Update dependency org.jenkins-ci:jenkins to v1.130 (#10376)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
jenkinsci · Mar 5, 2025 · 560e57f · 560e57f
1 parent 4c96f3a
commit 560e57f
Show file tree

Hide file tree

Showing 24 changed files with 22 additions and 40 deletions.
diff --git a/cli/src/main/java/hudson/cli/CLI.java b/cli/src/main/java/hudson/cli/CLI.java
@@ -318,7 +318,7 @@ public static int _main(String[] _args) throws Exception {
         throw new AssertionError();
     }
 
-    @SuppressFBWarnings(value = {"PATH_TRAVERSAL_IN", "URLCONNECTION_SSRF_FD"}, justification = "User provided values for running the program.")
+    @SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "User provided value for running the program.")
     private static String readAuthFromFile(String auth) throws IOException {
         Path path;
         try {
@@ -329,7 +329,7 @@ private static String readAuthFromFile(String auth) throws IOException {
         return Files.readString(path, Charset.defaultCharset());
     }
 
-    @SuppressFBWarnings(value = {"PATH_TRAVERSAL_IN", "URLCONNECTION_SSRF_FD"}, justification = "User provided values for running the program.")
+    @SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "User provided value for running the program.")
     private static File getFileFromArguments(List<String> args) {
         return new File(args.get(1));
     }

diff --git a/core/src/main/java/hudson/DescriptorExtensionList.java b/core/src/main/java/hudson/DescriptorExtensionList.java
@@ -26,6 +26,7 @@
 
 import edu.umd.cs.findbugs.annotations.CheckForNull;
 import edu.umd.cs.findbugs.annotations.NonNull;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.model.Describable;
 import hudson.model.Descriptor;
 import hudson.model.Descriptor.FormException;
@@ -274,6 +275,7 @@ protected Descriptor adapt(ExtensionComponent<Descriptor> item) {
     /**
      * Exposed just for the test harness. Clear legacy instances.
      */
+    @SuppressFBWarnings(value = "HSM_HIDING_METHOD", justification = "TODO needs triage")
     public static void clearLegacyInstances() {
         legacyDescriptors.clear();
     }

diff --git a/core/src/main/java/hudson/console/ModelHyperlinkNote.java b/core/src/main/java/hudson/console/ModelHyperlinkNote.java
@@ -1,6 +1,7 @@
 package hudson.console;
 
 import edu.umd.cs.findbugs.annotations.NonNull;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.Extension;
 import hudson.model.Computer;
 import hudson.model.Item;
@@ -66,6 +67,7 @@ public static String encodeTo(Label label) {
         return encodeTo("/" + label.getUrl(), label.getName());
     }
 
+    @SuppressFBWarnings(value = "HSM_HIDING_METHOD", justification = "TODO needs triage")
     public static String encodeTo(String url, String text) {
         return HyperlinkNote.encodeTo(url, text, ModelHyperlinkNote::new);
     }

diff --git a/core/src/main/java/hudson/model/AutoCompletionCandidates.java b/core/src/main/java/hudson/model/AutoCompletionCandidates.java
@@ -25,7 +25,6 @@
 package hudson.model;
 
 import edu.umd.cs.findbugs.annotations.CheckForNull;
-import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.search.Search;
 import hudson.search.UserSearchProperty;
 import jakarta.servlet.ServletException;
@@ -109,7 +108,6 @@ public static <T extends Item> AutoCompletionCandidates ofJobNames(final Class<T
      *      The nearby contextual {@link ItemGroup} to resolve relative job names from.
      * @since 1.553
      */
-    @SuppressFBWarnings(value = "SBSC_USE_STRINGBUFFER_CONCATENATION", justification = "no big deal")
     public static  <T extends Item> AutoCompletionCandidates ofJobNames(final Class<T> type, final String value, ItemGroup container) {
         final AutoCompletionCandidates candidates = new AutoCompletionCandidates();
         class Visitor extends ItemVisitor {

diff --git a/core/src/main/java/hudson/model/FileParameterValue.java b/core/src/main/java/hudson/model/FileParameterValue.java
@@ -164,7 +164,7 @@ public org.apache.commons.fileupload.FileItem getFile() {
     @Override
     public BuildWrapper createBuildWrapper(AbstractBuild<?, ?> build) {
         return new BuildWrapper() {
-            @SuppressFBWarnings(value = {"FILE_UPLOAD_FILENAME", "NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE"}, justification = "TODO needs triage")
+            @SuppressFBWarnings(value = "NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE", justification = "TODO needs triage")
             @Override
             public Environment setUp(AbstractBuild build, Launcher launcher, BuildListener listener) throws IOException, InterruptedException {
                 if (location != null && !location.isEmpty() && file.getName() != null && !file.getName().isEmpty()) {

