Removes commons-lang:2.6 from core#26105

Draft
alecharp wants to merge 11 commits into jenkinsci:master from alecharp:chore/remove-commons-lang-2.6
Conversation

@alecharp
Member

@alecharp alecharp commented Jan 12, 2026

A follow-up of #10886.
Commons Lang 2.6 has a security advisory and is not maintained. Removing it from core is the best path forward.

Fixes #16404

Testing done

Build the project locally. Expecting to get test results from CI and then use the incremental version to build jenkinsci/bom.

Proposed changelog entries

  • Removes Commons Lang 2.6 library from Core

Proposed changelog category

/label developer

Proposed upgrade guidelines

N/A

Submitter checklist

  • The issue, if it exists, is well-described.
  • The changelog entries and upgrade guidelines are appropriate for the audience affected by the change (users or developers, depending on the change) and are in the imperative mood (see examples). Fill in the Proposed upgrade guidelines section only if there are breaking changes or changes that may require extra steps from users during upgrade.
  • There is automated testing or an explanation as to why this change has no tests.
  • New public classes, fields, and methods are annotated with @Restricted or have @since TODO Javadocs, as appropriate.
  • New deprecations are annotated with @Deprecated(since = "TODO") or @Deprecated(forRemoval = true, since = "TODO"), if applicable.
  • UI changes do not introduce regressions when enforcing the current default rules of Content Security Policy Plugin. In particular, new or substantially changed JavaScript is not defined inline and does not call eval to ease future introduction of Content Security Policy (CSP) directives (see documentation).
  • For dependency updates, there are links to external changelogs and, if possible, full differentials.
  • For new APIs and extension points, there is a link to at least one consumer.

Desired reviewers

@mention

Before the changes are marked as ready-for-merge:

Maintainer checklist

  • There are at least two (2) approvals for the pull request and no outstanding requests for change.
  • Conversations in the pull request are over, or it is explicit that a reviewer is not blocking the change.
  • Changelog entries in the pull request title and/or Proposed changelog entries are accurate, human-readable, and in the imperative mood.
  • Proper changelog labels are set so that the changelog can be generated automatically.
  • If the change needs additional upgrade steps from users, the upgrade-guide-needed label is set and there is a Proposed upgrade guidelines section in the pull request title (see example).
  • If it would make sense to backport the change to LTS, be a Bug or Improvement, and either the issue or pull request must be labeled as lts-candidate to be considered.

@comment-ops-bot comment-ops-bot bot added the developer Changes which impact plugin developers label Jan 12, 2026
@alecharp alecharp added the squash-merge-me Unclean or useless commit history, should be merged only with squash-merge label Jan 12, 2026
@MarkEWaite
Contributor

MarkEWaite commented Jan 12, 2026

A spreadsheet of plugins that need to have commons-lang 2 removed is included in issue:

The spreadsheet is out of date. Git plugin 5.8.0 removed the commons-lang2 dependency, as one example.

@MarkEWaite MarkEWaite linked an issue Jan 12, 2026 that may be closed by this pull request
@MarkEWaite
Contributor

There is also a suggestion for an addition to the Jenkins plugin pom file that will help avoid accidental insertion of references to commons-lang 2. The idea is described in issue:
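
One way such a guard can be expressed, as an added example that is neither the plugin-pom's own change nor the exact proposal in the linked issue: a Maven Enforcer bannedDependencies rule that fails a plugin build whenever commons-lang:commons-lang (any version) shows up in the resolved dependency tree, directly or transitively. The execution id and the failure message are assumed names; the plugin version is assumed to be managed by the parent pom.

```xml
<!-- Added example (not from the PR or plugin-pom): fail the build if the
     unmaintained Commons Lang 2 artifact is pulled in by any path. -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-enforcer-plugin</artifactId>
  <!-- version assumed to be managed by the parent pom -->
  <executions>
    <execution>
      <id>ban-commons-lang-2</id> <!-- assumed id -->
      <goals>
        <goal>enforce</goal>
      </goals>
      <configuration>
        <rules>
          <bannedDependencies>
            <!-- pattern is groupId:artifactId; no version part means every version -->
            <excludes>
              <exclude>commons-lang:commons-lang</exclude>
            </excludes>
            <!-- also catch the artifact when it arrives through another plugin's
                 dependencies, which is how it usually sneaks back in -->
            <searchTransitive>true</searchTransitive>
            <message>commons-lang 2.x is banned: it has an open security advisory and is unmaintained. Depend on org.apache.commons:commons-lang3 (or a Jenkins plugin that provides it) instead.</message>
          </bannedDependencies>
        </rules>
        <!-- make the rule fatal rather than a warning -->
        <fail>true</fail>
      </configuration>
    </execution>
  </executions>
</plugin>
```

Running `mvn dependency:tree -Dincludes=commons-lang:commons-lang` on a failing build shows which path brings the artifact in, so the offending dependency can be excluded or upgraded rather than the rule relaxed.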

@alecharp
Member Author

There is also a suggestion for an addition to the Jenkins plugin pom file that will help avoid accidental insertion of references to commons-lang 2. The idea is described in issue:

I can work on that.

@alecharp
Member Author

I cannot reproduce the test failure locally. Would it be possible to re-run the pull request build?

@alecharp alecharp closed this Jan 12, 2026
@alecharp alecharp reopened this Jan 12, 2026
@timja timja added the needs-pct-build A run through of bom is needed label Jan 13, 2026
</dependency>
<dependency>
<groupId>commons-lang</groupId>
<artifactId>commons-lang</artifactId>
Member

What's the plan for rolling this out?

Example:

  1. As there are so many plugins, make this a detached plugin?
  2. Fixing the majority of the plugins in the spreadsheet
  3. Something else?

Member Author

For now, I want to see with the BOM if we have critical plugins broken with this removal. The security advisory of Commons Lang 2.6 has been out there for a long time now and we need to stop suffering from it.

Fixing all the plugins in the spreadsheet is not really feasible. Fixing the top 250 probably.

Member Author

And with jenkinsci/plugin-pom#1338 (comment), it might go rather quickly.

@mawinter69
Contributor

A spreadsheet of plugins that need to have commons-lang 2 removed is included in issue:

The spreadsheet is out of date. Git plugin 5.8.0 removed the commons-lang2 dependency, as one example.

I updated the spreadsheet for the first 100 plugins.

Development

Successfully merging this pull request may close these issues.

[JENKINS-72981] Remove Commons Lang 2 from core