Merge branch 'master' into progressive-rendering-fix

Author: dukhlov

.github/workflows/announce-lts-rc.yml

@@ -17,7 +17,7 @@ jobs:
           discourse-author-username: jenkins-release-bot
           discourse-category: 23
       - name: Post on mailing list
-        uses: dawidd6/action-send-mail@6e71c855c9a091d80a519621b9fd3e8d252ca40c # v7
+        uses: dawidd6/action-send-mail@afe978662944c6805dd197bac88b27acb0bda55a # v8
         with:
           server_address: smtp.gmail.com
           server_port: 465

core/src/main/java/hudson/Functions.java

@@ -170,6 +170,7 @@
 import jenkins.model.details.Detail;
 import jenkins.model.details.DetailFactory;
 import jenkins.model.details.DetailGroup;
+import jenkins.telemetry.impl.PasswordMasking;
 import jenkins.util.SystemProperties;
 import org.apache.commons.jelly.JellyContext;
 import org.apache.commons.jelly.JellyTagException;
@@ -2256,32 +2257,64 @@ public String getPasswordValue(Object o) {
         if (o instanceof Secret || Secret.BLANK_NONSECRET_PASSWORD_FIELDS_WITHOUT_ITEM_CONFIGURE) {
             if (req != null) {
                 if (NON_RECURSIVE_PASSWORD_MASKING_PERMISSION_CHECK) {
+                    List<Ancestor> ancestors = req.getAncestors();
+                    String closestAncestor = ancestors.isEmpty() ? "unknown" :
+                        ancestors.getLast().getObject().getClass().getName();
+
                     Item item = req.findAncestorObject(Item.class);
                     if (item != null && !item.hasPermission(Item.CONFIGURE)) {
+                        PasswordMasking.recordMasking(
+                            item.getClass().getName(),
+                            closestAncestor,
+                            getJellyViewsInformationForCurrentRequest()
+                        );
                         return "********";
                     }
                     Computer computer = req.findAncestorObject(Computer.class);
                     if (computer != null && !computer.hasPermission(Computer.CONFIGURE)) {
+                        PasswordMasking.recordMasking(
+                            computer.getClass().getName(),
+                            closestAncestor,
+                            getJellyViewsInformationForCurrentRequest()
+                        );
                         return "********";
                     }
                 } else {
                     List<Ancestor> ancestors = req.getAncestors();
+                    String closestAncestor = ancestors.isEmpty() ? "unknown" :
+                        ancestors.getLast().getObject().getClass().getName();
+
                     for (Ancestor ancestor : Iterators.reverse(ancestors)) {
                         Object type = ancestor.getObject();
                         if (type instanceof Item item) {
                             if (!item.hasPermission(Item.CONFIGURE)) {
+                                PasswordMasking.recordMasking(
+                                    item.getClass().getName(),
+                                    closestAncestor,
+                                    getJellyViewsInformationForCurrentRequest()
+                                );
                                 return "********";
                             }
                             break;
                         }
                         if (type instanceof Computer computer) {
                             if (!computer.hasPermission(Computer.CONFIGURE)) {
+                                PasswordMasking.recordMasking(
+                                    computer.getClass().getName(),
+                                    closestAncestor,
+                                    getJellyViewsInformationForCurrentRequest()
+                                );
                                 return "********";
                             }
                             break;
                         }
                         if (type instanceof View view) {
                             if (!view.hasPermission(View.CONFIGURE)) {
+                                PasswordMasking.recordMasking(
+                                    view.getClass().getName(),
+                                    closestAncestor,
+                                    getJellyViewsInformationForCurrentRequest()
+                                );
                                 return "********";
                             }
                             break;