diff --git a/core/src/main/java/hudson/model/UpdateSite.java b/core/src/main/java/hudson/model/UpdateSite.java
@@ -1088,7 +1088,7 @@ public boolean isRelevant() {
          * {@code false} if it does; and {@code null} when the affected component isn't being offered, or it's a warning
          * for something other than core or a plugin.
          */
-        @SuppressFBWarnings(value = "NP_BOOLEAN_RETURN_NULL")
+        @SuppressFBWarnings(value = "NP_BOOLEAN_RETURN_NULL", justification = "TODO needs triage")
         public Boolean isFixable() {
             final Data data = UpdateSite.this.data;
             if (data == null) {

diff --git a/core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java b/core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java
@@ -62,7 +62,6 @@ public AuthenticationProcessingFilter2(String authenticationGatewayUrl) {
         setPasswordParameter("j_password");
     }
 
-    @SuppressFBWarnings(value = "RV_RETURN_VALUE_IGNORED_NO_SIDE_EFFECT", justification = "request.getSession(true) does in fact have a side effect")
     @Override
     protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException {
         if (SystemProperties.getInteger(SecurityRealm.class.getName() + ".sessionFixationProtectionMode", 1) == 2) {

diff --git a/core/src/main/java/hudson/security/BasicAuthenticationFilter.java b/core/src/main/java/hudson/security/BasicAuthenticationFilter.java
@@ -24,7 +24,6 @@
 
 package hudson.security;
 
-import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.model.User;
 import hudson.util.Scrambler;
 import jakarta.servlet.FilterChain;
@@ -173,7 +172,6 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
         d.include(req, rsp);
     }
 
-    @SuppressFBWarnings(value = "UNVALIDATED_REDIRECT", justification = "Redirect is validated as processed.")
     private void prepareRedirect(HttpServletResponse rsp, String path) {
         rsp.setStatus(HttpServletResponse.SC_MOVED_TEMPORARILY);
         rsp.setHeader("Location", path);

diff --git a/core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java b/core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
@@ -940,7 +940,6 @@ public Category getCategory() {
     static class JBCryptEncoder implements PasswordHashEncoder {
         // in jBCrypt the maximum is 30, which takes ~22h with laptop late-2017
         // and for 18, it's "only" 20s
-        @SuppressFBWarnings(value = "MS_SHOULD_BE_FINAL", justification = "Accessible via System Groovy Scripts")
         @Restricted(NoExternalUse.class)
         private static int MAXIMUM_BCRYPT_LOG_ROUND = SystemProperties.getInteger(HudsonPrivateSecurityRealm.class.getName() + ".maximumBCryptLogRound", 18);
 
@@ -1135,7 +1134,7 @@ public boolean isPasswordHashed(String password) {
      */
     private static final String ENCODED_INVALID_USER_PASSWORD = PASSWORD_ENCODER.encode(generatePassword());
 
-    @SuppressFBWarnings(value = {"DMI_RANDOM_USED_ONLY_ONCE", "PREDICTABLE_RANDOM"}, justification = "https://github.com/spotbugs/spotbugs/issues/1539 and doesn't need to be secure, we're just not hardcoding a 'wrong' password")
+    @SuppressFBWarnings(value = "PREDICTABLE_RANDOM", justification = "Doesn't need to be secure, we're just not hardcoding a 'wrong' password")
     private static String generatePassword() {
         String password = new Random().ints(20, 33, 127).mapToObj(i -> (char) i)
                 .collect(StringBuilder::new, StringBuilder::appendCodePoint, StringBuilder::append).toString();

diff --git a/core/src/main/java/hudson/slaves/SlaveComputer.java b/core/src/main/java/hudson/slaves/SlaveComputer.java
@@ -1116,10 +1116,14 @@ private static class SlaveInitializer extends MasterToSlaveCallable<Void, Runtim
             this.ringBufferSize = ringBufferSize;
         }
 
