Special thanks from the Jenkins project to users and contributors with the New Year! Let’s take a look at some changes this year.
Highlights
-
Major events including Google Summer of Code, Hacktoberfest, She Code Africa Contributhon, and three Contributor Summits
-
Strong support from new and continuing Sponsors
-
Core features for configuration form modernization, upgrades to key dependencies, continuous delivery for plugins, and Java 11 as the preferred JVM
-
Security improvements for safer and more secure automation
-
Plugin site enhancements with integrated site search, better navigation, more information, and easier updates of existing information
-
Community site to encourage users to help one another and to welcome new contributors
Project updates
The highlights in this blog post do not cover all the advancements in the project.
Additional improvements are noted in the February 2021 Contributor Summit, the June 2021 Contributor Summit, and the October 2021 Contributor Summit. New and updated Jenkins features are described in the LTS changelog and the weekly changelog. The introduction to Jenkins 2.277.1 webinar shares more information on configuration form modernization, the update from acegi to Spring Security, and other dependency updates. See the security advisories archive for more details on security fixes and improvements.
Major events
The Jenkins project participates in major open source events around the world. These events bring new and existing contributors together to improve Jenkins.
Google Summer of Code 2021
The Jenkins project continued its deep commitment to Google Summer of Code in 2021.
Five Jenkins projects were accepted into Google Summer of Code. All five projects were completed successfully.
Special thanks to the Google Summer of Code students:
Read more about their results and their impact on the Jenkins project in the end of project report.
Hacktoberfest
Hacktoberfest 2021 contributors provided over 90 pull requests to Jenkins repositories. The pull requests included improvements to Jenkins core, Jenkins plugins, Jenkins infrastructure, and Jenkins documentation.
Key results included:
-
Translations and artwork, including improvements in French, Spanish, and Russian language translations and two new Jenkins images
-
Plugin documentation migration to GitHub for 29 different plugins, with a tutorial video to help new contributors
-
Security improvements in content security policy from six contributors moving JavaScript into dedicated files
-
Architecture diagrams providing both a dataflow view and a high-level overview of Jenkins
-
Five part video series on "Modernizing Jenkins Plugins"
She Code Africa Contributhon
The Jenkins project was a mentoring organization in the first ever She Code Africa Contributhon. The She Code Africa Contributhon pays African women to work with open source organizations on selected projects with dedicated mentors. This program aims to create a more diverse, inclusive, and innovative culture within the African open source ecosystem by matching African women in technology with sponsor and mentor open source organizations.
The five women met with mentors twice weekly for a month. They built Jenkins core and Jenkins plugins and submitted pull requests to improve Jenkins plugin online help and documentation. The 5 mentees on the Jenkins project joined the project from Nigeria, Kenya, and Rwanda.
More details are available in the She Code Africa blogpost.
Sponsors
The Jenkins project is truly fortunate to have so many sponsors contributing to its success. We thank our sponsors sincerely and look forward to their continuing support. The Jenkins project depends on sponsor organizations for its infrastructure, tools, and funding.
Jenkins distribution, build, test, and deployment infrastructure is provided by sponsors like JFrog, Amazon Web Services, Oregon State University Open Source Lab, Oracle, and DigitalOcean.
Jenkins development is tracked with tools provided by sponsors like GitHub, JFrog, Atlassian, the Linux Foundation, Netlify, and 1Password. Site search for the Jenkins primary web site and the plugins site is provided by Algolia.
Operational funding is provided by the Continuous Delivery Foundation, CloudBees, and Amazon Web Services.
Mirrors for worldwide distribution are provided by organizations like Oregon State University Open Source Lab, XMission, Tsinghua University, Yamagata University, Gruenehoelle NL, Belgian Education and Research Network, and RWTH Aachen University.
Core features
Jenkins core delivered 53 weekly releases and 14 long term support releases in 2021. Hundreds of plugin releases were delivered in 2021.
The releases included user interface improvements, security improvements, security fixes, dependency replacements, dependency updates, and more. Contributors from around the world provided the changes included in those releases.
Configuration form modernization
As the culmination of 12 months of work by many different people, Jenkins modernized its configuration forms in Jenkins 2.277.1. The Jenkins user interface is now much better adapted to narrow screens and modern web layout techniques. It works well on all modern web browsers.
The configuration form modernization introduction included a changelog, an upgrade guide, and an introductory webinar.
Dependency updates
Many outdated Jenkins dependencies were updated or replaced by 2021 development work.
The Jenkins core security library was converted from a forked copy of Acegi Security to the most recent release of the standard Spring Security library. The Jenkins core XML serialization library was converted from a forked copy of the XStream library to the most recent release of the standard XStream library. The Jenkins internal class management libraries were converted from a forked copy of Apache Ant libraries to the most recent release of the standard Apache Ant libraries.
Outdated libraries were removed from Jenkins core including ASM 5, ASM 6, Apache Commons Digester, Bytecode Compatibility Transformer, Akuma, Woodstox, JNA Posix, JTidy, and libpam4j. Removals were accompanied by plugin updates as needed to retain compatibility and functionality.
Key libraries were updated to use more recent releases of the libraries. Guava was upgraded from 11.0.1 to 31.0.1. Guice was upgraded from 4.0 to 5.0.1. Groovy was upgraded from 2.4.12 to 2.4.21. Many Apache Commons libraries were upgraded to their most recent releases.