core/src/main/java/jenkins/telemetry/impl/PasswordMasking.java

@@ -0,0 +1,110 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2026, CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package jenkins.telemetry.impl;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.Extension;
+import java.time.LocalDate;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.atomic.AtomicLong;
+import jenkins.telemetry.Telemetry;
+import net.sf.json.JSONArray;
+import net.sf.json.JSONObject;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+
+/**
+ * Telemetry implementation gathering information about password field masking.
+ */
+@Extension
+@Restricted(NoExternalUse.class)
+public class PasswordMasking extends Telemetry {
+
+    private static final Map<String, AtomicLong> maskingCounts = new ConcurrentHashMap<>();
+
+    /**
+     * Records when password masking occurs.
+     *
+     * @param className the class name of the object
+     * @param closestAncestor the closest ancestor class name
+     * @param jellyView the Jelly view where masking occurred
+     */
+    public static void recordMasking(String className, String closestAncestor, String jellyView) {
+        if (Telemetry.isDisabled()) {
+            return;
+        }
+
+        String key = className + "|" + closestAncestor + "|" + jellyView;
+        maskingCounts.computeIfAbsent(key, k -> new AtomicLong(0)).incrementAndGet();
+    }
+
+    @NonNull
+    @Override
+    public String getDisplayName() {
+        return "Password field masking";
+    }
+
+    @NonNull
+    @Override
+    public LocalDate getStart() {
+        return LocalDate.of(2026, 1, 26);
+    }
+
+    @NonNull
+    @Override
+    public LocalDate getEnd() {
+        return LocalDate.of(2026, 7, 26);
+    }
+
+    @Override
+    public JSONObject createContent() {
+        JSONArray events = new JSONArray();
+        for (Map.Entry<String, AtomicLong> entry : maskingCounts.entrySet()) {
+            String[] parts = entry.getKey().split("\\|", 3);
+            if (parts.length == 3) {
+                String className = parts[0];
+                String closestAncestor = parts[1];
+                String jellyView = parts[2];
+                long count = entry.getValue().longValue();
+
+                JSONObject event = new JSONObject();
+                event.put("className", className);
+                event.put("closestAncestor", closestAncestor);
+                event.put("jellyView", jellyView);
+                event.put("count", count);
+                events.add(event);
+            }
+        }
+
+        maskingCounts.clear();
+
+        JSONObject payload = new JSONObject();
+        payload.put("components", buildComponentInformation());
+        payload.put("masking", events);
+
+        return payload;
+    }
+}

core/src/main/resources/hudson/PluginWrapper/index.jelly

@@ -0,0 +1,29 @@
+<!--
+The MIT License
+
+Copyright (c) 2026 Somil Jain
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+-->
+
+<?jelly escape-by-default='true'?>
+<j:jelly xmlns:j="jelly:core"
+         xmlns:st="jelly:stapler">
+    <st:redirect url="thirdPartyLicenses"/>
+</j:jelly>

core/src/main/resources/jenkins/telemetry/impl/PasswordMasking/description.jelly

@@ -0,0 +1,16 @@
+<?jelly escape-by-default='true'?>
+<j:jelly xmlns:j="jelly:core">
+    This trial collects detailed information about password field masking when users lack Configure permission on Items, Computers, or Views:
+    <ul>
+        <li>The class name</li>
+        <li>The closest ancestor class name</li>
+        <li>The Jelly view hierarchy where masking occurred</li>
+        <li>The frequency of each combination</li>
+    </ul>
+    <p>
+        This masking behavior is a fallback that should normally be rare, as views rendering content for users without Configure permission should use read-only mode instead.
+    </p>
+    <p>
+        Additionally, this trial collects the list of installed plugins, their version, and the version of Jenkins.
+    </p>
+</j:jelly>

package.json

@@ -29,12 +29,12 @@
     "@eslint/js": "9.39.2",
     "babel-loader": "10.0.0",
     "clean-webpack-plugin": "4.0.0",
-    "css-loader": "7.1.2",
+    "css-loader": "7.1.3",
     "css-minimizer-webpack-plugin": "7.0.4",
     "eslint": "9.39.2",
     "eslint-config-prettier": "10.1.8",
     "eslint-formatter-checkstyle": "9.0.1",
-    "globals": "17.1.0",
+    "globals": "17.2.0",
     "handlebars-loader": "1.7.3",
     "mini-css-extract-plugin": "2.10.0",
     "postcss": "8.5.6",

