactId>bom-2.414.x</artifactId>
-        <version>2718.v7e8a_d43b_3f0b_</version>
+        <artifactId>bom-2.440.x</artifactId>
+        <version>3234.v5ca_5154341ef</version>
         <type>pom</type>
         <scope>import</scope>
       </dependency>
@@ -107,7 +107,7 @@
     <dependency>
       <groupId>org.awaitility</groupId>
       <artifactId>awaitility</artifactId>
-      <version>4.2.1</version>
+      <version>4.2.2</version>
       <scope>test</scope>
     </dependency>
     <dependency>

src/main/java/org/jenkinsci/plugins/github_branch_source/Connector.java

@@ -295,23 +295,22 @@ public static StandardCredentials lookupScanCredentials(
             @CheckForNull String repoOwner) {
         if (Util.fixEmpty(scanCredentialsId) == null) {
             return null;
-        } else {
-            StandardCredentials c = CredentialsMatchers.firstOrNull(
-                    CredentialsProvider.lookupCredentials(
-                            StandardUsernameCredentials.class,
-                            context,
-                            context instanceof Queue.Task
-                                    ? ((Queue.Task) context).getDefaultAuthentication()
-                                    : ACL.SYSTEM,
-                            githubDomainRequirements(apiUri)),
-                    CredentialsMatchers.allOf(
-                            CredentialsMatchers.withId(scanCredentialsId), githubScanCredentialsMatcher()));
-            if (c instanceof GitHubAppCredentials && repoOwner != null) {
-                return ((GitHubAppCredentials) c).withOwner(repoOwner);
-            } else {
-                return c;
-            }
         }
+        StandardCredentials c = CredentialsMatchers.firstOrNull(
+                CredentialsProvider.lookupCredentialsInItem(
+                        StandardUsernameCredentials.class,
+                        context,
+                        context instanceof Queue.Task
+                                ? ((Queue.Task) context).getDefaultAuthentication2()
+                                : ACL.SYSTEM2,
+                        githubDomainRequirements(apiUri)),
+                CredentialsMatchers.allOf(
+                        CredentialsMatchers.withId(scanCredentialsId), githubScanCredentialsMatcher()));
+
+        if (c instanceof GitHubAppCredentials && repoOwner != null) {
+            c = ((GitHubAppCredentials) c).withOwner(repoOwner);
+        }
+        return c;
     }
 
     /**

src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubAppCredentials.java

@@ -191,7 +191,7 @@ private static class CredentialsTokenProvider extends TokenProvider {
         private final GitHubAppCredentials credentials;
 
         CredentialsTokenProvider(GitHubAppCredentials credentials) {
-            super(credentials.appID, credentials.privateKey.getPlainText());
+            super(credentials.getAppID(), credentials.getPrivateKey().getPlainText());
             this.credentials = credentials;
         }
 
@@ -284,17 +284,17 @@ private static long getExpirationSeconds(GHAppInstallationToken appInstallationT
 
     @NonNull
     String actualApiUri() {
-        return Util.fixEmpty(apiUri) == null ? "https://api.github.com" : apiUri;
+        return Util.fixEmpty(getApiUri()) == null ? "https://api.github.com" : getApiUri();
     }
 
     private AppInstallationToken getToken(GitHub gitHub) {
         synchronized (this) {
             try {
                 if (cachedToken == null || cachedToken.isStale()) {
-                    LOGGER.log(Level.FINE, "Generating App Installation Token for app ID {0}", appID);
+                    LOGGER.log(Level.FINE, "Generating App Installation Token for app ID {0}", getAppID());
                     cachedToken = generateAppInstallationToken(
-                            gitHub, appID, privateKey.getPlainText(), actualApiUri(), owner);
-                    LOGGER.log(Level.FINER, "Retrieved GitHub App Installation Token for app ID {0}", appID);
+                            gitHub, getAppID(), getPrivateKey().getPlainText(), actualApiUri(), getOwner());
+                    LOGGER.log(Level.FINER, "Retrieved GitHub App Installation Token for app ID {0}", getAppID());
                 }
             } catch (Exception e) {
                 if (cachedToken != null && !cachedToken.isExpired()) {
@@ -304,14 +304,14 @@ private AppInstallationToken getToken(GitHub gitHub) {
                     LOGGER.log(
                             Level.WARNING,
                             "Failed to generate new GitHub App Installation Token for app ID "
-                                    + appID
+                                    + getAppID()
                                     + ": cached token is stale but has not expired",
                             e);
                 } else {
                     throw e;
                 }
             }
-            LOGGER.log(Level.FINEST, "Returned GitHub App Installation Token for app ID {0}", appID);
+            LOGGER.log(Level.FINEST, "Returned GitHub App Installation Token for app ID {0}", getAppID());
 
             return cachedToken;
         }
@@ -328,7 +328,7 @@ public Secret getPassword() {
     @NonNull
     @Override
     public String getUsername() {
-        return appID;
+        return getAppID();
     }
 
