Update to commons-beanutils:1.9.4 without disabling the protection

[daniel-beck]

This pull request attempts to update to commons-beanutils:1.9.4 without disabling the additional protection it offers around the class attribute.

It seems in my (fairly limited so far) testing that the problem is st:include's class attribute. So this pull request renames the attribute to clazz (and keeps the existing setter for compatibility).

This PR additionally proposes a workaround that applies when Jelly files are being parsed and the resulting tags are created: For the st:include tag, when the class attribute would be set, instead set clazz. This attempts to take care of all existing code that sets the class attribute for this tag.

I am unsure how best to go about ensuring this doesn't cause a lot of problems. While this fix looks fairly safe, it may also be incomplete. In the short term, #209 seems like the safer approach.

CC @basil

[basil]

Looks great!

[rsandell]

We've had riskier workarounds in the past.

[jeffret-b]

This makes good sense and is the best proposal about how to move forward and upgrade to the new version. We can't just allow ourselves to remain on the old version and be blocked from continuing forward.

Hopefully this will work. If it doesn't there is a sufficient amount of escape hatches and configuration to allow people with other scenarios to continue while we correct anything additional that might arise.

[basil]

This looks great! Very nice change.

[oleg-nenashev]

Looks right. Kudos to the Jelly team and @jstrachan for such extensibility

[MRamonLeon]

Who's able to merge this PR @daniel-beck, @oleg-nenashev? It has enough approvals for a few days already. The permission updater repo doesn't mention any maintainer: https://github.com/jenkins-infra/repository-permissions-updater/blob/master/permissions/component-stapler.yml

[daniel-beck]

The permission updater repo doesn't mention any maintainer

That's explained in the linked file in a comment.

@jglick Please hold off releasing for another week until we've merged in changes from the upcoming security update (merging is fine though).

[jglick]

Just let me know when you want a release.

[batmat]

Why can't we just release and hold-off updating this into Jenkins Core?
We do not understand the rationale here. Thanks!

[daniel-beck]

Because there's a privately staged new release of Stapler. That release you're asking for would never be in a core update anyway (and if it were it'd be a pretty big regression over next week's core release for absolutely no reason).