Jenkins 2023 Recap
Contributed by: Wadeck Follonier
The Jenkins Security team has multiple missions, with the most visible to users being the publication of advisories.
In 2023, the team published 17 advisories: 4 included Jenkins core, and 13 were solely about plugins. In total, 211 vulnerabilities were announced.
In terms of reporting trends, we have seen an increase in people reporting CVEs originating from dependencies. Our position on this issue is that when analyzing CVEs, if they are impacting we correct them and publish an advisory; otherwise, we publish a blog post only for the most popular ones, such as Spring4Shell or Log4Shell. With dozens of CVEs published every month, we prefer not to publish information for each one unless it is relevant.
To reduce the occurrence of those issues and provide reporters with a point of reference, we have updated the security policy in Docker.
We would also like to extend our gratitude to the GitHub Security Lab for reporting 27 vulnerabilities through their CodeQL rules and for their collaborative efforts in both the analysis and the enhancement of our tools.
The team does not rely solely on “external” security researchers to find vulnerabilities; a considerable amount of time during the year is spent on proactively auditing the code. This year was marked by some specific research areas: OAuth flow and disabled SSL validation, in addition to the usual CSRF, XSS, or XXE vulnerabilities.
Additionally, we have expanded the scope of our security reviews for Pull Requests, particularly in Jenkins core. Approximately 70 PRs were labeled as “security-approved”. This proactive measure allowed the team to prevent the introduction of some vulnerabilities, which is significantly less costly than addressing them after they have been incorporated into the production code.
As part of our mission, raising community awareness about security is also a key factor in reducing the introduction of vulnerabilities at an early stage. In this regard, we welcomed Andrea to our security team for a summer internship from June to August. By the end of it, he had successfully reported 28 vulnerabilities. For more information about his internship, you can read his blog post.
Education and tooling are closely related for us. We are investing time to propose new security automation and to improve our existing tooling. This year, we introduced the existing CodeQL ruleset for hosting requests. This provided future maintainers with detailed explanations of the findings. Along with this effort, we also enhanced our security scan by supporting warning suppression through code annotation.
Continuing with tooling improvements, we added a beta feature to the bot present in SECURITY tickets, allowing maintainers to block or unblock releases of their plugins. The intent of this feature is to reduce the likelihood of an involuntary release when one is staged in private for a future advisory.
We also introduced the possibility of having an exclusive CD mode. This option allows maintainers to force all releases of their plugins to be done through the official CI, reducing the risk related to their laptops being compromised.
Nowadays, AI is everywhere. For security, it’s often a bit more complicated due to the aspect of confidentiality. To circumvent this while still delving into the topic, we have been using OpenAI API since October to triage the new JENKINS tickets. It’s the public tracker for Jenkins, but sometimes, vulnerability reports are wrongly submitted there. AI has helped us detect whether something is security-related and thus expands our scope without needing to monitor everything. This approach has proven to be quite successful after three months.
Along with other small projects, we continue to work on more long-term/background projects, such as the introduction of the Content-Security-Policy header. Throughout the year, we made significant progress in covering the core usage of inline JavaScript.
Contributed by: Mark Waite
Jenkins is a project of the Continuous Delivery Foundation. We’re grateful for the many different ways that the Continuous Delivery Foundation supports the Jenkins project. They provide financial support for Jenkins infrastructure, promotional support for Jenkins initiatives, infrastructure support for the Jenkins issue tracker, and consultation on many other topics. The Jenkins project was well represented at cdCon 2023 and at cdCon Japan.
Contributed by: Damien Duportal
Infrastructure costs decreased by 21% in 2023 while usage increased. Jenkins use is increasing worldwide and Jenkins infrastructure continues to meet the growing needs.
Jenkins infrastructure broadened its operating environments in 2023 by expanding its use of ARM64 processors to reduce costs. Additional software improvements were implemented in the Jenkins Pipeline to reduce costs while maintaining reliability.
Costs were further reduced by the Artifactory bandwidth reduction project. We’ve gone from 50 TB per month to 15 TB per month of artifact repository bandwidth use, thanks to help from JFrog and implementations of artifact caching proxies by the infrastructure team.