-        @Override
         @SuppressFBWarnings(value = "ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD", justification = "field is static for the reason explained in the Javadoc for LogHolder")
-        public Void call() {
+        private void setLogHandler() {
             SLAVE_LOG_HANDLER = new RingBufferLogHandler(ringBufferSize);
+        }
+
+        @Override
+        public Void call() {
+            setLogHandler();
 
             // avoid double installation of the handler. Inbound agents can reconnect to the controller multiple times
             // and each connection gets a different RemoteClassLoader, so we need to evict them by class name,

diff --git a/core/src/main/java/hudson/util/RemotingDiagnostics.java b/core/src/main/java/hudson/util/RemotingDiagnostics.java
@@ -142,7 +142,6 @@ public ClassLoader getClassLoader() {
         }
 
         @Override
-        @SuppressFBWarnings(value = "GROOVY_SHELL", justification = "script console is a feature, not a bug")
         public String call() throws RuntimeException {
             // if we run locally, cl!=null. Otherwise the delegating classloader will be available as context classloader.
             if (cl == null)       cl = Thread.currentThread().getContextClassLoader();
@@ -158,7 +157,7 @@ public String call() throws RuntimeException {
             PrintWriter pw = new PrintWriter(out);
             shell.setVariable("out", pw);
             try {
-                Object output = shell.evaluate(script);
+                Object output = evaluateScript(shell);
                 if (output != null)
                 pw.println("Result: " + output);
             } catch (Throwable t) {
@@ -167,6 +166,11 @@ public String call() throws RuntimeException {
             return out.toString();
         }
 
+        @SuppressFBWarnings(value = "GROOVY_SHELL", justification = "script console is a feature, not a bug")
+        private Object evaluateScript(GroovyShell shell) {
+            return shell.evaluate(script);
+        }
+
         private static final long serialVersionUID = 1L;
     }
 

diff --git a/core/src/main/java/hudson/util/jna/Advapi32.java b/core/src/main/java/hudson/util/jna/Advapi32.java
@@ -32,7 +32,6 @@
  *
  * @author TB
  */
-@SuppressFBWarnings(value = "MS_OOI_PKGPROTECT", justification = "for backward compatibility")
 @SuppressWarnings("UnusedReturnValue")
 public interface Advapi32  extends StdCallLibrary {
   Advapi32 INSTANCE = (Advapi32) Native.load("Advapi32", Advapi32.class, Options.UNICODE_OPTIONS);

diff --git a/core/src/main/java/hudson/util/jna/SHELLEXECUTEINFO.java b/core/src/main/java/hudson/util/jna/SHELLEXECUTEINFO.java
@@ -89,8 +89,6 @@ protected List getFieldOrder() {
                 "hProcess");
     }
 
-    @SuppressFBWarnings(value = {"UUF_UNUSED_PUBLIC_OR_PROTECTED_FIELD", "URF_UNREAD_PUBLIC_OR_PROTECTED_FIELD"},
-            justification = "JNA Data Structure")
     public static class DUMMYUNIONNAME_union extends Union {
         public Pointer hIcon;
         public Pointer hMonitor;

diff --git a/core/src/main/java/jenkins/fingerprints/FileFingerprintStorage.java b/core/src/main/java/jenkins/fingerprints/FileFingerprintStorage.java
@@ -334,7 +334,6 @@ private static String messageOfParseException(Throwable throwable) {
     /**
      * Deletes a directory if it's empty.
      */
-    @SuppressFBWarnings(value = "RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE", justification = "https://github.com/spotbugs/spotbugs/issues/756")
     private void deleteIfEmpty(File dir) {
         try {
             if (Files.isDirectory(dir.toPath())) {

diff --git a/core/src/main/java/jenkins/formelementpath/FormElementPathPageDecorator.java b/core/src/main/java/jenkins/formelementpath/FormElementPathPageDecorator.java
@@ -1,14 +1,12 @@
 package jenkins.formelementpath;
 
-import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.Extension;
 import hudson.model.PageDecorator;
 import jenkins.util.SystemProperties;
 
