Merge branch 'master' into INFRA-2615

README.adoc

@@ -30,6 +30,7 @@ The generator pulls information from:
 * link:resources/[Local resource files in this repository]
   - GitHub topic whitelist (`resources/allowed-github-topics.properties`)
   - Artifact ignore list (`resources/artifact-ignores.properties`)
+  - Deprecations (`resources/deprecations.properties`)
   - Label assignments (`resources/label-definitions.properties`)
   - Security warnings (`resources/warnings.json`)
   - Plugin URL overrides (`resources/wiki-overrides.properties`)
@@ -58,7 +59,7 @@ To add the label `matrix` for your plugin, you would add either `matrix` or `jen
 
 ==== Resource File
 
-As an alternative to the above, plugin labels can be defined in the file https://github.com/jenkins-infra/update-center2/edit/master/src/main/resources/label-definitions.properties[`label-definitions.properties`] in this repository.
+As an alternative to the above, plugin labels can be defined in the file https://github.com/jenkins-infra/update-center2/edit/master/src/main/resources/label-definitions.properties[`resources/label-definitions.properties`] in this repository.
 
 This is the preferable approach when a plugin isn't in the `jenkinsci` GitHub organization, or a GitHub repository contains multiple plugins whose labels should be different.
 
@@ -74,6 +75,29 @@ This requirement no longer exists, but it may still be useful to define a docume
 The file `resources/wiki-overrides.properties` defines these wiki page overrides.
 
 
+=== Deprecations
+
+// TODO Once https://github.com/jenkinsci/jenkins/pull/4073 is merged, specify which version is the first one.
+Plugins are considered _deprecated_ by Jenkins when either the update site metadata does one or both of the following:
+
+* Uses the label `deprecated` for the plugin.
+  This can be done via GitHub repository topics, or the `resources/label-definitions.properties` described above.
+  Jenkins will use the plugin URL as the reference URL for the deprecation notice.
+* Lists an entry with the plugin ID as key in the top-level `deprecations` map in `update-center.json`.
+  This can be done through entries in the https://github.com/jenkins-infra/update-center2/edit/master/src/main/resources/deprecations.properties[`resources/deprecations.properties`] file.
+  The value from the properties file will be used as the URL for the deprecation notice in Jenkins.
+  This entry and URL take precedence over a `deprecated` label, i.e. when both are set, the URL from the top-level element shall be used.
+
+These two different approaches to plugin deprecation accomplish complementary goals:
+
+* The label approach is very simple and can easily be done by plugin maintainers themselves via GitHub labels.
+  It is also backward compatible with any earlier version of Jenkins -- it will just show the deprecation as a regular label.
+  Additionally, it doesn't bloat the JSON file size at all, since no special URL is needed.
+* The top-level `deprecations` element allows specifying a URL different from the plugin documentation URL as well as deprecating plugins no longer being distributed.
+  Especially the latter is a common requirement when plugins integrate with services that no longer exist:
+  It makes no sense to continue distributing them, but everyone having them already installed should be informed about it.
+
+
 === Removing plugins from distribution
 
 The update center generator allows to specify that certain plugins, or plugin releases, should not be included in the output.
@@ -86,6 +110,8 @@ There are various reasons to need to do this, such as:
 Both use cases (entire plugins, or specific versions) are controlled via the file `resources/artifact-ignores.properties`.
 See that file for usage examples.
 