We’re grateful for donations from our organizational sponsors like CloudBees, the Continuous Delivery Foundation, and the Linux Foundation and for our infrastructure sponsors including GitHub, JFrog, Atlassian, Microsoft, DigitalOcean, Netlify, PagerDuty, Discourse, Datadog, and Cloudflare. We deeply appreciate the mirror providers around the world like Oregon State University Open Source Lab, Tsinghua University, XMission, Yamagata University, Servana, Belnet, and RWTH Aachen University.
Contributed by: Mark Waite
The badly outdated and unmaintained Prototype.js JavaScript library has been removed from Jenkins core and from over 50 Jenkins plugins. Special thanks to Basil Crow and Tim Jacomb for their work to identify and replace Prototype.js references in Jenkins JavaScript.
User interface look and feel improvements continued throughout 2023. Improvements were delivered in forms, menus, and pages. Menus are easier to navigate and easier to understand.
Multiple improvements were released for the Jenkins management pages, including the new “Appearance” page that makes it easier to use Jenkins themes. Forms, pages, and menus have all been enhanced in 2023.
Navigation of cloud management pages is simpler and clearer thanks to layout and navigation enhancements.
Hundreds of user interface improvement pull requests have been merged this year. Thanks to all those contributors!
Contributed by: Bruno Verachten
The year 2023 has been a significant period for the Jenkins project, marked by notable advancements and achievements. The community as a whole has played a crucial role in shaping the project’s trajectory.
Software Versions
-
Jenkins Core: The project witnessed multiple Jenkins Core releases, featuring advancements in stability, security, and added features. Notable releases include Jenkins LTS 2.426.2 and weekly releases, reflecting our commitment to both stability and innovation.
-
Java Versions: The transition to Java 17 and subsequently Java 21 marked a significant step forward. The community diligently tested the top 250 plugins with Java 21, showcasing the project’s adaptability to evolving technologies.
-
Java Support Plan: The proposal and discussion around the 2+2+2 Java Support Plan demonstrated a strategic vision for the project’s future. This aligns with industry standards, ensuring long-term sustainability.
-
Dependency Updates: Components throughout the Jenkins project were updated in 2023, including operating systems, libraries, and tools. We also made essential transitions, such as moving to Debian Bookworm, the latest Alpine version, and implementing an end-of-life warning. This helps users know when they need to upgrade their OS or Java version. Additionally, we officially declared the end of life for Jenkins support of Red Hat Enterprise Linux 7 and derivatives like Centos 7 and Amazon Linux 2.
Docker Images and Containers
-
The transition to using OS-based images and installing JDK from binaries in some instances, rather than relying solely on Temurin images, highlighted our adaptability to evolving best practices.
-
Now, all Docker images are available with a version of Eclipse Temurin JDK21.
-
We expanded our platform support to include amd64, aarch64, s390x, windows/amd64, and even armv7 for some images.
-
Regular dependency updates were a focus in 2023:
-
Docker agent received 205 pull requests.
-
Inbound agent saw 132 pull requests.
-
Docker ssh-agent had 139 pull requests.
-
Docker had 219 pull requests.
Expanded Compatibility Testing
The Jenkins project added over 90 plugins to the compatibility testing suite that is part of our plugin bill of materials. The most popular Jenkins plugins are regularly tested in a Jenkins configuration with hundreds of other plugins.
These updates and transitions underscore our commitment to providing a robust and adaptable platform for our users.
Contributed by: Kevin Martens
Throughout 2023, the Jenkins site and documentation saw several changes from returning and new contributors. Over the course of 12 months, the site had a total of 843 pull requests merged, 67 blog posts from 21 different authors, and 98 plugin wiki migrations completed. These pull requests and blog posts covered everything from minor adjustments and refinements to major announcements regarding Jenkins and everything in between.
Some of the notable changes that happened were:
-
The addition of the Platform Information section, which contains Java information and Jenkins support policies.
-
The Plugin Health Score is now visible on https://plugins.jenkins.io/, providing users insight into the health of plugins in the Jenkins ecosystem.
-
The Books page was updated with new additions & formatting.
-
The Contributor Spotlight page was launched to highlight the heaviest contributors to Jenkins. The goal is to appreciate and showcase the talent and hard work that goes into keeping Jenkins working behind the scenes.
-
This was done in collaboration with the Outreach & Advocacy SIG.
-
Several enhancements to Jenkins.io for mobile users were implemented so that regardless of platform, everyone can access and read every screen. Additionally, there is a new layout for the blog, where each post is displayed as a card.
There was also the addition of UpdateCLI to the jenkins.io repository. This has helped ensure that whenever new versions of Jenkins are released, the documentation is updated accordingly. Thanks to Bruno Verachten for his work on getting this configured and added.
The Google Summer of Code participants also provided various contributions to both Jenkins core and Jenkins.io, sharing their experiences and insights with the community.
In the coming year, we are also planning on implementing a versioned documentation site, where users will select which Jenkins LTS version they are using and see the corresponding documentation. This is the result of a Google Summer of Code project originally looking at alternative build tools for jenkins.io. Thanks to Kris Stern and Vandit Singh for all their work on this.
Contributed by: Alyssa Tong
In 2023, through the collaboration and contributions of new and existing community members from around the globe, the Jenkins project successfully completed the following projects for the betterment of Jenkins:
-
The launching of a new site, contributors.jenkins.io, is dedicated to highlighting top Jenkins contributors who are dedicating their time and talent to shape the future of Jenkins.
-
Participated in Google Summer of Code 2023
-
Welcomed 80+ new contributors with over 400 pull requests merged in Hacktoberfest 2023
-
Participated in five DevOps World locations, with community speakers
-
Tim Jacomb - London
-
Olivier Lamy - Singapore
-
Mark Waite - New York, Chicago, and Santa Clara
-
Along the way, Jenkins won the DevOps Dozen Most Innovative DevOps Open Source Project award for 2023!
The Jenkins project is also excited to share what’s to come in 2024:
-
Jenkins in GSoC 2024: Call for Project Ideas + Call for Mentors.
-
A Guide for Mentors is a great resource for potential GSoC mentors, who want to give back to the community through the act of mentorship.
-
-
Contributor Summit at FOSDEM: A day-long event featuring updates on the "State of Jenkins", Projects/SIGs, discussion on various key projects, and demos (Feb 2, 2024).
-
FOSDEM'24: Jenkins will have a devstand at FOSDEM (Feb 3-4, 2024).
-
SCALE 21x: Jenkins will have a booth presence at SCALE (March 14-17, 2024)
Jenkins Momentum
In August, we worked together with the Linux Foundation and the CloudBees communications teams to report out on achievements of the Jenkins project. We highlighted growth in Jenkins jobs, along with the vibrant contributor community and impressive community sponsors. Jenkins still enjoys an estimated 44% market share and is a critical part of the IT infrastructure enabling organizations to automate their CI/CD processes.
Specifically, as reported in the news release and from the community stats:
-
Monthly Jenkins Pipeline jobs defined grew 79% during the period June 2021 – June 2023, from 27,105,176 jobs per month to 48,625,398 jobs per month. Jenkins Pipeline jobs are used to build out CI/CD software delivery automation flows, or software pipelines. Growth in this job type is a leading indicator of CI/CD adoption and, specifically, the pervasiveness of Jenkins-based CI/CD.
-
Total monthly jobs rose 45% from June 2021, when 50,785,205 jobs per month were defined, to June 2023 when 73,746,418 jobs per month were defined. Growth in the total monthly workload (all Jenkins jobs) further demonstrates the expansion of Jenkins usage within organizations.
The news release also called out the 600 active contributors the Jenkins project has, along with sponsors such as GitHub, Atlassian, AWS, CloudBees, Datadog, DigitalOcean, Discourse, Fastly, GitHub, IBM, JFrog, Netlify, PagerDuty, and Sentry.
Many THANKS!
The Jenkins project consists of more than 2000 plugins and components which are maintained and developed by thousands of contributors from around the globe. Thanks to them, a lot of improvements happen in the project every day. We are grateful to everybody who participates in the project, regardless of contribution size. Every bit makes a difference: new features, bug fixes, documentation, blog posts, well reported issues, Stackoverflow responses, etc.
MANY THANKS FOR ALL YOUR CONTRIBUTIONS!
Here’s looking forward to many more exciting accomplishments to come in 2024!