Continuous delivery for plugins
Continuous delivery of Jenkins components was proposed in 2020 by Jesse Glick as Jenkins Enhancement Proposal 229. By the end of 2021, 119 plugins had adopted continuous delivery, providing new plugin releases each time a relevant commit was merged to the plugin repository. Additional components have adopted continuous delivery as well, including the plugin bill of materials and the Jenkins test harness.
We look forward to even greater adoption of continuous delivery for plugins in 2022.
Prefer Java 11 instead of Java 8
Java 11 was adopted as the recommended JDK during 2021. Docker images now use JDK 11 by default. See the blogpost for more information about the Docker image transition.
Docker images with Java 11 are also available for multiple platforms, including 64 bit ARM and IBM s390x.
More inclusive naming
The Jenkins project decided in 2016 to replace the term "slave" with the more inclusive term "agent". In July 2020 the project adopted the "controller" term to replace the older term "master".
Jenkins core 2.319.1 was released in December 2021 replaced the term "master" with more accurate terminology. The release also includes an integrated migration tool to allow existing installations to decide when they would adopt the new terminology.
Security improvements
Jenkins security improvements have continued throughout 2021. The Jenkins security team provided timely responses to security issues in Jenkins core and in Jenkins plugins. The project is sincerely grateful to Daniel Beck for his years of service as Jenkins Security Officer. Wadeck Follonier began his service as Jenkins Security Officer in December, 2021.
The Jenkins infrastructure team resolved infrastructure issues and safeguarded Jenkins infrastructure. The project is deeply grateful to Olivier Vernin for his years of service as Jenkins Infrastructure Officer. Damien Duportal began his service as Jenkins Infrastructure Officer in December, 2021.
Agent to controller security
Daniel Beck proposed Jenkins Enhancement Proposal 235 in November, 2021 to remove the ability to disable or customize the agent-to-controller security system. Telemetry has been added to Jenkins releases beginning with 2.319.1 and Jenkins 2.326. The telemetry reports agent use of methods to access files on the controller. As controller file access from agents is detected by the telemetry, issues are raised to remove that access from the offending plugin.
Log4j 2 zero day vulnerability
December 2021 included the announcement of multiple zero day vulnerabilities in the Apache Log4j 2 library. The Jenkins security team assessed the impact of the vulnerabilities and confirmed that Jenkins core was not affected by the vulnerabilities. Further research showed that Jenkins plugins might be affected by the vulnerabilities. Instructions were shared in a blogpost so that Jenkins administrators could check their system for issues. A Jira epic tracks the progress of corrections in the plugins that were including the affected Apache Log4j 2 library versions.
Jenkins Confluence instance shutdown
In September, 2021, a zero day vulnerability was disclosed in the Confluence version used in the Jenkins project. The infrastructure team permanently disabled the service, rotated privileged credentials, and actively reduced the scope of access across the Jenkins infrastructure. Passwords for all user accounts on jenkins.io were reset. Users were required to perform a password recovery in order to regain access to their jenkins.io accounts. See the blogpost for more details.
The page content from the Jenkins Confluence instance has been returned to service as static HTML pages. The plugin documentation from the Jenkins Confluence instance is now integrated into the plugin site build process.
Master project in Jenkins security
Wadeck Follonier coordinated and mentored an end-of-study security research project for four students during the last year of their Master’s Degree - Reliability and IT Security at the University of Aix-Marseille. The students applied their university training to audit Jenkins core and many Jenkins plugins for specific types of security issues. Their project resulted in 14 vulnerabilities reported in Jenkins security advisories. More details of their results and their processes are available in the blogpost.
Plugin site enhancements
The Jenkins plugins site has become the definitive location for information about Jenkins plugins. It successfully presents plugin documentation, changelogs, and dependencies for over 1100 plugins.
Site search is provided by an Algolia open source sponsorship for easy and accurate search of Jenkins plugins. Search performance reports are used to refine and improve the site.
Jenkins plugin maintainers migrated plugin documentation for over 200 plugins into plugin repositories. Documentation in GitHub repositories is easier to update, easier to manage, and more likely to be correct.
Community site
The Jenkins community has improved its communication with the addition of a new internet forum, community.jenkins.io. Discourse sponsors the internet forum management software that runs the community site. The site hosts question and answer forums, highlights novel and interesting use of Jenkins, and encourages users to help one another. See the "2021: Year in Review" page for more details on the use and evolution of the community site.
Jenkins is the way
"Jenkins Is The Way" is a global showcase of how developers and engineers are building, deploying, and automating great stuff with Jenkins. 138 new user stories were added to the site in 2021. Jenkins use around the world was highlighted in 3 eBooks.
What’s next?
The Jenkins project will be busy in 2022. User experience improvements are arriving. Java updates are continuing. In the coming months there will be discussions on the community site, in the mailing lists, special interest groups, and contributor summits. We invite all teams to work on their roadmaps and to communicate them in the community.
We also plan to continue all outreach programs. At the moment we are looking for Google Summer of Code 2022 mentors and project ideas (announcement). We also work on improving contribution guidelines for newcomers and expert contributors. If you are interested, please contact the Advocacy and Outreach SIG.
And even more
This blog post does not provide a full overview of what changed in the project. The Jenkins project consists of more than 2000 plugins and components which are developed by thousands of contributors. Thanks to them, a lot of changes happen in the project every day. We are cordially grateful to everybody who participates in the project, regardless of contribution size. Everything matters: new features, bug fixes, documentation, blog posts, well reported issues, Stackoverflow responses, etc. THANKS A LOT FOR ALL YOUR CONTRIBUTIONS!
So, keep updating Jenkins and exploring new features. And stay tuned, there is much more to come in 2022!