
Fix CVE 2019 10474 and bump dependencies #12

Merged
orctom merged 3 commits into jenkinsci:master from monwolf:bugfix/CVE-2019-10474
Mar 24, 2023

Conversation

monwolf (Contributor) commented Feb 7, 2023

This PR addresses GHSA-24w5-w6fw-qqx7, updates dependencies and removes getInstance calls

monwolf (Contributor, Author) commented Feb 7, 2023

@MarkEWaite @orctom I can test in the CI, because I upgraded the parent, Jenkins, and the requirements of the Java version, so if the Jenkinsfile in master isn't upgraded it still tries with Java 8.

Running tests locally is fine:

berni@berni-pc MINGW64 ~/OneDrive/Escritorio/global-post-script-plugin (bugfix/CVE-2019-10474)
$ docker run -it --rm --name my-maven-project -v maven-repo:/root/.m2 -v "$(pwd)":/usr/src/mymaven -w /usr/src/mymaven maven:3-jdk-11 mvn clean install
[INFO] Scanning for projects...
[WARNING] The POM for org.jenkins-ci.tools:maven-hpi-plugin:jar:3.38 is missing, no dependency information available
[WARNING] Failed to build parent project for org.jenkins-ci.plugins:global-post-script:hpi:1.1.6-SNAPSHOT
[INFO]
[INFO] -------------< org.jenkins-ci.plugins:global-post-script >--------------
[INFO] Building Global Post Script Plugin 1.1.6-SNAPSHOT
[INFO] --------------------------------[ hpi ]---------------------------------
[INFO] 
[INFO] --- maven-clean-plugin:3.2.0:clean (default-clean) @ global-post-script ---
[INFO] Deleting /usr/src/mymaven/target
[INFO] 
[INFO] --- maven-hpi-plugin:3.38:validate (default-validate) @ global-post-script ---
[INFO] 
[INFO] --- maven-hpi-plugin:3.38:validate-hpi (default-validate-hpi) @ global-post-script ---
[INFO] 
[INFO] --- maven-enforcer-plugin:3.1.0:display-info (display-info) @ global-post-script ---
[INFO] Maven Version: 3.8.6
[INFO] JDK Version: 11.0.16 normalized as: 11.0.16
[INFO] Java Vendor: Oracle Corporation
[INFO] OS Info: Arch: amd64 Family: unix Name: linux Version: 5.4.72-microsoft-standard-wsl2
[INFO]
[INFO] --- maven-enforcer-plugin:3.1.0:enforce (display-info) @ global-post-script ---
[INFO] 
[INFO] --- maven-enforcer-plugin:3.1.0:enforce (no-snapshots-in-release) @ global-post-script ---
[INFO]
[INFO] --- gmavenplus-plugin:2.1.0:addTestSources (test-in-groovy) @ global-post-script ---
[INFO] 
[INFO] --- localizer-maven-plugin:1.31:generate (default) @ global-post-script ---
[INFO] 
[INFO] --- maven-resources-plugin:3.3.0:resources (default-resources) @ global-post-script ---
[INFO] Copying 3 resources
[INFO] 
[INFO] --- maven-compiler-plugin:3.10.1:compile (default-compile) @ global-post-script ---
[INFO] Changes detected - recompiling the module!
[INFO] Compiling 10 source files to /usr/src/mymaven/target/classes
[INFO] /usr/src/mymaven/src/main/java/com/orctom/jenkins/plugin/globalpostscript/ScriptContentLoader.java: Some input files use or override a deprecated API.
[INFO] /usr/src/mymaven/src/main/java/com/orctom/jenkins/plugin/globalpostscript/ScriptContentLoader.java: Recompile with -Xlint:deprecation for details.
[INFO]
[INFO] --- access-modifier-checker:1.30:enforce (default-enforce) @ global-post-script ---
[INFO] 
[INFO] --- maven-hpi-plugin:3.38:insert-test (default-insert-test) @ global-post-script ---
[INFO] 
[INFO] --- gmavenplus-plugin:2.1.0:generateTestStubs (test-in-groovy) @ global-post-script ---
[INFO] No sources specified for stub generation. Skipping.
[INFO] Generated 0 stubs.
[INFO]
[INFO] --- maven-antrun-plugin:3.1.0:run (createTempDir) @ global-post-script ---
[INFO] Executing tasks
[INFO] Executed tasks
[INFO]
[INFO] --- maven-resources-plugin:3.3.0:testResources (default-testResources) @ global-post-script ---
[INFO] Copying 5 resources
[INFO] 
[INFO] --- maven-compiler-plugin:3.10.1:testCompile (default-testCompile) @ global-post-script ---
[INFO] Changes detected - recompiling the module!
[INFO] Compiling 3 source files to /usr/src/mymaven/target/test-classes
[INFO] 
[INFO] --- maven-hpi-plugin:3.38:test-hpl (default-test-hpl) @ global-post-script ---
[INFO] Generating /usr/src/mymaven/target/test-classes/the.hpl
[INFO] 
[INFO] --- maven-hpi-plugin:3.38:resolve-test-dependencies (default-resolve-test-dependencies) @ global-post-script ---
[INFO] 
[INFO] --- gmavenplus-plugin:2.1.0:compileTests (test-in-groovy) @ global-post-script ---
[INFO] No sources specified for compilation. Skipping.
[INFO]
[INFO] --- maven-hpi-plugin:3.38:test-runtime (default-test-runtime) @ global-post-script ---
[INFO] Setting jenkins.addOpens to --add-opens java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.desktop/com.sun.beans.introspect=ALL-UNNAMED
[INFO] Setting jenkins.insaneHook to --patch-module=java.base=/usr/src/mymaven/target/patch-modules/org-netbeans-insane-hook.jar --add-exports=java.base/org.netbeans.insane.hook=ALL-UNNAMED
[INFO]
[INFO] --- maven-surefire-plugin:3.0.0-M8:test (default-test) @ global-post-script ---
[INFO] Using auto detected provider org.apache.maven.surefire.junitplatform.JUnitPlatformProvider
[INFO] 
[INFO] -------------------------------------------------------
[INFO]  T E S T S
[INFO] -------------------------------------------------------
Running tests for org.jenkins-ci.plugins:global-post-script:1.1.6-SNAPSHOT
[INFO] Running InjectedTest
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.codehaus.groovy.vmplugin.v7.Java7$1 (file:/root/.m2/repository/org/codehaus/groovy/groovy-all/2.4.21/groovy-all-2.4.21.jar) to constructor java.lang.invoke.MethodHandles$Lookup(java.lang.Class,int)
WARNING: Please consider reporting this to the maintainers of org.codehaus.groovy.vmplugin.v7.Java7$1
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
[INFO] Tests run: 6, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 81.919 s - in InjectedTest
[INFO] Running com.orctom.jenkins.plugin.globalpostscript.ScriptTest
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.codehaus.groovy.vmplugin.v7.Java7$1 (file:/root/.m2/repository/org/codehaus/groovy/groovy-all/2.4.21/groovy-all-2.4.21.jar) to constructor java.lang.invoke.MethodHandles$Lookup(java.lang.Class,int)
WARNING: Please consider reporting this to the maintainers of org.codehaus.groovy.vmplugin.v7.Java7$1
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
[INFO] Tests run: 2, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 2.236 s - in com.orctom.jenkins.plugin.globalpostscript.ScriptTest
[INFO] Running com.orctom.jenkins.plugin.globalpostscript.URLTest
[INFO] Tests run: 2, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.044 s - in com.orctom.jenkins.plugin.globalpostscript.URLTest
[INFO] 
[INFO] Results:
[INFO]
[INFO] Tests run: 10, Failures: 0, Errors: 0, Skipped: 0
[INFO]
[INFO] 
[INFO] --- maven-license-plugin:1.15:process (default) @ global-post-script ---
[INFO] Generated /usr/src/mymaven/target/global-post-script/WEB-INF/licenses.xml
[INFO]
[INFO] --- maven-hpi-plugin:3.38:hpi (default-hpi) @ global-post-script ---
[INFO] Generating /usr/src/mymaven/target/global-post-script/META-INF/MANIFEST.MF
[INFO] Checking for attached .jar artifact ...
[INFO] Generating jar /usr/src/mymaven/target/global-post-script.jar
[INFO] Building jar: /usr/src/mymaven/target/global-post-script.jar
[INFO] Exploding webapp...
[INFO] Copy webapp webResources to /usr/src/mymaven/target/global-post-script
[INFO] Assembling webapp global-post-script in /usr/src/mymaven/target/global-post-script
[INFO] Bundling direct dependency plexus-utils-3.0.16.jar
[INFO] Generating hpi /usr/src/mymaven/target/global-post-script.hpi
[INFO] Building jar: /usr/src/mymaven/target/global-post-script.hpi
[INFO] 
[INFO] --- maven-jar-plugin:3.3.0:test-jar (maybe-test-jar) @ global-post-script ---
[INFO] Skipping packaging of the test-jar
[INFO]
[INFO] >>> spotbugs-maven-plugin:4.7.3.0:check (spotbugs) > :spotbugs @ global-post-script >>>
[INFO]
[INFO] --- spotbugs-maven-plugin:4.7.3.0:spotbugs (spotbugs) @ global-post-script ---
[INFO] Fork Value is true
[INFO] Done SpotBugs Analysis....
[INFO]
[INFO] <<< spotbugs-maven-plugin:4.7.3.0:check (spotbugs) < :spotbugs @ global-post-script <<<
[INFO]
[INFO]
[INFO] --- spotbugs-maven-plugin:4.7.3.0:check (spotbugs) @ global-post-script ---
[INFO] BugInstance size is 0
[INFO] Error size is 0
[INFO] No errors/warnings found
[INFO]
[INFO] --- maven-install-plugin:3.1.0:install (default-install) @ global-post-script ---
[INFO] Installing /usr/src/mymaven/pom.xml to /root/.m2/repository/org/jenkins-ci/plugins/global-post-script/1.1.6-SNAPSHOT/global-post-script-1.1.6-SNAPSHOT.pom
[INFO] Installing /usr/src/mymaven/target/global-post-script.hpi to /root/.m2/repository/org/jenkins-ci/plugins/global-post-script/1.1.6-SNAPSHOT/global-post-script-1.1.6-SNAPSHOT.hpi
[INFO] Installing /usr/src/mymaven/target/global-post-script.jar to /root/.m2/repository/org/jenkins-ci/plugins/global-post-script/1.1.6-SNAPSHOT/global-post-script-1.1.6-SNAPSHOT.jar
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  01:58 min
[INFO] Finished at: 2023-02-07T19:37:55Z
[INFO] ------------------------------------------------------------------------

MarkEWaite (Contributor) left a comment

Thanks. I'm not seeing any code change that addresses the vulnerability. Will that come later as additional commits to the pull request?

https://github.com/jenkinsci/global-post-script-plugin/pull/12/files#r1144184643 is the fix that I missed earlier.

<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<java.level>8</java.level>
<jenkins.version>2.303.3</jenkins.version>
<jenkins.version>2.375.2</jenkins.version>
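Review bot: the unchanged `<java.level>8</java.level>` line is stale next to the bump from 2.303.3 to 2.375.2; the PR description and discussion say the build now moves to Java 11, and the thread points at 2.361.4 as the documented baseline for that transition, so `java.level` should be removed or brought in line with the chosen baseline, and the commit should record why 2.375.2 was picked over the recommended 2.361.4.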
MarkEWaite (Contributor) commented Feb 7, 2023

The "Choosing a Jenkins version" page recommends 2.361.4 when making the transition to Java 11 and plugin bill of materials.

Suggested change
<jenkins.version>2.375.2</jenkins.version>
<jenkins.version>2.361.4</jenkins.version>

MarkEWaite (Contributor):

I'm not a maintainer of this plugin. @orctom and @mhmdabdh are maintainers.

I have permission to run the job on ci.jenkins.io with the modified Jenkinsfile. I've done that. You'll see results in https://ci.jenkins.io/job/Plugins/job/global-post-script-plugin/job/PR-12/3/

}

public FormValidation doCheckScript(@QueryParameter("script") String name) throws IOException, ServletException {
Jenkins.get().checkPermission(Jenkins.ADMINISTER);
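Review bot: `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` is correctly the first statement in `doCheckScript`, before the submitted value is used, which is the missing permission check this PR sets out to close, and `Jenkins.get()` matches the description's removal of `getInstance` calls; one style point: the parameter bound with `@QueryParameter("script")` is declared as `String name`, which reads as an identifier rather than script content, so rename it to `script` to keep the binding annotation and the variable consistent.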
MarkEWaite (Contributor):

This is the fix that I had missed in my earlier comment.

monwolf (Contributor, Author) commented Mar 23, 2023

@orctom and @mhmdabdh could you merge it?

MarkEWaite (Contributor):

@orctom and @mhmdabdh could you merge it?

@monwolf I think you should adopt the plugin so that you can merge this fix and your pull request #13. It seems unlikely that the listed maintainers will become active again after several years of inactivity.

@orctom orctom merged commit 6ef4d89 into jenkinsci:master Mar 24, 2023
orctom (Member) commented Mar 24, 2023

@monwolf please adopt this plugin if possible!

MarkEWaite (Contributor):

Thanks very much @orctom !
