jenkins-plugin

Changelog

Version 3.20.7 (November 08, 2024)

• Fixed a TOML parsing error that affected scanning of Python projects using pyproject.toml and poetry.lock

Version 3.20.6 (October 07, 2024)

• Fixed issue where the callflow algorithm parameter was not assigned the default value RTA_PLUS

Version 3.20.5 (September 25, 2024)

• Fixed issue with Jenkins DSL plugin treating optional parameters as required
• Improved the handling of Maven plugin-generated scan modules files (module.xml) to ensure a consistent approach across the policy evaluation step and the callflow analysis sub-step
• Added support for displaying both the App and Priorities Reports

Version 3.20.4 (September 04, 2024)

• Set Jenkins 2.452.x LTS as the minimum supported version
• Added an option to enable the Callflow feature from the UI configuration

Version 3.20.3 (August 20, 2024)

• Maintenance release

Version 3.20.2 (August 12, 2024)

• Added support for scanning CycloneDx version 1.6 files
• Added support for analyzing Java 21 and Java 22 bytecode

Version 3.20.1 (July 12, 2024)

• Maintenance release

Version 3.20.0 (June 27, 2024)

• Preview feature: Reachability Analysis
• Maintenance release

Version 3.19.6 (June 05, 2024)

• Maintenance release

Version 3.19.5 (May 17, 2024)

• Bug fix: exclude patterns work with archive files as well

Version 3.19.4 (April 09, 2024)

• Maintenance release

Version 3.19.3 (March 07, 2024)

• Maintenance release

Version 3.19.2 (February 08, 2024)

• Maintenance release

Version 3.19.1 (January 19, 2024)

• Added support for exclude scan patterns

Version 3.19.0 (December 08, 2023)

• Java 11 is the minimum supported Java version

Version 3.18.0 (November 02, 2023)

• Maintenance release

Version 3.17.518 (September 08, 2023)

• Renamed the feature previously known as Policy Violation Grandfathering to Legacy Violations

Version 3.17.514 (September 01, 2023)

• Added support for scanning SPDX version 2.3 files

Version 3.16.510 (August 01, 2023)

• Added support for scanning Java class binaries produced by Java 19 and 20

Version 3.16.508 (July 20, 2023)

• Maintenance release

Version 3.16.503 (July 05, 2023)

• Maintenance release

Version 3.16.501 (June 16, 2023)

• Maintenance release

Version 3.16.497 (June 13, 2023)

• Added full support for Java 17

Version 3.16.491 (May 12, 2023)

• Maintenance release

Version 3.16.489 (April 20, 2023)

• Maintenance release

Version 3.16.487 (April 06, 2023)

• Maintenance release

Version 3.16.485 (March 22, 2023)

• For remote image scanning, environmental variables NEXUS_CONTAINER_IMAGE_REGISTRY_USER and NEXUS_CONTAINER_IMAGE_REGISTRY_PASSWORD are not required and are now optional for public images

Version 3.16.481 (February 27, 2023)

• Maintenance release

Version 3.16.478 (February 13, 2023)

• Maintenance release

Version 3.16.476 (January 27, 2023)

• Maintenance release

Version 3.16.474 (January 16, 2023)

• Maintenance release

Version 3.16.471 (December 14, 2022)

• Removed support for scanning IaC targets

Version 3.16.465 (December 01, 2022)

• Scanning local images does not require providing environmental variables
• To scan remote images, the user will now have to provide only these variables:
  • NEXUS_CONTAINER_IMAGE_REGISTRY_USER
  • NEXUS_CONTAINER_IMAGE_REGISTRY_PASSWORD

Version 3.16.459 (November 17, 2022)

• Fixed for an edge case where the policy evaluation pipeline stage is marked UNSTABLE even though no policy violations are present

Version 3.16.455 (October 26, 2022)

• Maintenance release

Version 3.16.453 (October 20, 2022)

• Maintenance release

Version 3.16.449 (October 06, 2022)

• Policy evaluation stage is marked according to policy actions
• Fixed dependency conflict with certain versions of the credentials plugin

