.github/workflows/jenkins-security-scan.yml

@@ -0,0 +1,21 @@
+name: Jenkins Security Scan
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    types: [ opened, synchronize, reopened ]
+  workflow_dispatch:
+
+permissions:
+  security-events: write
+  contents: read
+  actions: read
+
+jobs:
+  security-scan:
+    uses: jenkins-infra/jenkins-security-scan/.github/workflows/jenkins-security-scan.yaml@v2
+    with:
+      java-cache: 'maven' # Optionally enable use of a build dependency cache. Specify 'maven' or 'gradle' as appropriate.
+      # java-version: 21 # Optionally specify what version of Java to set up for the build, or remove to use a recent default.

pom.xml

@@ -4,7 +4,7 @@
   <parent>
     <groupId>org.jenkins-ci.plugins</groupId>
     <artifactId>plugin</artifactId>
-    <version>4.81</version>
+    <version>5.7</version>
     <relativePath />
   </parent>
 
@@ -32,16 +32,18 @@
   <properties>
     <revision>3</revision>
     <changelist>999999-SNAPSHOT</changelist>
-    <jenkins.version>2.426.3</jenkins.version>
+    <!-- https://www.jenkins.io/doc/developer/plugin-development/choosing-jenkins-baseline/ -->
+    <jenkins.baseline>2.479</jenkins.baseline>
+    <jenkins.version>${jenkins.baseline}.1</jenkins.version>
     <gitHubRepo>jenkinsci/${project.artifactId}-plugin</gitHubRepo>
   </properties>
 
   <dependencyManagement>
     <dependencies>
       <dependency>
         <groupId>io.jenkins.tools.bom</groupId>
-        <artifactId>bom-2.426.x</artifactId>
-        <version>2555.v3190a_8a_c60c6</version>
+        <artifactId>bom-${jenkins.baseline}.x</artifactId>
+        <version>4136.vca_c3202a_7fd1</version>
         <type>pom</type>
         <scope>import</scope>
       </dependency>
@@ -60,7 +62,6 @@
     <dependency>
       <groupId>io.jenkins.plugins</groupId>
       <artifactId>eddsa-api</artifactId>
-      <version>0.3.0-4.v84c6f0f4969e</version>
     </dependency>
     <dependency>
       <groupId>org.jenkins-ci.modules</groupId>

src/main/java/org/jenkinsci/main/modules/cli/auth/ssh/UserPropertyImpl.java

@@ -5,6 +5,7 @@
 import hudson.model.UserProperty;
 import hudson.model.UserPropertyDescriptor;
 import hudson.model.User;
+import hudson.model.userproperty.UserPropertyCategory;
 import hudson.util.FormValidation;
 
 import java.io.BufferedReader;
@@ -58,15 +59,9 @@ public String getDisplayName() {
             return "SSH Public Keys";
         }
 
-        //        @Override
-        //        public @NonNull UserPropertyCategory getUserPropertyCategory() {
-        //            return UserPropertyCategory.get(UserPropertyCategory.Security.class);
-        //        }
-
-        // replace with above method when bumping core to version including:
-        // https://github.com/jenkinsci/jenkins/pull/7268
-        public String getUserPropertyCategoryAsString() {
-            return "security";
+        @Override
+        public @NonNull UserPropertyCategory getUserPropertyCategory() {
+            return UserPropertyCategory.get(UserPropertyCategory.Security.class);
         }
 
         public UserProperty newInstance(User user) {

src/main/java/org/jenkinsci/main/modules/sshd/PublicKeyAuthenticatorImpl.java

@@ -4,9 +4,9 @@
 import edu.umd.cs.findbugs.annotations.NonNull;
 import hudson.model.User;
 import jenkins.security.SecurityListener;
-import org.acegisecurity.AuthenticationException;
-import org.acegisecurity.userdetails.UserDetails;
-import org.acegisecurity.userdetails.UsernameNotFoundException;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.apache.sshd.server.auth.pubkey.PublickeyAuthenticator;
 import org.apache.sshd.server.session.ServerSession;
 import org.jenkinsci.main.modules.cli.auth.ssh.PublicKeySignatureWriter;
@@ -41,7 +41,7 @@ public boolean authenticate(String username, PublicKey key, ServerSession sessio
             return false;
         }
 
-        SecurityListener.fireAuthenticated(user.getUserDetailsForImpersonation());
+        SecurityListener.fireAuthenticated2(user.getUserDetailsForImpersonation2());
         return true;
     }
 
@@ -70,7 +70,7 @@ public boolean authenticate(String username, PublicKey key, ServerSession sessio
 
     private @CheckForNull UserDetails verifyUserUsingSecurityRealm(@NonNull User user) {
         try {
-            return user.getUserDetailsForImpersonation();
+            return user.getUserDetailsForImpersonation2();
         } catch (UsernameNotFoundException e) {
             LOGGER.log(Level.FINE, e, () -> user.getId() + " is not a real user according to SecurityRealm");
             return null;

src/main/java/org/jenkinsci/main/modules/sshd/SSHD.java

@@ -34,7 +34,7 @@
 import org.apache.sshd.server.SshServer;
 import org.apache.sshd.server.auth.UserAuthFactory;
 import org.jenkinsci.main.modules.instance_identity.InstanceIdentity;
-import org.kohsuke.stapler.StaplerRequest;
+import org.kohsuke.stapler.StaplerRequest2;
 
 /**
  * @author Kohsuke Kawaguchi
@@ -240,7 +240,7 @@ public synchronized void stop() throws IOException, InterruptedException {
     }
 
     @Override
-    public boolean configure(StaplerRequest req, JSONObject json) throws FormException {
+    public boolean configure(StaplerRequest2 req, JSONObject json) throws FormException {
         setPort(new ServerTcpPort(json.getJSONObject("port")).getPort());
         return true;
     }

src/main/resources/org/jenkinsci/main/modules/sshd/PortAdvertiser/httpHeaders.groovy

@@ -2,4 +2,4 @@ package org.jenkinsci.main.modules.sshd.PortAdvertiser;
 
 def v = my.endpoint;
 if (v!=null)
-    response.addHeader("X-SSH-Endpoint",v);
+    response2.addHeader("X-SSH-Endpoint",v);

src/test/java/org/jenkinsci/main/modules/cli/auth/ssh/CLITest.java

@@ -54,13 +54,13 @@
 import org.kohsuke.stapler.HttpResponses.HttpResponseException;
 import org.kohsuke.stapler.Stapler;
 import org.kohsuke.stapler.StaplerProxy;
-import org.kohsuke.stapler.StaplerRequest;
-import org.kohsuke.stapler.StaplerResponse;
+import org.kohsuke.stapler.StaplerRequest2;
+import org.kohsuke.stapler.StaplerResponse2;
 
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.IOException;
@@ -234,11 +234,11 @@ public static final class NoJenkinsAction extends CrumbExclusion implements Unpr
         }
 
         @Override public Object getTarget() {
-            doDynamic(Stapler.getCurrentRequest(), Stapler.getCurrentResponse());
+            doDynamic(Stapler.getCurrentRequest2(), Stapler.getCurrentResponse2());
             return this;
         }
 
-        public void doDynamic(StaplerRequest req, StaplerResponse rsp) {
+        public void doDynamic(StaplerRequest2 req, StaplerResponse2 rsp) {
             rsp.setStatus(200);
         }
 
@@ -297,15 +297,15 @@ public static final class CliProxyAction extends CrumbExclusion implements Unpro
         }
 
         @Override public Object getTarget() {
-            throw doDynamic(Stapler.getCurrentRequest(), Stapler.getCurrentResponse());
+            throw doDynamic(Stapler.getCurrentRequest2(), Stapler.getCurrentResponse2());
         }
 
-        public HttpResponseException doDynamic(StaplerRequest req, StaplerResponse rsp) {
+        public HttpResponseException doDynamic(StaplerRequest2 req, StaplerResponse2 rsp) {
             final String url = req.getRequestURIWithQueryString().replaceFirst("/cli-proxy", "");
             // Custom written redirect so no traces of Jenkins are present in headers
             return new HttpResponseException() {
                 @Override
-                public void generateResponse(StaplerRequest req, StaplerResponse rsp, Object node) throws IOException, ServletException {
+                public void generateResponse(StaplerRequest2 req, StaplerResponse2 rsp, Object node) throws IOException, ServletException {
                     rsp.setHeader("Location", url);
                     rsp.setContentType("text/html");
                     rsp.setStatus(HttpURLConnection.HTTP_MOVED_TEMP);

src/test/java/org/jenkinsci/main/modules/sshd/SSHDTest.java

@@ -3,15 +3,14 @@
 import hudson.Functions;
 import hudson.security.AbstractPasswordBasedSecurityRealm;
 import hudson.security.GroupDetails;
-import org.acegisecurity.AccountExpiredException;
-import org.acegisecurity.AuthenticationException;
-import org.acegisecurity.CredentialsExpiredException;
-import org.acegisecurity.DisabledException;
-import org.acegisecurity.GrantedAuthority;
-import org.acegisecurity.LockedException;
-import org.acegisecurity.userdetails.User;
-import org.acegisecurity.userdetails.UserDetails;
-import org.acegisecurity.userdetails.UsernameNotFoundException;
+import org.springframework.security.authentication.AccountExpiredException;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.authentication.CredentialsExpiredException;
+import org.springframework.security.authentication.DisabledException;
+import org.springframework.security.authentication.LockedException;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.apache.sshd.client.SshClient;
 import org.apache.sshd.client.future.ConnectFuture;
 import org.apache.sshd.client.keyverifier.AcceptAllServerKeyVerifier;
@@ -26,7 +25,6 @@
 import org.junit.Test;
 import org.jvnet.hudson.test.Issue;
 import org.jvnet.hudson.test.JenkinsRule;
-import org.springframework.dao.DataAccessException;
 
 import java.io.IOException;
 import java.net.InetSocketAddress;
@@ -154,12 +152,12 @@ private static KeyPair generateKeys(hudson.model.User user) throws NoSuchAlgorit
     @Issue("JENKINS-55813")
     private static class InvalidUserTypesRealm extends AbstractPasswordBasedSecurityRealm {
         @Override
-        protected UserDetails authenticate(String user, String pass) throws AuthenticationException {
-            return loadUserByUsername(user);
+        protected UserDetails authenticate2(String user, String pass) throws AuthenticationException {
+            return loadUserByUsername2(user);
         }
 
         @Override
-        public UserDetails loadUserByUsername(String user) throws UsernameNotFoundException, DataAccessException {
+        public UserDetails loadUserByUsername2(String user) throws UsernameNotFoundException {
             switch (user) {
                 case "disabled":
                     throw new DisabledException(user);
@@ -174,12 +172,12 @@ public UserDetails loadUserByUsername(String user) throws UsernameNotFoundExcept
                     throw new LockedException(user);
 
                 default:
-                    return new User(user, "", true, true, true, true, new GrantedAuthority[0]);
+                    return new User(user, "", true, true, true, true, List.of());
             }
         }
 
         @Override
-        public GroupDetails loadGroupByGroupname(String group) throws UsernameNotFoundException, DataAccessException {
+        public GroupDetails loadGroupByGroupname2(String groupname, boolean fetchMembers) throws UsernameNotFoundException {
             throw new UnsupportedOperationException();
         }
     }