+Such plugins typically should get a corresponding deprecation entry in `resources/deprecations.properties`.
+
 
 === Security warnings
 

pom.xml

@@ -8,7 +8,7 @@
 
   <artifactId>update-center2</artifactId>
 
-  <version>3.1-SNAPSHOT</version>
+  <version>3.2.2-SNAPSHOT</version>
   <name>Jenkins Update Center Generator</name>
   <description>Generates update sites for updates.jenkins.io</description>
 
@@ -139,7 +139,7 @@
     <dependency>
       <groupId>org.dom4j</groupId>
       <artifactId>dom4j</artifactId>
-      <version>2.1.1</version>
+      <version>2.1.3</version>
     </dependency>
     <dependency>
       <groupId>org.hamcrest</groupId>

resources/allowed-github-topics.properties

@@ -80,6 +80,7 @@ spotinst
 stash
 test
 textfile
+theme
 trigger
 ui
 upload

resources/artifact-ignores.properties

@@ -28,6 +28,7 @@ cloudbees-registration           # "This feature is no longer relevant." -- http
 cloudbees-disk-usage-simple-plugin # renamed to cloudbees-disk-usage-simple several years ago
 ColumnPack-plugin                # renamed to ColumnsPlugin
 ConfigurationSlicing             # renamed into configurationslicing, and this double causes a check out problem on Windows
+configuration-as-code-support    # deprecated
 convert-to-declarative           # renamed to declarative-pipeline-migration-assistant-plugin
 convert-to-declarative-api       # renamed to declarative-pipeline-migration-assistant-plugin
 copyarchiver                     # superseded by ArtifactDeployer Plugin  -- https://wiki.jenkins-ci.org/display/JENKINS/CopyArchiver+Plugin
@@ -337,10 +338,6 @@ fortify360
 
 # Failed shading Snakeyaml, 1.9 has both shaded and direct dependency inside
 configuration-as-code-1.9
-configuration-as-code-support-1.9
-
-# No Source release of JCasC support 1.19
-configuration-as-code-support-1.19
 
 # Failed release of Google Compute Engine Plugin 3.3.1
 google-compute-engine-3.3.1
@@ -470,3 +467,6 @@ ci-with-toad-devops-toolkit
 
 # Delayed release of Qualys API security module, so suspend until then
 qualys-api-security
+
+# Depublished as agreed with maintainer after SECURITY-1879 in 2020-06-03 security advisory
+play-autotest-plugin

