Major Security and Accessibility Updates in CloudBees CI and Jenkins 

Written by: Runxia Ye

Cleaning up technical debt is a challenge that all software products need to face one day and this is no different for Jenkins and CloudBees CI. But when it comes to bringing better security and accessibility to our customers, we do not shy away from the amount of work that needs to be done. Today, I'm happy to announce that we are releasing a rejuvenated CloudBees CI with updates to three key libraries and an important cleanup of the UI code. 

With time, software accumulates technical debt. It is a huge undertaking to replace obsolete and/or forked third-party libraries or old HTML code that, over time, have become omnipresent. However, in an era where Dependabot is offering updates to libraries released just hours before and responsive web design is a basic requirement, we saw the urgent need to roll up our sleeves and tackle these necessary changes head-on: 

  • Replace the Acegi Security library used for authentication with Spring Security

  • Unfork the XStream library used to read and write XML configuration files and switch to the upstream library in a more standard usage mode

  • Upgrade the jQuery library used in UI elements and remove the dependency altogether where possible

  • Update configuration UI pages for a wide range of screen sizes by using ‘div’ instead of ‘table’ layout

Acegi to Spring Security Migration

The Acegi Security library, which formed the basis of the CloudBees CI security system, is largely based on 13-year-old code. When a security scan of CloudBees CI encounters 13-year-old libraries, it invariably triggers serious warnings. The security team has long proven that there are no exploitable vulnerabilities here. But however well-founded the explanation was, this was something we decided to solve at the root. Acegi Security has now been replaced with an up-to-date version of Spring Security. Additionally, the Spring Framework libraries required by Spring Security have been updated. Full technical details are available in Spring Security Framework JEP-227.

XStream Unfork

The XStream serialization library is used to convert most of CloudBees CI’s configuration to and from XML. The XStream library was forked at the outset of Jenkins, back when it was called Hudson, because at the time (the mid-2000s) it did not meet the nascent project’s requirements. As with Acegi Security, having severely out-of-date libraries in our code base triggers serious warnings during security scans. Using a forked version of a library also means that we do not benefit from updates from the open source project that improve things like functionality, performance and the security profile. We have now migrated back to the commonly maintained open source version of XStream. Full technical details are available at Unforking XStream JEP-228.

jQuery Upgrade 

jQuery is a UI library that is used throughout Jenkins and CloudBees CI. This was a messy situation since many different versions of jQuery were in use. Both core Jenkins and some plugins introduced their own versions of jQuery into the overall code base. Many of these versions were years out of date. We are quite certain that vulnerabilities associated with the out-of-date jQuery libraries are not exploitable. However, due to the dynamic nature of JavaScript, it is almost impossible to prove this categorically. We have now upgraded everything to the latest version of jQuery and removed the dependency altogether when possible.
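To see how many jQuery copies a set of plugins actually ships, the sketch below inventories jQuery release banners inside plugin archives, including jars nested within them. It is an added example, not CloudBees or Jenkins code; the plugin names and file paths in the sample are constructed.

```python
import io
import re
import zipfile
from collections import defaultdict

# jQuery release banners: "jQuery v3.5.1" (minified) and "jQuery JavaScript
# Library v1.11.3" (unminified). Copies with a stripped banner are not detected.
BANNER = re.compile(rb"jQuery (?:JavaScript Library )?v(\d+\.\d+(?:\.\d+)?)")
ARCHIVES = (".hpi", ".jpi", ".jar", ".war")

def scan_archive(data, origin, found, depth=0):
    """Record each jQuery banner in a zip-format archive, descending into nested jars."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not an archive; skip rather than abort the whole inventory
    with zf:
        for info in zf.infolist():
            name = info.filename
            if name.lower().endswith(ARCHIVES) and depth < 3:  # bounded recursion
                scan_archive(zf.read(info), f"{origin}!{name}", found, depth + 1)
            elif name.lower().endswith(".js"):
                with zf.open(info) as fh:
                    match = BANNER.search(fh.read(4096))  # banner sits at the top
                if match:
                    found[match.group(1).decode()].append(f"{origin}!{name}")

def inventory(archives):
    """archives maps file name -> bytes; returns {jquery_version: [locations]}."""
    found = defaultdict(list)
    for name, data in sorted(archives.items()):
        scan_archive(data, name, found)
    return dict(found)

def make_zip(members):  # helper that builds the constructed sample in memory
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample: two hypothetical plugins, one with jQuery inside a nested jar.
SAMPLE = {
    "alpha.hpi": make_zip({"WEB-INF/lib/alpha.jar": make_zip(
        {"js/jquery.min.js": b"/*! jQuery v1.11.3 | (c) jQuery Foundation */"})}),
    "beta.jpi": make_zip({"scripts/jquery.js": b"/*!\n * jQuery JavaScript Library v3.5.1\n */"}),
}
if __name__ == "__main__":
    print(inventory(SAMPLE))
```

For a real controller, read each `.hpi` or `.jpi` file under `$JENKINS_HOME/plugins` into the mapping passed to `inventory`; more than one key in the result means more than one jQuery version is being shipped.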

Tables to Divs Transition

Using HTML table elements for layout purposes has long been frowned upon in web development. The HTML div element has been recommended for this purpose since the early 2000s. Jenkins and CloudBees CI relied heavily upon HTML tables for layout purposes. The effort to migrate configuration pages away from tables improves the responsiveness and usability of the forms. As plugins in Jenkins can contribute fragments to configuration pages, we also tested and fixed all the plugins in the CloudBees Assurance Program and even some popular community plugins to make sure that they work well with the new form layout.

Collaboration with the Jenkins project and open source community

The four changes mentioned here have been released in weekly Jenkins releases beginning with Jenkins 2.264. Community experiences with Jenkins weekly releases have helped CloudBees engineers prepare for the CloudBees CI release to CloudBees customers. Jenkins community users benefit from faster fixes and CloudBees customers benefit from exploratory testing in the community. Developers in the Jenkins community have made great contributions to this release. We’re grateful to the Jenkins developers and the Jenkins weekly users for their interactions with community developers and CloudBees developers. The 12 weeks of preparation for the March release have been busy and productive.

Today, all these changes are absorbed into the new Jenkins LTS and the March 2021 release of CloudBees CI for our customers. This way CloudBees is confident that our customers will receive a high quality release.

Kudos

A lot of people have been involved with this work. Two key developers from the CloudBees side were Jesse Glick and Félix Queiruga. Besides them, Wadeck Follonier and the whole CloudBees CI engineering team have made significant contributions to these efforts.

We would also like to give a huge shout-out to the community and the Jenkins project, especially Tim Jacomb, Raihaan Shouhell and the many plugin developers and testers who have contributed to making these challenging changes possible.

 