Version 3.16.444 (September 22, 2022)

• Added the organization ID parameter, used for automatic IQ apps
• Fixed Nexus IQ Build Report to properly show the icon for “notify” actions

Version 3.15.438 (September 07, 2022)

• Started using the lightweight Nexus Java API to reduce complexity on class loading for the plugin

Version 3.14.431 (July 28, 2022)

• Improved summary message for policy evaluations

Version 3.14.424 (July 07, 2022)

• Maintenance release

Version 3.14.418 (June 16, 2022)

• Maintenance release

Version 3.14.415 (June 01, 2022)

• Maintenance release

Version 3.14.412 (May 19, 2022)

• Maintenance release

Version 3.14.407 (April 29, 2022)

• Added support for scanning Java class binaries produced by Java 18

Version 3.14.405 (March 28, 2022)

• Fixed a IllegalAccessError that prevents the plugin to run properly in certain cases

Version 3.14.403 (March 24, 2022)

• Fixed a NoSuchMethodError exception that prevents the plugin to run in certain cases

Version 3.14.401 (March 15, 2022)

• Maintenance release

Version 3.13.20220304 (March 04, 2022)

• Maintenance release

Version 3.13.20220201 (February 01, 2022)

• Reduced logging on INFO level

Version 3.13.20220124 (January 24, 2022)

• Bug fix for false positives in container scans

Version 3.13.20220121 (January 21, 2022)

• Added support for scanning IaC targets

Version 3.13.20211220 (December 20th, 2021)

• Conda Matching Improvements
• Cran and Cargo Matching Improvements

Version 3.13.20211207 (December 7th, 2021)

• Updated the min Jenkins version required to 2.249.1
• Removed obsolete dependencies

Version 3.13.20211117 (November 18th, 2021)

• Added support for multiple Nexus IQ Servers

Version 3.12.20211110 (November 11th, 2021)

• Fixed java.lang.NoClassDefFoundError: io/jenkins/cli/shaded/org/xml/sax/ContentHandler

Version 3.12.20211019 (October 21th, 2021)

• Added support for scanning Java class binaries produced by Java 17

Version 3.11.20210920 (September 20, 2021)

• Added support for using environment variables and credentials for required values for container scanning
• Made default mount folder for nexus container analysis workspace temp folder

Version 3.11.20210915 (September 16, 2021)

• Bug fixes
• NPM manifest file scans now include dependency information and can identify InnerSource components

Version 3.11.20210824 (August 25, 2021)

• Made mount folder for nexus container analysis customisable
• Made default mount folder /tmp for nexus container analysis
• Improvements in log statements for nexus container analysis

Version 3.11.20210811 (August 11, 2021)

• Bug fixes

Version 3.11.20210729 (July 30, 2021)

• Handle yarn v2 files
• Exclude package-lock.json in favour of npm-shrinkwrap.json
• Bug fixes

Version 3.11.20210716 (July 16, 2021)

• Add support for nexus container analysis
• Make build unstable on scan error

Version 3.11.20210621 (June 21st, 2021)

• Deleted temp files from scan after eval
• Send licensed features into the scanner
• Fixed runtime error due to stax2 conflict
• Added jenkins version to user agent

Version 3.11.20210420 (April 20th, 2021)

• Added support for scanning Java class binaries produced by Java 16
• Fixed XStream parser error when scanning nuget manifests

Version 3.11.20210323 (March 24th, 2021)

• Fixed a regression in configuring the Policy Evaluation task in the UI

Version 3.11.20210308 (March 8th, 2021)

• Added scanning and application/package analysis support for Java using a pom.xml or build.gradle file

Version 3.11.20210301 (March 1, 2021)

• Added a Global Configuration option to remove direct IQ reporting of policy violations from Jenkins

Version 3.10.20210222 (February 23rd, 2021)

• Updated the resultant structure to include the nested dependencies to form a dependency tree when scanning a module.xml file
• Added scanning and application/package analysis support for the following ecosystems:
  • NPM using files : yarn.lock, pnpm-lock.yaml, package-lock.json, npm-shrinkwrap.json
  • Nuget using packages.config file or .csproj files

Version 3.10.20201208 (December 8th, 2020)

• Added support for running the plugin with Java 11 and 14
• Added support for scanning Java class binaries produced by Java 14 and 15

Version 3.9.20201109 (November 9th, 2020)

• Added flag to enable debug logging

Version 3.9.20200722 (July 22nd, 2020)

• Added scanning and application/package analysis support for Conan using a conaninfo.txt file (in addition to the files conanfile.txt and conanfile.py)

Version 3.9.20200716 (July 16th, 2020)

• Added scanning and application/package analysis support for Golang using a go.list file (in addition to the file go.sum)

Version 3.9.20200623 (June 23rd, 2020)

• Added scanning and application/package analysis support for the following ecosystems:
  • Alpine
  • Conda
  • Debian
  • Drupal
  • R (Cran)
  • Rust (Cargo)
  • Swift (Cocoapods)
  • Yum
• Use policy violation counts instead of component counts in the policy evaluation summary
• Fixed an issue with y-axis labels on the new trend graph

Version 3.8.20200204 (February 6th, 2020)

• Fixed to ensure that all Nexus IQ for SCM logging goes to the build log instead of the server log

Version 3.8.20191216 (December 18th, 2019)

• Fixed additional marshalling issue with new trend graph

Version 3.8.20191213 (December 13th, 2019)

• Fixed marshalling issue with new trend graph
• Fixed issue with y-axis number on new trend graph

Version 3.8.20191204 (December 4th, 2019)

• Added Nexus IQ Build Report which shows details for warn/fail vulnerabilities
• Support slave nodes for automatic repository URL discovery for usage with Nexus IQ for SCM

Version 3.8.20191127 (November 27th, 2019)

• Added trend graph to a Pipeline, which depicts the information about the last 5 builds with critical, severe and moderate violation numbers
• Added support to scan and evaluate Clair identified container dependencies
• Added support to scan and evaluate identified dependencies from a CycloneDX SBOM file

Version 3.8.20190920 (September 20th, 2019)

• Added support for automatically deducing the repository URL for usage with Nexus IQ for SCM

Version 3.7.20190823 (August 23rd, 2019)

• Added support for automatically deducing git commit hash for usage with Nexus IQ for SCM

Version 3.6.20190722 (July 22nd, 2019)

• BREAKING CHANGES: Nexus IQ 69 or newer is a required upgrade to use the Nexus Platform Plugin
• BREAKING CHANGES: Support for Scanning Go Modules
• BREAKING CHANGES: Mitigate IQ Server Client Timeouts

Version 3.5.20190425 (April 25th, 2019)

• Added messages about Nexus Vulnerability Scanner to the plugin
• Added ability to provide custom/advanced properties to IQ scanner

Version 3.5.20190422 (April 22nd, 2019)

• Fixed for environmental variables not getting resolved in the tags field

Version 3.5.20190313 (March 13th, 2019)

• Added support for Java 12 IQ evaluations

Version 3.5.20190215 (February 18th, 2019)

• Added support for Scanning Python Wheel Packages

Version 3.4.20190116 (January 16th, 2019)

• Added support for Java 10, 11 IQ evaluations
• Added support for Python coordinate detection via requirements.txt files

Version 3.3.20190108 (January 8th, 2019)

• Added support for multiple policy evaluations per Jenkins job
• Added application name and IQ stage to the entries in the build results
• Renamed the “Application Composition Report” to “Nexus IQ Policy Evaluation”

Version 3.3.20181207 (December 12, 2018)

• Bug fix: Could not connect to Nexus Repository servers exposed over HTTPS
• Bug Fix: Proxy settings were not respected when verifying connection to Nexus Repository

Version 3.3.20181129 (November 29, 2018)

• Bug fix: IQ application list incorrect for jobs configured to use job specific credentials

Version 3.3.20181102 (November 2, 2018)

• Bug fix: Environment variables weren’t expanded for manual application IDs

Version 3.3.20181025 (October 25, 2018)

• Bug fix: When configuring the ‘Invoke Nexus Policy Evaluation’ build step, the ‘module excludes’ field is not persisted on save.
• Bug fix: Jenkins Platform Plugin unable to determine Nexus Repository Manager version using Server URL with trailing slash
• Bug fix: Jenkins plugin fails requests when Nexus is not at base context path
• Added link to plugin documentation for NXRM3 to readme

Version 3.3.20180912 (September 12, 2018)

• The plugin will now emit a warning when the scanner encounters an invalid JAR file:
  “[WARN] Could not open some.jar as an archive. Will scan it as regular file.”

Version 3.3.20180830 (August 30, 2018)

• BREAKING CHANGES: Nexus IQ 1.50 or newer is a required upgrade to use the Nexus Platform Plugin
• BREAKING CHANGES: Support for Nexus IQ Policy Violation Grandfathering
• BREAKING CHANGES: Fixed snippet generation

Version 3.3.20180801 (August 1, 2018)

• New build step available for tag association
• Moved components using NXRM3 search criteria from Pipeline

Version 3.2.20180724 (July 24, 2018)

• Added support of Nexus Repository Manager 3.13.0 servers for Maven component uploads, and new staging features (for Pro versions): tags, move, and delete

Version 3.1.20180702 (July 2, 2018)

• Fixes for recording of component occurrences

Version 3.1.20180605 (June 5, 2018)

• Log additions for Automatic application creation

Version 3.0.20180531 (May 31, 2018)

• UI fixes for chiclet style on older versions of Jenkins

Version 3.0.20180425 (April 25, 2018)

• BREAKING CHANGES: Nexus IQ 1.47 or newer is a required upgrade to use the Nexus Platform Plugin
• BREAKING CHANGES: Support for Nexus IQ Automatic application creation

Version 3.0.20180214 (February 14, 2018)

• BREAKING CHANGES: Pipeline jobs using the plugin will now fail during execution if a policy action is set to fail the build. This is different from previous behavior which would set the build result to failure but allow the build to continue. This is adopting standard practice for Jenkins pipeline plugins and allows more visibility into what has failed and why. Pipelines that require continuation of the build will have to surround the plugin step with try catch, where the evaluation information is now wrapped in the exception argument.
• BREAKING CHANGES: The pipeline step has always returned a model for the evaluation containing information about the results. The ApplicationPolicyEvaluation will no longer include a boolean for reevaluation therefore calls to get or set this will fail. The Jenkins pipeline has never supported reevaluation and this boolean has always returned false. For simplification, it has been removed.
• Module.xml evaluation support. The Nexus Platform Plugin for Jenkins now supports policy evaluations against results generated by the clm-maven-plugin index goal. The new plugin will scan module.xml files available in ’/sonatype-clm/module.xml’, ‘/nexus-iq/module.xml’ and will support module exclude patterns to exclude these files if desired.
• Fix for directory structure of JavaScript files scanned by the plugin
• No longer requires optional parameters to be declared in declarative pipelines
• All users can now select credentials for jobs as long as they have the appropriate permissions to configure the job and view the credentials

Version 1.6.20180123 (January 23, 2018)

• Whitelist updates to support JEP-200

Version 1.5.20171121 (November 21, 2017)

• Added support for Java 9 IQ evaluations

Version 1.4.20170929 (September 29, 2017)

• Updated upstream dependencies to consume latest IQ server Application Evaluation result
• Fix for throwing serializable exception upon client exception

Version 1.3.20170728 (July 28, 2017)

• Added support for Docker image evaluations

Version 1.2.20170627 (June 27th, 2017)

• Added support for credentials in Folder stores
• Added support for Certificate credentials through the Credentials Plugin

Version 1.2.20170428 (April 28th, 2017)

• Added support for Nexus Publish when remote agent is used for build

Version 1.2.20170417 (April 17th, 2017)

• Fix for connection pool saturation when publishing many components

Version 1.2.20170404 (April 4th, 2017)

• Initial release to the Jenkins Update Center