resources/deprecations.properties

@@ -0,0 +1,139 @@
+# This file contains deprecated plugins (keys) and the URL the deprecation notice should link to (value).
+# While plugins can be deprecated through labels, that requires that the plugins continue being published.
+# This file allows marking plugins as deprecated while not publishing them otherwise.
+# Additionally, this file allows referencing deprecation notices outside of (obsolete or non-existing) plugin documentation.
+# Shorten URLs if and only if the URLs are to github.com (git.io) or wiki.jenkins.io. Record the real URL in a comment.
+
+# https://wiki.jenkins.io/display/JENKINS/AppThwack+Plugin
+appthwack = https://wiki.jenkins.io/x/cwchB
+assembla-oauth = https://groups.google.com/d/msg/jenkinsci-dev/TVz-D5etsUM/Knx9zXtEnSwJ
+# https://github.com/jenkins-infra/update-center2/pull/261
+blackduck-hub = https://git.io/JfaQa
+# https://wiki.jenkins.io/display/JENKINS/Black+Duck+Vulnerability+Installer+Plugin
+blackduck-installer = https://wiki.jenkins.io/x/nYHHB
+build-flow-extensions-plugin = https://groups.google.com/d/msg/jenkinsci-dev/YKfydxnpvyE/mMN7LNBoBgAJ
+build-flow-test-aggregator = https://groups.google.com/d/msg/jenkinsci-dev/YKfydxnpvyE/mMN7LNBoBgAJ
+build-flow-toolbox-plugin = https://groups.google.com/d/msg/jenkinsci-dev/YKfydxnpvyE/mMN7LNBoBgAJ
+# https://wiki.jenkins.io/display/JENKINS/Build+Node+Column+Plugin
+build-node-column = https://wiki.jenkins.io/x/1QiMAw
+# https://wiki.jenkins.io/display/JENKINS/Buildcoin+Plugin
+buildcoin-plugin = https://wiki.jenkins.io/x/KoyhAw
+# https://wiki.jenkins.io/display/JENKINS/Buildheroes
+buildheroes = https://wiki.jenkins.io/x/_AD8Aw
+# https://wiki.jenkins.io/display/JENKINS/Caroline+Plugin
+caroline = https://wiki.jenkins.io/x/AwOMAw
+chrome-frame-plugin = https://www.chromium.org/developers/how-tos/chrome-frame-getting-started
+# https://wiki.jenkins.io/display/JENKINS/CIFS-Publisher+Plugin
+cifs = https://wiki.jenkins.io/x/lwC2Ag
+# https://github.com/jenkinsci/clang-scanbuild-plugin/commit/a6d57b67f6fbd0a9893ecf6436c54ecb670d5829
+clang-scanbuild-plugin = https://git.io/JfaQr
+# https://wiki.jenkins.io/display/JENKINS/Cloudbees+Deployer+Plugin
+cloudbees-deployer-plugin = https://wiki.jenkins.io/x/24RoAw
+# https://github.com/jenkins-infra/update-center2/pull/179
+cloudbees-disk-usage-simple-plugin = https://git.io/JfaQN
+# https://wiki.jenkins.io/display/JENKINS/CloudBees+Jenkins+Enterprise
+cloudbees-enterprise-plugins = https://wiki.jenkins.io/x/3gX8Aw
+# https://wiki.jenkins.io/display/JENKINS/CloudBees+Registration+Plugin
+cloudbees-registration = https://wiki.jenkins.io/x/z4FLB
+# https://github.com/jenkins-infra/update-center2/pull/299
+codescan = https://git.io/JfaQb
+# https://github.com/jenkinsci/configuration-as-code-plugin/releases/tag/configuration-as-code-1.18
