Skip to content

Enable Spotless#1091

Merged
jglick merged 3 commits intojenkinsci:masterfrom
jglick:spotless
Sep 30, 2025
Merged

Enable Spotless#1091
jglick merged 3 commits intojenkinsci:masterfrom
jglick:spotless

Conversation

@jglick
Copy link
Member

@jglick jglick commented Sep 30, 2025
edited
Loading

@jglick jglick requested a review from a team as a code owner September 30, 2025 18:20
@jglick jglick added the chore label Sep 30, 2025
@jglick jglick marked this pull request as draft September 30, 2025 18:22
github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 30, 2025
View reviewed changes
plugin/src/main/java/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinition.java
@QueryParameter boolean sandbox) {
return sandbox ? FormValidation.ok() :
ScriptApproval.get().checking(value, GroovyLanguage.get(), !Objects.equals(oldScript, value));
public FormValidation doCheckScript(

Check warning

Code scanning / Jenkins Security Scan

Stapler: Missing permission check Warning

Potential missing permission check in DescriptorImpl#doCheckScript
plugin/src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java
}

private CpsGroovyShell(@CheckForNull CpsFlowExecution execution, CompilerConfiguration cc, ClassLoader usuallyTimingLoader) {
private CpsGroovyShell(

Check warning

Code scanning / Jenkins Security Scan

Jenkins: Potentially unsafe classes Warning

This use of class
groovy.lang.GroovyShell
Loading
should be reviewed for unsafe behavior, like allowing XML External Entity injection, or arbitrary code execution.
plugin/src/main/java/org/jenkinsci/plugins/workflow/cps/CpsThreadDumpAction.java

@WebMethod(name = "program.xml") public void doProgramDotXml(StaplerRequest2 req, StaplerResponse2 rsp) throws Exception {
@WebMethod(name = "program.xml")
public void doProgramDotXml(StaplerRequest2 req, StaplerResponse2 rsp) throws Exception {

Check warning

Code scanning / Jenkins Security Scan

Stapler: Missing POST/RequirePOST annotation Warning

Potential CSRF vulnerability: If CpsThreadDumpAction#doProgramDotXml connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
@jglick jglick marked this pull request as ready for review September 30, 2025 20:01
@jglick jglick mentioned this pull request Sep 30, 2025
Closed
@jglick jglick enabled auto-merge (squash) September 30, 2025 20:41
@lemeurherve
Copy link
Member

lemeurherve commented Sep 30, 2025

@jglick to unblock you cf jenkins-infra/helpdesk#4816 (comment) until ACP is fixed, you can add the skip-artifact-caching-proxy label to this PR and trigger a new build which will skip ACP for the mean time.

@jglick jglick merged commit 038a73c into jenkinsci:master Sep 30, 2025
16 of 17 checks passed
@jglick jglick deleted the spotless branch September 30, 2025 22:40
jglick added a commit that referenced this pull request Sep 30, 2025
@jglick
.git-blame-ignore-revs for #1091
e4b9517
@jglick jglick mentioned this pull request Oct 13, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dwnusbaum dwnusbaum dwnusbaum approved these changes

Assignees

No one assigned

Labels

chore skip-artifact-caching-proxy

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jglick @lemeurherve @dwnusbaum