     @Override
@@ -338,9 +338,9 @@ public boolean isUsernameSecret() {
 
     @NonNull
     public synchronized GitHubAppCredentials withOwner(@NonNull String owner) {
-        if (this.owner != null) {
-            if (!owner.equals(this.owner)) {
-                throw new IllegalArgumentException("Owner mismatch: " + this.owner + " vs. " + owner);
+        if (this.getOwner() != null) {
+            if (!owner.equals(this.getOwner())) {
+                throw new IllegalArgumentException("Owner mismatch: " + this.getOwner() + " vs. " + owner);
             }
             return this;
         }
@@ -349,8 +349,8 @@ public synchronized GitHubAppCredentials withOwner(@NonNull String owner) {
         }
         return byOwner.computeIfAbsent(owner, k -> {
             GitHubAppCredentials clone =
-                    new GitHubAppCredentials(getScope(), getId(), getDescription(), appID, privateKey);
-            clone.apiUri = apiUri;
+                    new GitHubAppCredentials(getScope(), getId(), getDescription(), getAppID(), getPrivateKey());
+            clone.apiUri = getApiUri();
             clone.owner = owner;
             return clone;
         });
@@ -359,7 +359,7 @@ public synchronized GitHubAppCredentials withOwner(@NonNull String owner) {
     @NonNull
     @Override
     public Credentials forRun(Run<?, ?> context) {
-        if (owner != null) {
+        if (getOwner() != null) {
             return this;
         }
         Job<?, ?> job = context.getParent();
@@ -498,7 +498,7 @@ long getTokenStaleEpochSeconds() {
      *   <li>The agent need not be able to contact GitHub.
      * </ul>
      */
-    private Object writeReplace() {
+    protected Object writeReplace() {
         if (
         /* XStream */ Channel.current() == null) {
             return this;
@@ -523,12 +523,12 @@ private static final class DelegatingGitHubAppCredentials extends BaseStandardCr
         DelegatingGitHubAppCredentials(GitHubAppCredentials onMaster) {
             super(onMaster.getScope(), onMaster.getId(), onMaster.getDescription());
             JenkinsJVM.checkJenkinsJVM();
-            appID = onMaster.appID;
+            appID = onMaster.getAppID();
             JSONObject j = new JSONObject();
             j.put("appID", appID);
-            j.put("privateKey", onMaster.privateKey.getPlainText());
+            j.put("privateKey", onMaster.getPrivateKey().getPlainText());
             j.put("apiUri", onMaster.actualApiUri());
-            j.put("owner", onMaster.owner);
+            j.put("owner", onMaster.getOwner());
             tokenRefreshData = Secret.fromString(j.toString()).getEncryptedValue();
 
             // Check token is valid before sending it to the agent.
@@ -541,7 +541,7 @@ private static final class DelegatingGitHubAppCredentials extends BaseStandardCr
                 LOGGER.log(
                         Level.FINEST,
                         "Checking App Installation Token for app ID {0} before sending to agent",
-                        onMaster.appID);
+                        onMaster.getAppID());
                 onMaster.getPassword();
             } catch (Exception e) {
                 LOGGER.log(

src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMBuilder.java

@@ -124,7 +124,6 @@ public GitHubSCMBuilder(
         if (repoUrl != null) {
             withBrowser(new GithubWeb(repoUrl));
         }
-        withCredentials(credentialsId(), null);
     }
 
     /**
@@ -189,7 +188,9 @@ public final RepositoryUriResolver uriResolver() {
      *     {@code null} to detect the the protocol based on the credentialsId. Defaults to HTTP if
      *     credentials are {@code null}. Enables support for blank SSH credentials.
      * @return {@code this} for method chaining.
+     * @deprecated Use {@link #withCredentials(String)} and {@link #withResolver(RepositoryUriResolver)}
      */
+    @Deprecated
     @NonNull
     public GitHubSCMBuilder withCredentials(String credentialsId, RepositoryUriResolver uriResolver) {
         if (uriResolver == null) {
@@ -200,6 +201,12 @@ public GitHubSCMBuilder withCredentials(String credentialsId, RepositoryUriResol
         return withCredentials(credentialsId);
     }
 
+    @NonNull
+    public GitHubSCMBuilder withResolver(RepositoryUriResolver uriResolver) {
+        this.uriResolver = uriResolver;
+        return this;
+    }
+
     /**
      * Returns a {@link RepositoryUriResolver} according to credentials configuration.
      *
@@ -215,12 +222,12 @@ public static RepositoryUriResolver uriResolver(
             return HTTPS;
         } else {
             StandardCredentials credentials = CredentialsMatchers.firstOrNull(
-                    CredentialsProvider.lookupCredentials(
+                    CredentialsProvider.lookupCredentialsInItem(
                             StandardCredentials.class,
                             context,
                             context instanceof Queue.Task
-                                    ? ((Queue.Task) context).getDefaultAuthentication()
-                                    : ACL.SYSTEM,
+                                    ? ((Queue.Task) context).getDefaultAuthentication2()
+                                    : ACL.SYSTEM2,
                             URIRequirementBuilder.create()
                                     .withHostname(RepositoryUriResolver.hostnameFromApiUri(apiUri))
                                     .build()),