+configuration-as-code-support = https://git.io/JfaHz
+# https://wiki.jenkins.io/display/JENKINS/CopyArchiver+Plugin
+copyarchiver = https://wiki.jenkins.io/x/ywJAAg
+# https://wiki.jenkins.io/display/JENKINS/CppUnit+Plugin
+cppunit = https://wiki.jenkins.io/x/6oE5Ag
+# https://github.com/jenkins-infra/update-center2/commit/e5a138873113d0e2d6af59d5699215a1835c15b7
+dockerhub = https://git.io/JfaQF
+# https://wiki.jenkins.io/display/JENKINS/Emotional+Hudson+Plugin
+emotional-hudson = https://wiki.jenkins.io/x/C4DX
+# https://github.com/jenkins-infra/update-center2/pull/257
+external-scheduler = https://git.io/JfaQ5
+externalresource-dispatcher = https://groups.google.com/d/msg/jenkinsci-dev/YKfydxnpvyE/mMN7LNBoBgAJ
+# https://wiki.jenkins.io/display/JENKINS/Gerrit+Plugin
+gerrit = https://wiki.jenkins.io/x/9ICVAg
+# https://wiki.jenkins.io/display/JENKINS/Girls+Plugin
+girls = https://wiki.jenkins.io/x/OAWbAg
+# https://wiki.jenkins.io/display/JENKINS/Gitorious+Plugin
+gitorious = https://wiki.jenkins.io/x/ngDiAw
+# https://wiki.jenkins.io/display/JENKINS/Hudson+Google+Desktop+Gadget
+google-desktop-gadget = https://wiki.jenkins.io/x/E4A3AQ
+# https://wiki.jenkins.io/display/JENKINS/Google+Code+Plugin
+googlecode = https://wiki.jenkins.io/x/DQC7
+# https://wiki.jenkins.io/display/JENKINS/Hall+Plugin
+hall-jenkins = https://wiki.jenkins.io/x/qQghB
+# https://wiki.jenkins.io/display/JENKINS/HockeyApp+Plugin
+hockeyapp = https://wiki.jenkins.io/x/7oPPAw
+# https://wiki.jenkins.io/display/JENKINS/iON+Deployer+Plugin
+ion-deployer-plugin = https://wiki.jenkins.io/x/FhOMAw
+# https://wiki.jenkins.io/display/JENKINS/Java.net+Plugin
+javanet = https://wiki.jenkins.io/x/AgDL
+# https://wiki.jenkins.io/display/JENKINS/java.net+uploader+Plugin
+javanet-uploader = https://wiki.jenkins.io/x/ZoAL
+jenkins-tracker = https://issues.jenkins-ci.org/browse/INFRA-1531
+# https://wiki.jenkins.io/display/JENKINS/Jenkow+Activiti+Designer
+jenkow-activiti-designer = https://wiki.jenkins.io/x/ngnqAw
+# https://wiki.jenkins.io/display/JENKINS/Jenkow+Activiti+Explorer
+jenkow-activiti-explorer = https://wiki.jenkins.io/x/yQH8Aw
+# https://wiki.jenkins.io/display/JENKINS/Jenkow+Plugin
+jenkow-plugin = https://wiki.jenkins.io/x/WIuhAw
+# https://github.com/jenkins-infra/update-center2/pull/94
+kanboard-publisher = https://git.io/JfaQH
+# https://wiki.jenkins.io/display/JENKINS/M2+Extra+Steps+Plugin
+m2-extra-steps = https://wiki.jenkins.io/x/FIc5Ag
+# https://wiki.jenkins.io/display/JENKINS/CloudBees+Cloud+Connector+Plugin
+mansion-cloud = https://wiki.jenkins.io/x/YwdRB
+# https://github.com/mwaylabs/jenkins-mcap-eas-plugin#jenkins-mcap-eas-plugin
+mcap-eas-plugin = https://git.io/JfaQ9
+# https://wiki.jenkins.io/display/JENKINS/MyPeople+Plugin