 @Extension
 public class FormElementPathPageDecorator extends PageDecorator {
 
-    @SuppressFBWarnings(value = "MS_SHOULD_BE_FINAL", justification = "for script console")
     private static /*almost final */ boolean ENABLED =
             SystemProperties.getBoolean(FormElementPathPageDecorator.class.getName() + ".enabled");
 

diff --git a/core/src/main/java/jenkins/install/SetupWizard.java b/core/src/main/java/jenkins/install/SetupWizard.java
@@ -128,7 +128,6 @@ public SetupWizard() {
      * @since 2.260 (with NoExternalUse)
      */
     @Restricted(NoExternalUse.class)
-    @SuppressFBWarnings(value = "MS_SHOULD_BE_FINAL", justification = "Accessible via System Groovy Scripts")
     private static /* not final */ String ADMIN_INITIAL_API_TOKEN = SystemProperties.getString(ADMIN_INITIAL_API_TOKEN_PROPERTY_NAME);
 
     @NonNull
@@ -212,7 +211,6 @@ public String getDisplayName() {
         }
     }
 
-    @SuppressFBWarnings(value = "UNSAFE_HASH_EQUALS", justification = "only checked against true")
     private void createInitialApiToken(User user) throws IOException, InterruptedException {
         ApiTokenProperty apiTokenProperty = user.getProperty(ApiTokenProperty.class);
 
@@ -763,7 +761,6 @@ public void init(FilterConfig cfg) throws ServletException {
         }
 
         @Override
-        @SuppressFBWarnings(value = "UNVALIDATED_REDIRECT", justification = "TODO needs triage")
         public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
             // Force root requests to the setup wizard
             if (request instanceof HttpServletRequest && !Jenkins.get().getInstallState().isSetupComplete()) {

diff --git a/core/src/main/java/jenkins/security/ApiTokenProperty.java b/core/src/main/java/jenkins/security/ApiTokenProperty.java
@@ -26,7 +26,6 @@
 
 import edu.umd.cs.findbugs.annotations.CheckForNull;
 import edu.umd.cs.findbugs.annotations.NonNull;
-import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.Extension;
 import hudson.Util;
 import hudson.model.Descriptor.FormException;
@@ -89,7 +88,6 @@ public class ApiTokenProperty extends UserProperty {
      *
      * @since 1.638
      */
-    @SuppressFBWarnings(value = "MS_SHOULD_BE_FINAL", justification = "Accessible via System Groovy Scripts")
     private static /* not final */ boolean SHOW_LEGACY_TOKEN_TO_ADMINS =
             SystemProperties.getBoolean(ApiTokenProperty.class.getName() + ".showTokenToAdmins");
 
@@ -102,7 +100,6 @@ public class ApiTokenProperty extends UserProperty {
      *
      * @since 2.129
      */
-    @SuppressFBWarnings(value = "MS_SHOULD_BE_FINAL", justification = "Accessible via System Groovy Scripts")
     private static /* not final */ boolean ADMIN_CAN_GENERATE_NEW_TOKENS =
             SystemProperties.getBoolean(ApiTokenProperty.class.getName() + ".adminCanGenerateNewTokens");
 
@@ -175,7 +172,6 @@ public boolean hasLegacyToken() {
 
     @NonNull
     @Restricted(NoExternalUse.class)
-    @SuppressFBWarnings(value = "UNSAFE_HASH_EQUALS", justification = "Used to prevent use of pre-2013 API tokens, then returning the API token value")
     /*package*/ String getApiTokenInsecure() {
         if (apiToken == null) {
             return Messages.ApiTokenProperty_NoLegacyToken();

diff --git a/core/src/main/java/jenkins/security/apitoken/ApiTokenStore.java b/core/src/main/java/jenkins/security/apitoken/ApiTokenStore.java
@@ -304,7 +304,6 @@ private boolean isLegacyToken(@NonNull String token) {
      * @param tokenUuid The identifier of the token, could be retrieved directly from the {@link HashedToken#getUuid()}
      * @return the revoked token corresponding to the given {@code tokenUuid} if one was found, otherwise {@code null}
      */
-    @SuppressFBWarnings(value = "UNSAFE_HASH_EQUALS", justification = "Only used during revocation.")
     public synchronized @CheckForNull HashedToken revokeToken(@NonNull String tokenUuid) {
         for (Iterator<HashedToken> iterator = tokenList.iterator(); iterator.hasNext(); ) {
             HashedToken token = iterator.next();

diff --git a/core/src/main/java/jenkins/util/JSONSignatureValidator.java b/core/src/main/java/jenkins/util/JSONSignatureValidator.java
@@ -245,7 +245,6 @@ private boolean digestMatches(byte[] digest, String providedDigest) {
     }
 
 
-    @SuppressFBWarnings(value = {"NP_LOAD_OF_KNOWN_NULL_VALUE", "RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE"}, justification = "https://github.com/spotbugs/spotbugs/issues/756")
     protected Set<TrustAnchor> loadTrustAnchors(CertificateFactory cf) throws IOException {
         // if we trust default root CAs, we end up trusting anyone who has a valid certificate,
         // which isn't useful at all

diff --git a/core/src/main/java/jenkins/util/ScriptListener.java b/core/src/main/java/jenkins/util/ScriptListener.java
@@ -26,7 +26,6 @@
 
 import edu.umd.cs.findbugs.annotations.CheckForNull;
 import edu.umd.cs.findbugs.annotations.NonNull;
-import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import groovy.lang.Binding;
 import hudson.ExtensionPoint;
 import hudson.model.User;
@@ -141,7 +140,6 @@ class ListenerWriter extends Writer {
         private final String correlationId;
         private final User user;
 
-        @SuppressFBWarnings("EI_EXPOSE_REP2")
         public ListenerWriter(Writer writer, Object feature, Object context, String correlationId, User user) {
             this.writer = writer;
             this.feature = feature;
@@ -182,7 +180,6 @@ class ListenerOutputStream extends OutputStream {
         private final String correlationId;
         private final User user;
 
-        @SuppressFBWarnings("EI_EXPOSE_REP2")
         public ListenerOutputStream(OutputStream os, Charset charset, Object feature, Object context, String correlationId, User user) {
             this.os = os;
             this.charset = charset;

diff --git a/core/src/main/java/jenkins/util/io/PathRemover.java b/core/src/main/java/jenkins/util/io/PathRemover.java
@@ -25,7 +25,6 @@
 package jenkins.util.io;
 
 import edu.umd.cs.findbugs.annotations.NonNull;
-import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.Functions;
 import hudson.Util;
 import java.io.IOException;
@@ -135,8 +134,6 @@ private PausingGCRetryStrategy(int maxRetries, boolean gcAfterFailedRemove, long
             this.waitBetweenRetries = waitBetweenRetries;
         }
 
-        @SuppressFBWarnings(value = "DM_GC", justification = "Garbage collection happens only when "
-                + "GC_AFTER_FAILED_DELETE is true. It's an experimental feature in Jenkins.")
         private void gcIfEnabled() {
             /* If the Jenkins process had the file open earlier, and it has not
              * closed it then Windows won't let us delete it until the Java object

diff --git a/core/src/main/java/jenkins/widgets/HistoryPageFilter.java b/core/src/main/java/jenkins/widgets/HistoryPageFilter.java
@@ -67,7 +67,6 @@ public class HistoryPageFilter<T> {
     public boolean hasDownPage = false; // there are older builds than on this page
     @SuppressFBWarnings(value = "URF_UNREAD_PUBLIC_OR_PROTECTED_FIELD", justification = "read by Stapler")
     public long nextBuildNumber;
-    @SuppressFBWarnings(value = "URF_UNREAD_PUBLIC_OR_PROTECTED_FIELD", justification = "read by Stapler")
     public HistoryWidget widget;
 
     public long newestOnPage = Long.MIN_VALUE; // see updateNewestOldest()

diff --git a/core/src/main/java/org/jenkins/ui/symbol/Symbol.java b/core/src/main/java/org/jenkins/ui/symbol/Symbol.java
@@ -2,7 +2,6 @@
 
 import edu.umd.cs.findbugs.annotations.CheckForNull;
 import edu.umd.cs.findbugs.annotations.NonNull;
-import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.Functions;
 import hudson.PluginWrapper;
 import hudson.Util;
@@ -91,7 +90,6 @@ public static String get(@NonNull SymbolRequest request) {
     }
 
 
-    @SuppressFBWarnings(value = {"NP_LOAD_OF_KNOWN_NULL_VALUE", "RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE"}, justification = "Spotbugs doesn't grok try-with-resources")
     private static String loadSymbol(String namespace, String name) {
         String markup = PLACEHOLDER_SVG;
         ClassLoader classLoader = getClassLoader(namespace);

diff --git a/pom.xml b/pom.xml
@@ -28,7 +28,7 @@ THE SOFTWARE.
   <parent>
     <groupId>org.jenkins-ci</groupId>
     <artifactId>jenkins</artifactId>
-    <version>1.129</version>
+    <version>1.130</version>
     <relativePath />
   </parent>