Merge branch 'master' into new-header

Author: janfaracik

.github/workflows/announce-lts-rc.yml

@@ -16,7 +16,7 @@ jobs:
           discourse-author-username: jenkins-release-bot
           discourse-category: 23
       - name: Post on mailing list
-        uses: dawidd6/action-send-mail@v3
+        uses: dawidd6/action-send-mail@v4
         with:
           server_address: smtp.gmail.com
           server_port: 465

bom/pom.xml

@@ -41,7 +41,7 @@ THE SOFTWARE.
     <commons-fileupload2.version>2.0.0-M2</commons-fileupload2.version>
     <groovy.version>2.4.21</groovy.version>
     <jelly.version>1.1-jenkins-20250108</jelly.version>
-    <stapler.version>1955.vdb_2736b_480e3</stapler.version>
+    <stapler.version>1961.vd0a_a_60970a_a_2</stapler.version>
   </properties>
 
   <dependencyManagement>
@@ -63,7 +63,7 @@ THE SOFTWARE.
       <dependency>
         <groupId>org.springframework</groupId>
         <artifactId>spring-framework-bom</artifactId>
-        <version>6.2.3</version>
+        <version>6.2.4</version>
         <type>pom</type>
         <scope>import</scope>
       </dependency>

core/src/main/java/hudson/Functions.java

@@ -1810,6 +1810,7 @@ public static <T> T defaulted(T value, T defaultValue) {
         return s.toString();
     }
 
+    @SuppressFBWarnings(value = "INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE", justification = "Jenkins handles this issue differently or doesn't care about it")
     private static void doPrintStackTrace(@NonNull StringBuilder s, @NonNull Throwable t, @CheckForNull Throwable higher, @NonNull String prefix, @NonNull Set<Throwable> encountered) {
         if (!encountered.add(t)) {
             s.append("<cycle to ").append(t).append(">\n");
@@ -1863,6 +1864,7 @@ private static void doPrintStackTrace(@NonNull StringBuilder s, @NonNull Throwab
      * @param pw the log
      * @since 2.43
      */
+    @SuppressFBWarnings(value = "XSS_SERVLET", justification = "TODO needs triage")
     public static void printStackTrace(@CheckForNull Throwable t, @NonNull PrintWriter pw) {
         pw.println(printThrowable(t).trim());
     }

core/src/main/java/hudson/Launcher.java

@@ -1000,6 +1000,7 @@ private File toFile(FilePath f) {
         }
 
         @Override
+        @SuppressFBWarnings(value = "COMMAND_INJECTION", justification = "TODO needs triage")
         public Channel launchChannel(String[] cmd, OutputStream out, FilePath workDir, Map<String, String> envVars) throws IOException {
             printCommandLine(cmd, workDir);
 
@@ -1437,11 +1438,15 @@ private static class RemoteChannelLaunchCallable extends MasterToSlaveCallable<O
             this.envOverrides = envOverrides;
         }
 
+        @SuppressFBWarnings(value = "COMMAND_INJECTION", justification = "TODO needs triage")
+        private Process launchProcess() throws IOException {
+            return Runtime.getRuntime()
+                    .exec(cmd, Util.mapToEnv(inherit(envOverrides)), workDir == null ? null : new File(workDir));
+        }
+
         @Override
         public OutputStream call() throws IOException {
-            Process p = Runtime.getRuntime().exec(cmd,
-                Util.mapToEnv(inherit(envOverrides)),
-                workDir == null ? null : new File(workDir));
+            Process p = launchProcess();
 
             List<String> cmdLines = Arrays.asList(cmd);
             new StreamCopyThread("stdin copier for remote agent on " + cmdLines,

core/src/main/java/hudson/PluginManager.java

@@ -363,6 +363,7 @@ PluginManager doCreate(@NonNull Class<? extends PluginManager> klass,
      * This is used to report a message that Jenkins needs to be restarted
      * for new plugins to take effect.
      */
+    @SuppressFBWarnings(value = "PA_PUBLIC_PRIMITIVE_ATTRIBUTE", justification = "Preserve API compatibility")
     public volatile boolean pluginUploaded = false;
 
     /**

core/src/main/java/hudson/ProxyConfiguration.java

@@ -27,6 +27,7 @@
 import com.thoughtworks.xstream.XStream;
 import edu.umd.cs.findbugs.annotations.CheckForNull;
 import edu.umd.cs.findbugs.annotations.NonNull;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.model.AbstractDescribableImpl;
 import hudson.model.Descriptor;
 import hudson.model.Saveable;
@@ -113,6 +114,7 @@ public final class ProxyConfiguration extends AbstractDescribableImpl<ProxyConfi
      * @see #getNoProxyHostPatterns()
      */
     @Restricted(NoExternalUse.class)
+    @SuppressFBWarnings(value = "PA_PUBLIC_PRIMITIVE_ATTRIBUTE", justification = "Preserve API compatibility")
     public String noProxyHost;
 
     @Deprecated

core/src/main/java/hudson/TcpSlaveAgentListener.java

@@ -206,6 +206,7 @@ public void run() {
     /**
      * Initiates the shuts down of the listener.
      */
+    @SuppressFBWarnings(value = "UNENCRYPTED_SOCKET", justification = "TODO needs triage")
     public void shutdown() {
         shuttingDown = true;
         try {

core/src/main/java/hudson/cli/CLICommand.java

@@ -124,6 +124,7 @@ public abstract class CLICommand implements ExtensionPoint, Cloneable {
      * (In contrast, calling {@code System.out.println(...)} would print out
      * the message to the server log file, which is probably not what you want.
      */
+    @SuppressFBWarnings(value = "PA_PUBLIC_PRIMITIVE_ATTRIBUTE", justification = "Preserve API compatibility")
     public transient PrintStream stdout, stderr;
 
     /**
@@ -139,6 +140,7 @@ public abstract class CLICommand implements ExtensionPoint, Cloneable {
      * <p>
      * This input stream is buffered to hide the latency in the remoting.
      */
+    @SuppressFBWarnings(value = "PA_PUBLIC_PRIMITIVE_ATTRIBUTE", justification = "Preserve API compatibility")
     public transient InputStream stdin;
 
     /**
@@ -150,6 +152,7 @@ public abstract class CLICommand implements ExtensionPoint, Cloneable {
     /**
      * The locale of the client. Messages should be formatted with this resource.
      */
+    @SuppressFBWarnings(value = "PA_PUBLIC_PRIMITIVE_ATTRIBUTE", justification = "Preserve API compatibility")
     public transient Locale locale;
 
     /**

core/src/main/java/hudson/cli/Connection.java

@@ -208,6 +208,7 @@ public Connection encryptConnection(SecretKey sessionKey, String algorithm) thro
         return new Connection(i, o);
     }
 
+    @SuppressFBWarnings(value = "STATIC_IV", justification = "TODO needs triage")
     private IvParameterSpec createIv(SecretKey sessionKey) {
         return new IvParameterSpec(sessionKey.getEncoded());
     }

core/src/main/java/hudson/cli/CopyJobCommand.java

@@ -24,6 +24,7 @@
 
 package hudson.cli;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.Extension;
 import hudson.model.Item;
 import hudson.model.TopLevelItem;
@@ -47,6 +48,7 @@ public String getShortDescription() {
     public TopLevelItem src;
 
     @Argument(metaVar = "DST", usage = "Name of the new job to be created.", index = 1, required = true)
+    @SuppressFBWarnings(value = "PA_PUBLIC_PRIMITIVE_ATTRIBUTE", justification = "Preserve API compatibility")
     public String dst;
 
     @Override