+mypeople = https://wiki.jenkins.io/x/xQRCB
+# https://wiki.jenkins.io/display/JENKINS/Nabaztag+Plugin
+nabaztag = https://wiki.jenkins.io/x/dIEuAg
+# https://wiki.jenkins.io/display/JENKINS/Netio-Plugin
+netio-plugin = https://wiki.jenkins.io/x/7gMHB
+# https://wiki.jenkins.io/display/JENKINS/Node+Offline+Notification+Plugin
+nodeofflinenotification = https://wiki.jenkins.io/x/0IKhAw
+# https://wiki.jenkins.io/display/JENKINS/Notifo+Plugin
+notifo = https://wiki.jenkins.io/x/0ADDAg
+# https://wiki.jenkins.io/display/JENKINS/Origo+Issue+Notifier
+origo-issue-notifier = https://wiki.jenkins.io/x/qgabAg
+# https://github.com/jenkins-infra/update-center2/pull/291
+paranoia = https://git.io/JfaQS
+# https://github.com/jenkinsci/pipeline-editor-plugin
+pipeline-editor = https://git.io/JfaQy
+# https://github.com/jenkins-infra/update-center2/pull/42
+poll-mailbox-trigger = https://git.io/JfaQM
+# https://wiki.jenkins.io/display/JENKINS/Pretest+Commit+Plugin
+pretest-commit = https://wiki.jenkins.io/x/5gB-B
+# https://wiki.jenkins.io/display/JENKINS/pucm+plugin
+PUCM = https://wiki.jenkins.io/x/fIBVAw
+# https://github.com/jenkins-infra/update-center2/pull/13
+rtc = https://git.io/JfaQ1
+# https://wiki.jenkins.io/display/JENKINS/Retry+Failed+Builds+Plugin
+schedule-failed-builds = https://wiki.jenkins.io/x/roM5Ag
+# https://github.com/jenkins-infra/update-center2/commit/5f3f5ae66ea0e819c27d6d1fed9fdb00781f636c
+scis-ad = https://git.io/JfaQX
+scm-branch-pr-filter = https://issues.jenkins-ci.org/browse/INFRA-1358
+# https://github.com/jenkins-infra/update-center2/pull/324
+SCTMExecutor = https://git.io/JfaQP
+# https://wiki.jenkins.io/display/JENKINS/Build+Secret+Plugin
+secret = https://wiki.jenkins.io/x/9ghSAg
+# https://wiki.jenkins.io/display/JENKINS/Setenv+Plugin
+setenv = https://wiki.jenkins.io/x/YAtSAg
+# https://wiki.jenkins.io/pages/viewpage.action?pageId=63930505
+sonatype-ci = https://wiki.jenkins.io/x/iYDPAw
+# https://wiki.jenkins.io/display/JENKINS/TEPCO+Plugin
+tepco = https://wiki.jenkins.io/x/zoBoAw
+# https://wiki.jenkins.io/display/JENKINS/TEPCO+Electric+Power+Usage+Widget
+tepco-epuw = https://wiki.jenkins.io/x/vohoAw
+# https://wiki.jenkins.io/display/JENKINS/Testflight+Plugin
+testflight = https://wiki.jenkins.io/x/pwZ1Aw
+# https://wiki.jenkins.io/display/JENKINS/URL+Change+Trigger
+url-change-trigger = https://wiki.jenkins.io/x/BQBJ
+# https://github.com/jenkins-infra/update-center2/pull/302
+veracode-scanner = https://git.io/JfaQ6
+vessel = https://groups.google.com/d/msg/jenkinsci-dev/L34eAMMWA5o/-AxtRdGsAAAJ
+# https://github.com/jenkinsci/xltestview-plugin/commit/ea034f9929b520e63b9ce15aed9bdb62354146cf
+xltest-plugin = https://git.io/JfaQK
+# https://wiki.jenkins.io/display/JENKINS/ZAProxy+Plugin
+zaproxy = https://wiki.jenkins.io/x/JgCsB

