New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Migrate to httpclient5 #197

Open

strangelookingnerd wants to merge 1 commit into jenkinsci:master from strangelookingnerd:migrate_to_httpclient5

Contributor

strangelookingnerd commented Feb 20, 2025 •

edited

Loading

Replaces outdated httpclient4 with the successor httpclient5.

Iam well aware that this is a quite large changeset however I hope that there is still interest in this PR and it will be reviewed.
If there are any questions, please do not hesitate to ping me.

Testing done

mvn clean verify and some manual testing.

Submitter checklist

Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
Ensure that the pull request title represents the desired changelog entry
Please describe what you did
Link to relevant issues in GitHub or Jira
Link to relevant pull requests, esp. upstream and downstream changes
Ensure you have provided tests - that demonstrates feature works or fixes the issue

strangelookingnerd requested a review from a team as a code owner

February 20, 2025 10:25

github-advanced-security bot found potential problems

View reviewed changes

src/main/java/jenkins/plugins/http_request/HttpRequestExecution.java

+                      }
+                  }
+                  private void configureTimeoutAndSsl(HttpClientBuilder clientBuilder) throws NoSuchAlgorithmException, KeyManagementException {

Check warning

Code scanning / Jenkins Security Scan

Jenkins: Generally unsafe method calls Warning

Potentially unsafe invocation of SSLContext#init

src/main/java/jenkins/plugins/http_request/HttpRequestStep.java

-              			}
-              			return items;
-              		}
+                      public ListBoxModel doFillResponseHandleItems() {

Check warning

Code scanning / Jenkins Security Scan

Stapler: Missing permission check Warning

Potential missing permission check in DescriptorImpl#doFillResponseHandleItems

src/main/java/jenkins/plugins/http_request/HttpRequestStep.java

-              			}
-              			return items;
-              		}
+                      public ListBoxModel doFillResponseHandleItems() {

Check warning

Code scanning / Jenkins Security Scan

Stapler: Missing POST/RequirePOST annotation Warning

Potential CSRF vulnerability: If DescriptorImpl#doFillResponseHandleItems connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST

src/main/java/jenkins/plugins/http_request/HttpRequestStep.java

-              														   @QueryParameter String url) {
-              			return HttpRequest.DescriptorImpl.fillAuthenticationItems(project, url);
-              		}
+                      public ListBoxModel doFillProxyAuthenticationItems(@AncestorInPath Item project,

Check warning

Code scanning / Jenkins Security Scan

Stapler: Missing POST/RequirePOST annotation Warning

Potential CSRF vulnerability: If DescriptorImpl#doFillProxyAuthenticationItems connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST

src/main/java/jenkins/plugins/http_request/HttpRequestStep.java


		public FormValidation doCheckValidResponseCodes(@QueryParameter String value) {
		public FormValidation doCheckValidResponseCodes(@QueryParameter String value) {

Check warning

Code scanning / Jenkins Security Scan

Stapler: Missing permission check Warning

Potential missing permission check in DescriptorImpl#doCheckValidResponseCodes

src/main/java/jenkins/plugins/http_request/HttpRequestStep.java


		public FormValidation doCheckValidResponseCodes(@QueryParameter String value) {
		public FormValidation doCheckValidResponseCodes(@QueryParameter String value) {

Check warning

Code scanning / Jenkins Security Scan

Stapler: Missing POST/RequirePOST annotation Warning

Potential CSRF vulnerability: If DescriptorImpl#doCheckValidResponseCodes connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST

src/main/java/jenkins/plugins/http_request/auth/BasicDigestAuthentication.java


		private final String keyName;
		private final String keyName;

Check warning

Code scanning / Jenkins Security Scan

Jenkins: Plaintext password storage Warning

Field should be reviewed whether it stores a password and is serialized to disk: keyName

src/main/java/jenkins/plugins/http_request/auth/FormAuthentication.java

-              	private final String keyName;
+                  @Serial
+                  private static final long serialVersionUID = -4370238820437831639L;
+                  private final String keyName;

Check warning

Code scanning / Jenkins Security Scan

Jenkins: Plaintext password storage Warning

Field should be reviewed whether it stores a password and is serialized to disk: keyName


          Migrate to httpclient5

62cefd5

* Migrate imports, classes and methods
* Reduce usage of deprecated classes and methods
* Minor code cleanup

strangelookingnerd force-pushed the migrate_to_httpclient5 branch from 0c7abef to 62cefd5 Compare

February 21, 2025 09:16

Contributor Author

strangelookingnerd commented Feb 21, 2025

Jenkins Security Scan alerts are unrelated to these changes and should be adressed in a separate PR.

Contributor

gounthar commented Feb 21, 2025

It looks like the build failure has nothing to do with your code modification:
10:19:45 ExecutionException The forked VM terminated without properly saying goodbye. VM crash or System.exit called?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet