[JENKINS-54601] Include security fixes from 1.9.40 in 1.7.24.X #3
Conversation
No custom Dockerfile yet was needed for this. But we can easily introduce one if the necessary environment gets more complex/custom.
Add script to make it easier to get a working JDK7 environment
…-client into JENKINS-54601
varyvol
changed the title
run-maven-env.sh
Outdated
|
|
||
| if [ -f "$MAVEN_SETTINGS_SECURITY" ] | ||
| then | ||
| echo "Using $MAVEN_SETTINGS_SECURITY file found." |
There was a problem hiding this comment.
Better remove 'Using' or 'found'? It sounds weird to me 'Using settings-security.xml file found'
There was a problem hiding this comment.
Code looks to me and also it's picked from https://github.com/AsyncHttpClient/async-http-client/
I have no enough context to review it from a functional PoV
RELEASE.adoc
Outdated
| = How to release this in Jenkins environment | ||
|
|
||
| See the `run-maven.sh` shell script to run a Docker container with the right environment. | ||
| Then, if you already have the right Maven settings.xml files, you should be able to |
There was a problem hiding this comment.
NIT: Maven settings.xml files-> maven settings*.xml files or maven settings files or maven setting.xml file if you are referring only to this one
| @@ -467,6 +447,17 @@ public boolean isValid() { | |||
| * @return the {@link HostnameVerifier} | |||
| */ | |||
| public HostnameVerifier getHostnameVerifier() { | |||
| if (hostnameVerifier == null) { | |||
| synchronized (this) { | |||
| if (hostnameVerifier == null) | |||
There was a problem hiding this comment.
IMO, since this repo is to fix security vulnerabilities and we are backporting the fix, I wouldn't change the code to ease future backports
There was a problem hiding this comment.
Yes, I prefer not to touch code that is coming from the library directly.
There was a problem hiding this comment.
+1 to @varyvol and @fcojfernandez in this case
| /** | ||
| * Set the maximum time in millisecond an {@link com.ning.http.client.AsyncHttpClient} can wait when connecting to a remote host | ||
| * | ||
| * @param defaultConnectionTimeOutInMs the maximum time in millisecond an {@link com.ning.http.client.AsyncHttpClient} can wait when connecting to a remote host |
There was a problem hiding this comment.
change the param name to connectTimeout
| /** | ||
| * Set the maximum time in millisecond an {@link com.ning.http.client.AsyncHttpClient} can stay idle. | ||
| * | ||
| * @param defaultIdleConnectionTimeoutInMs |
| @@ -1043,6 +1051,11 @@ public Builder setMaxConnectionLifeTimeInMs(int maxConnectionLifeTimeInMs) { | |||
| return this; | |||
| } | |||
|
|
|||
| public Builder setAcceptAnyCertificates(boolean acceptAnyCertificate) { | |||
There was a problem hiding this comment.
This is coming from the library directly, that's why.
Co-Authored-By: varyvol <[email protected]>
Co-Authored-By: varyvol <[email protected]>
There was a problem hiding this comment.
Although it is a formally breaking change, I do not see any usages of changed classes inside the jenkinsci organization. It does not fully guarantee that there will be no impact on Jenkins, because any transitive dependency within GitHub may also include dependency on Asynch HTTP Client. And we cannot be 100% for sure.
Why do I request changes in this pull request?
- The README.md in the repository is confusing. The changed is not tested on Travis CI as the README suggests. I either request setting up a flow on Travis/Jenkins or removing the the mention of CI
- RELEASE.adoc is not linked from README.adoc. IMO README.adoc is confusing, because it has not been updated after the fork. I recommend to just deleting the existing content and adding a small readme explaining reasons of the fork and what's inside
It would be also great if you could add a summary of how this change was tested (to the PR description).
| @@ -467,6 +447,17 @@ public boolean isValid() { | |||
| * @return the {@link HostnameVerifier} | |||
| */ | |||
| public HostnameVerifier getHostnameVerifier() { | |||
| if (hostnameVerifier == null) { | |||
| synchronized (this) { | |||
| if (hostnameVerifier == null) | |||
There was a problem hiding this comment.
+1 to @varyvol and @fcojfernandez in this case
| * @param sslEngineFactory the {@link SSLEngineFactory} for secure connection | ||
| * @return a {@link Builder} | ||
| */ | ||
| public Builder setSSLEngineFactory(SSLEngineFactory sslEngineFactory) { |
There was a problem hiding this comment.
Was unable to find usages in Jenkins plugins. I am OK with that though I would recommend to keep a method stub which would be throwing an explicit RuntimeException that the method is removed
| @@ -165,11 +166,6 @@ public AsyncHttpClientConfigBean setSslContext(SSLContext sslContext) { | |||
| return this; | |||
| } | |||
|
|
|||
| public AsyncHttpClientConfigBean setSslEngineFactory(SSLEngineFactory sslEngineFactory) { | |||
| /** | ||
| * Factory that creates an {@link SSLEngine} to be used for a single SSL connection. | ||
| */ | ||
| public interface SSLEngineFactory { |
| @@ -15,101 +15,43 @@ | |||
| */ | |||
| package com.ning.http.util; | |||
There was a problem hiding this comment.
I was unable to find any usages of this class inside the jenkinsci org. Fine with me
|
Maybe we should also rename this repository to |
|
@oleg-nenashev I've updated the README file. |
| @@ -9,31 +9,18 @@ | |||
| <groupId>com.ning</groupId> | |||
There was a problem hiding this comment.
Would be nice to update the parent POM to the Jenkins Parent POM to make it follow the jenkins release flow standards. https://github.com/jenkinsci/pom
|
@oleg-nenashev used https. |
|
Yes, but unsure on the answer. I thought that was already contemplated on the HOSTING request. I can raise a ticket if that is the usual naming pattern. Anyway I guess this is independent from the PR. |
Yes, it is independent. Would be nice to discuss it before the release |
JENKINS-54601
Both PCT and OSS ATH was executed without any detected failure.
@batmat @oleg-nenashev @dwnusbaum @stephenc