Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove hard-coded Java version in security scan #36

Merged
merged 1 commit into from
Aug 6, 2024

Conversation

basil
Copy link
Member

@basil basil commented Aug 6, 2024

Hard-coding Java 11 is a bad idea since we plan to EOL it in the next few months.

@basil basil requested a review from a team as a code owner August 6, 2024 20:13
@basil
Copy link
Member Author

basil commented Aug 6, 2024

@strangelookingnerd A number of these YML files are inconsistent. Can you please normalize them to avoid hard-coding a Java version in any of these YML files:

apache-httpcomponents-client-4-api-plugin
      java-version: 21 # What version of Java to set up for the build.
--
asm-api-plugin
      java-version: 11 # What version of Java to set up for the build.
--
authentication-tokens-plugin
      java-version: 21 # What version of Java to set up for the build.
--
blueocean-plugin
      java-version: 21 # What version of Java to set up for the build.
--
branch-api-plugin
      java-version: 21 # What version of Java to set up for the build.
--
cloudbees-folder-plugin
      java-version: 21 # What version of Java to set up for the build.
--
commons-lang3-api-plugin
      java-version: 11
--
commons-text-api-plugin
      java-version: 11
--
configuration-as-code-plugin
      java-version: 21 # What version of Java to set up for the build.
--
credentials-plugin
      java-version: 17 # What version of Java to set up for the build.
--
dashboard-view-plugin
      java-version: 17  # What version of Java to set up for the build.
--
docker-workflow-plugin
      java-version: 21 # What version of Java to set up for the build.
--
eddsa-api-plugin
      java-version: 11 # What version of Java to set up for the build.
--
favorite-plugin
      java-version: 17 # What version of Java to set up for the build.
--
git-client-plugin
      java-version: 21 # What version of Java to set up for the build.
--
git-plugin
      java-version: 21 # What version of Java to set up for the build.
--
git-server-plugin
      java-version: 17 # What version of Java to set up for the build.
--
gson-api-plugin
      java-version: 11 # What version of Java to set up for the build.
--
htmlpublisher-plugin
      java-version: 17 # What version of Java to set up for the build.
--
instance-identity-plugin
      java-version: 17 # What version of Java to set up for the build.
--
javadoc-plugin
      java-version: 21 # What version of Java to set up for the build.
--
joda-time-api-plugin
      java-version: 11 # What version of Java to set up for the build.
--
json-api-plugin
      java-version: 11 # What version of Java to set up for the build.
--
json-path-api-plugin
      java-version: 11 # What version of Java to set up for the build.
--
junit-plugin
      java-version: 21 # What version of Java to set up for the build.
--
kubernetes-credentials-plugin
      java-version: 21 # What version of Java to set up for the build.
--
kubernetes-plugin
      java-version: 21 # What version of Java to set up for the build.
--
mailer-plugin
      java-version: 17 # What version of Java to set up for the build.
--
matrix-project-plugin
      java-version: 17 # What version of Java to set up for the build.
--
metrics-plugin
      java-version: 21 # What version of Java to set up for the build.
--
oauth-credentials-plugin
      java-version: 21 # What version of Java to set up for the build.
--
pipeline-input-step-plugin
      java-version: 21 # What version of Java to set up for the build.
--
pipeline-maven-plugin
      java-version: 11 # What version of Java to set up for the build.
--
saml-plugin
      java-version: 11 # What version of Java to set up for the build.
--
ssh-agent-plugin
      java-version: 11
--
ssh-agents-plugin
      java-version: 17 # What version of Java to set up for the build.
--
support-core-plugin
      java-version: 17 # What version of Java to set up for the build.
--
token-macro-plugin
      java-version: 17 # What version of Java to set up for the build.
--
view-job-filters-plugin
      java-version: 17 # What version of Java to set up for the build.
--
workflow-api-plugin
      java-version: 21 # What version of Java to set up for the build.
--
workflow-job-plugin
      java-version: 21 # What version of Java to set up for the build.

@jonesbusy jonesbusy added the chore label Aug 6, 2024
@jonesbusy jonesbusy merged commit 1460bb7 into jenkinsci:main Aug 6, 2024
15 checks passed
@basil basil deleted the java-version branch August 6, 2024 20:36
@strangelookingnerd
Copy link

@strangelookingnerd A number of these YML files are inconsistent. Can you please normalize them to avoid hard-coding a Java version in any of these YML files:

I will look into it. My template uses the default, however I left the property and its description in place (commented-out). I thought this allows maintainers to change it more easily without consulting the documentation first.
I downgraded some builds because they simply did not run with Java 17 / 21.

@basil
Copy link
Member Author

basil commented Aug 6, 2024

This build obviously didn't need Java 11 to be hard-coded and I suspect almost all of the above are the same. I agree that it is nice to leave the defaults commented out to allow for customization. When there is a customization, the reason for the customization can be provided in a comment. A customization without a reason should not be retained.

@jonesbusy
Copy link
Contributor

Thanks for your PR.

I wanted to open a PR on https://github.com/jenkinsci/plugin-modernizer-tool to perform the cleanup (The GSoC 2024 project on openrewrite)

But it looks there is a bug on the original recipe to comment out a YAML property

openrewrite/rewrite#4392

This was referenced Aug 7, 2024
This was referenced Aug 8, 2024
@basil
Copy link
Member Author

basil commented Aug 8, 2024

Thank you very much! I have merged the PRs for critical plugins. If I have time I will try to go through the remaining long-tail plugins as well.

@a-zitzewitz
Copy link

For the Sonargraph Plugin, if I remove the Java version it defaults to Java 8 and that does not work. Higher Java versions should be ok...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants