[JEP-233] Blog post about Guava library upgrade (#4640)

Co-authored-by: Liam Newman <bitwiseman@gmail.com>
jenkins-infra · Nov 9, 2021 · bca105e · bca105e
1 parent 65a30c3
commit bca105e
Show file tree

Hide file tree

Showing 4 changed files with 81 additions and 0 deletions.
diff --git a/content/_data/authors/basil.adoc b/content/_data/authors/basil.adoc
@@ -0,0 +1,8 @@
+---
+name: "Basil Crow"
+github: basil
+twitter: bcrow
+linkedin: basilcrow
+---
+Basil is a long-time Jenkins user and contributor, a Jenkins core maintainer, and the maintainer of the plugin:email-ext[Email Extension], plugin:timestamper[Timestamper], and plugin:swarm[Swarm] plugins (among others).
+Basil enjoys working on open source software in his free time.
diff --git a/content/blog/2021/11/2021-11-09-guava-upgrade.adoc b/content/blog/2021/11/2021-11-09-guava-upgrade.adoc
@@ -0,0 +1,73 @@
+---
+layout: post
+title: "Guava library upgrade (breaking changes!)"
+tags:
+- jenkins
+- core
+- developer
+- announcement
+author: basil
+description: >
+  Jenkins has upgraded the Guava library to the latest version.
+  As a result, plugins must be upgraded for compatibility.
+opengraph:
+  image: /images/post-images/2021-11-guava-upgrade/guava-upgrade-opengraph.png
+---
+
+image:/images/post-images/2021-11-guava-upgrade/guava-upgrade.png[Guava Upgrade, role=center]
+
+== Summary
+
+Jenkins bundles https://guava.dev/[Guava], a core Java library from Google.
+Beginning with Jenkins 2.320 (released on November 10, 2021), Jenkins has upgraded the Guava library from
+link:https://github.com/google/guava/releases/tag/v11.0.1[11.0.1] (released on January 9, 2012) to
+link:https://github.com/google/guava/releases/tag/v31.0.1[31.0.1] (released on September 27, 2021).
+Plugins have already been prepared to support the new version of Guava in link:https://issues.jenkins.io/issues/?jql=labels%20in%20(JEP-233)[JEP-233].
+**Use the Plugin Manager to upgrade all plugins before _and_ after upgrading to Jenkins 2.320.**
+
+== Motivation
+
+Many security-conscious organizations using, or planning to use, Jenkins run off-the-shelf security scanners to look for known vulnerabilities.
+These commonly flag the obsolete Guava library as susceptible to a serialization-related vulnerability (https://github.com/google/guava/wiki/CVE-2018-10237[CVE-2018-10237]) and recommend upgrading.
+While Jenkins uses link:/blog/2018/03/15/jep-200-lts/[JEP-200] to form an explicit list of allowed classes for deserialization,
+and the two Guava classes affected by CVE-2018-10237 are not and will never be added to the list,
+it is time-consuming for the link:/security/team/[security team] to respond to purported security reports
+and for users to justify exemptions from policy to use Jenkins anyway.
+
+Furthermore, the decade-old version of Guava has long been a maintenance burden for Jenkins developers.
+In a world where Dependabot offers upgrades to libraries released just hours before,
+it is unpleasant to be working with dependencies that are many years old.
+
+For more information, see https://github.com/jenkinsci/jep/blob/master/jep/233/README.adoc[JEP-233].
+
+== Upgrading
+
+The vast majority of plugins have already been prepared to support the new version of Guava in link:https://issues.jenkins.io/issues/?jql=labels%20in%20(JEP-233)[JEP-233].
+Jenkins users need only upgrade plugins to compatible versions as documented in the "Released As" field in Jira.
+**It is critical to use the Plugin Manager to upgrade all plugins before _and_ after upgrading to Jenkins 2.320.**
+Failure to upgrade plugins to compatible versions may result in `ClassNotFoundException`, `NoClassDefFoundError`, or other low-level Java errors.
+
+== Reporting issues
+
+If you find a regression in a plugin, please file a bug report in Jira:
+
+* link:https://issues.jenkins.io/issues/?jql=labels%20in%20(JEP-233)%20and%20status%20not%20in%20(resolved%2C%20closed)[Open JEP-233 issues]
+
+When reporting an issue, include the following information:
+
+. Use the `JEP-233` label.
+. Provide the _complete_ list of installed plugins as suggested in the link:/doc/book/system-administration/diagnosing-errors/#how-to-report-a-bug[bug reporting guidelines].
+. Provide the _complete_ stack trace, if relevant.
+. Provide steps to reproduce the issue _from scratch_ on a minimal Jenkins installation; the scenario should fail when the steps are followed on Jenkins 2.320 or later and pass when the steps are followed on Jenkins 2.319 or earlier.
+
+If you maintain a Jenkins plugin with an open JEP-233 issue,
+then please check if there is a pull request awaiting merge or release.
+If you use an unmaintained Jenkins plugin with an open JEP-233 issue,
+consider stepping up and link:/doc/developer/plugin-governance/adopt-a-plugin/[adopting the plugin] to release a compatible version.
+
+== Conclusion
+
+We expect to see a bit of disruption from these changes
+but hope that in the long run they will save time for core and plugin developers
+and lead to a more secure and stable tool.
+Please reach out on the link:/mailing-lists/[developers' list] with any questions or suggestions.
diff --git a/content/images/post-images/2021-11-guava-upgrade/guava-upgrade-opengraph.png b/content/images/post-images/2021-11-guava-upgrade/guava-upgrade-opengraph.png
diff --git a/content/images/post-images/2021-11-guava-upgrade/guava-upgrade.png b/content/images/post-images/2021-11-guava-upgrade/guava-upgrade.png