resources/warnings.json

@@ -6975,7 +6975,7 @@
     "versions": [
       {
         "lastVersion": "0.5",
-        "pattern": ".*"
+        "pattern": "(0[.][3-5])(|[.-].+)"
       }
     ]
   },
@@ -7974,5 +7974,122 @@
         "pattern": "(1[.]1[2-9]|1[.]2[0-9]|1[.]3[0-9]|1[.]4[0-3])(|[.-].+)"
       }
     ]
+  },
+  {
+    "id": "SECURITY-1200",
+    "type": "plugin",
+    "name": "swarm",
+    "message": "CSRF vulnerability and improper permission checks",
+    "url": "https://jenkins.io/security/advisory/2020-06-03/#SECURITY-1200",
+    "versions": [
+      {
+        "lastVersion": "3.20",
+        "pattern": "([12]|3[.]1[0-9]|3[.]20|3[.][3-9])(|[.-].+)"
+      }
+    ]
+  },
+  {
+    "id": "SECURITY-1582",
+    "type": "plugin",
+    "name": "project-inheritance",
+    "message": "Missing permission check",
+    "url": "https://jenkins.io/security/advisory/2020-06-03/#SECURITY-1582",
+    "versions": [
+      {
+        "lastVersion": "19.08.02",
+        "pattern": ".*"
+      }
+    ]
+  },
+  {
+    "id": "SECURITY-1726",
+    "type": "plugin",
+    "name": "svn-partial-release-mgr",
+    "message": "XSS vulnerability",
+    "url": "https://jenkins.io/security/advisory/2020-06-03/#SECURITY-1726",
+    "versions": [
+      {
+        "lastVersion": "1.0.1",
+        "pattern": ".*"
+      }
+    ]
+  },
+  {
+    "id": "SECURITY-1766",
+    "type": "plugin",
+    "name": "selenium",
+    "message": "Complete lack of CSRF protection can lead to OS command injection",
+    "url": "https://jenkins.io/security/advisory/2020-06-03/#SECURITY-1766",
+    "versions": [
+      {
+        "lastVersion": "3.141.59",
+        "pattern": ".*"
+      }
+    ]
+  },
+  {
+    "id": "SECURITY-1837",
+    "type": "plugin",
+    "name": "compact-columns",
+    "message": "Stored XSS vulnerability",
+    "url": "https://jenkins.io/security/advisory/2020-06-03/#SECURITY-1837",
+    "versions": [
+      {
+        "lastVersion": "1.11",
+        "pattern": "(1[.]1[01]|1[.][6-9])(|[.-].+)"
+      }
+    ]
+  },
+  {
+    "id": "SECURITY-1841",
+    "type": "plugin",
+    "name": "echarts-api",
+    "message": "Stored XSS vulnerability",
+    "url": "https://jenkins.io/security/advisory/2020-06-03/#SECURITY-1841",
+    "versions": [
+      {
+        "lastVersion": "4.7.0-3",
+        "pattern": "(4[.]6|4[.]7[.]0[-][1-3])(|[.-].+)"
+      }
+    ]
+  },
+  {
+    "id": "SECURITY-1842",
+    "type": "plugin",
+    "name": "echarts-api",
+    "message": "Stored XSS vulnerability",
+    "url": "https://jenkins.io/security/advisory/2020-06-03/#SECURITY-1842",
+    "versions": [
+      {
+        "lastVersion": "4.7.0-3",
+        "pattern": "(4[.]6|4[.]7[.]0[-][1-3])(|[.-].+)"
+      }
+    ]
+  },
+  {
+    "id": "SECURITY-1866",
+    "type": "plugin",
+    "name": "script-security",
+    "message": "Stored XSS vulnerability",
+    "url": "https://jenkins.io/security/advisory/2020-06-03/#SECURITY-1866",
+    "versions": [
+      {
+        "lastVersion": "1.72",
+        "pattern": "(1[.][0-9]|1[.]1[0-9]|1[.]2[0-9]|1[.]3[013456789]|1[.]4[0-9]|1[.]5[0-9]|1[.]6[012345789]|1[.]66[.][1-3]|1[.]7[0-2])(|[.-].+)|(1[.]66)"
+      }
+    ]
+  },
+  {
+    "id": "SECURITY-1879",
+    "type": "plugin",
+    "name": "play-autotest-plugin",
+    "message": "OS command injection vulnerability",
+    "url": "https://jenkins.io/security/advisory/2020-06-03/#SECURITY-1879",
+    "versions": [
+      {
+        "lastVersion": "1.0.2",
+        "pattern": ".*"
+      }
+    ]
   }
 ]

resources/wiki-overrides.properties

@@ -74,12 +74,12 @@ pipeline-model-declarative-agent=https://github.com/jenkinsci/pipeline-model-def
 # Deprecated plugins (replaced by warnings-ng)
 pmd=https://github.com/jenkinsci/pmd-plugin
 dry=https://github.com/jenkinsci/dry-plugin
-findbugs=https://github.com/jenkinsci/findbugs-plugin 
-analysis-core=https://github.com/jenkinsci/analysis-core-plugin 
-analysis-collector=https://github.com/jenkinsci/analysis-collector-plugin 
+findbugs=https://github.com/jenkinsci/findbugs-plugin
+analysis-core=https://github.com/jenkinsci/analysis-core-plugin
+analysis-collector=https://github.com/jenkinsci/analysis-collector-plugin
 warnings=https://github.com/jenkinsci/warnings-plugin
 tasks=https://github.com/jenkinsci/tasks-plugin
-checkstyle=https://github.com/jenkinsci/checkstyle-plugin 
+checkstyle=https://github.com/jenkinsci/checkstyle-plugin
 
 # JS Libs plugins
 ace-editor=https://github.com/jenkinsci/js-libs/blob/master/ace-editor/README.md