yarn.lock

@@ -3237,18 +3237,18 @@ __metadata:
   languageName: node
   linkType: hard
 
-"css-loader@npm:7.1.2":
-  version: 7.1.2
-  resolution: "css-loader@npm:7.1.2"
+"css-loader@npm:7.1.3":
+  version: 7.1.3
+  resolution: "css-loader@npm:7.1.3"
   dependencies:
     icss-utils: "npm:^5.1.0"
-    postcss: "npm:^8.4.33"
+    postcss: "npm:^8.4.40"
     postcss-modules-extract-imports: "npm:^3.1.0"
     postcss-modules-local-by-default: "npm:^4.0.5"
     postcss-modules-scope: "npm:^3.2.0"
     postcss-modules-values: "npm:^4.0.0"
     postcss-value-parser: "npm:^4.2.0"
-    semver: "npm:^7.5.4"
+    semver: "npm:^7.6.3"
   peerDependencies:
     "@rspack/core": 0.x || 1.x
     webpack: ^5.27.0
@@ -3257,7 +3257,7 @@ __metadata:
       optional: true
     webpack:
       optional: true
-  checksum: 10c0/edec9ed71e3c416c9c6ad41c138834c94baf7629de3b97a3337ae8cec4a45e05c57bdb7c4b4d267229fc04b8970d0d1c0734ded8dcd0ac8c7c286b36facdbbf0
+  checksum: 10c0/8743a8f1a0beff371d0fbeae7dbae7b079e546c734e3c936f0c5dc4603a716a576200e9261c934565584cf0e090cca444efb613efa4282ee3fcab81db4c73c7e
   languageName: node
   linkType: hard
 
@@ -4115,10 +4115,10 @@ __metadata:
   languageName: node
   linkType: hard
 
-"globals@npm:17.1.0":
-  version: 17.1.0
-  resolution: "globals@npm:17.1.0"
-  checksum: 10c0/4a4a17847676a09f164b8bdce7df105a4f484d6d44586e374087ba9ec7089cbf4c578b8648838dee9917074199c542ce157ea3c07b266f708dfb1652010900c8
+"globals@npm:17.2.0":
+  version: 17.2.0
+  resolution: "globals@npm:17.2.0"
+  checksum: 10c0/fd25a98b08c1d31082337cbbb5ff1b90b9980e1db69a8621fb942bdb2cdca8aa54d61466742e8bf4910578ea5fa903b8bf83bffd1b2d45551cc614830dba910b
   languageName: node
   linkType: hard
 
@@ -4545,12 +4545,12 @@ __metadata:
     "@eslint/js": "npm:9.39.2"
     babel-loader: "npm:10.0.0"
     clean-webpack-plugin: "npm:4.0.0"
-    css-loader: "npm:7.1.2"
+    css-loader: "npm:7.1.3"
     css-minimizer-webpack-plugin: "npm:7.0.4"
     eslint: "npm:9.39.2"
     eslint-config-prettier: "npm:10.1.8"
     eslint-formatter-checkstyle: "npm:9.0.1"
-    globals: "npm:17.1.0"
+    globals: "npm:17.2.0"
     handlebars: "npm:4.7.8"
     handlebars-loader: "npm:1.7.3"
     hotkeys-js: "npm:3.12.2"
@@ -6245,7 +6245,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"postcss@npm:8.5.6, postcss@npm:^8.4.33, postcss@npm:^8.4.40, postcss@npm:^8.5.6":
+"postcss@npm:8.5.6, postcss@npm:^8.4.40, postcss@npm:^8.5.6":
   version: 8.5.6
   resolution: "postcss@npm:8.5.6"
   dependencies:
@@ -6582,12 +6582,12 @@ __metadata:
   languageName: node
   linkType: hard
 
-"semver@npm:^7.3.5, semver@npm:^7.5.4, semver@npm:^7.6.2":
-  version: 7.7.2
-  resolution: "semver@npm:7.7.2"
+"semver@npm:^7.3.5, semver@npm:^7.6.2, semver@npm:^7.6.3":
+  version: 7.7.3
+  resolution: "semver@npm:7.7.3"
   bin:
     semver: bin/semver.js
-  checksum: 10c0/aca305edfbf2383c22571cb7714f48cadc7ac95371b4b52362fb8eeffdfbc0de0669368b82b2b15978f8848f01d7114da65697e56cd8c37b0dab8c58e543f9ea
+  checksum: 10c0/4afe5c986567db82f44c8c6faef8fe9df2a9b1d98098fc1721f57c696c4c21cebd572f297fc21002f81889492345b8470473bc6f4aff5fb032a6ea59ea2bc45e
   languageName: node
   linkType: hard