[pull] master from gocd:master

.github/dependabot.yml

@@ -1,5 +1,10 @@
 version: 2
 updates:
+- package-ecosystem: github-actions
+  directory: "/"
+  schedule:
+    interval: weekly
+    day: friday
 - package-ecosystem: gradle
   directory: "/"
   schedule:

.github/workflows/update-gradle-wrapper.yml

@@ -0,0 +1,24 @@
+name: Update Gradle Wrapper
+
+on:
+  schedule:
+    - cron: "0 0 * * *"
+  workflow_dispatch:
+
+jobs:
+  update-gradle-wrapper:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up JDK
+        uses: actions/setup-java@v4
+        with:
+          java-version: 21
+          distribution: temurin
+
+      - name: Update Gradle Wrapper
+        uses: gradle-update/update-gradle-wrapper-action@v2
+        with:
+          labels: dependencies, build-script

.gitignore

@@ -1,5 +1,5 @@
 ##########################################################################
-# Copyright 2024 Thoughtworks, Inc.
+# Copyright Thoughtworks, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

.tool-versions

@@ -1,3 +1,3 @@
-# Configuration for https://github.com/asdf-vm/asdf as an alternative to jabba, rvm, nvm etc
-java temurin-17.0.10+7
-nodejs 20.11.0
+# Configuration for https://mise.jdx.dev/ or https://github.com/asdf-vm/asdf as an alternative to jabba, sdkman, rvm, nvm etc
+java temurin-21.0.6+7.0.LTS
+nodejs 22.14.0

LICENSE

@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright 2024 Thoughtworks, Inc.
+   Copyright Thoughtworks, Inc.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

README.md

@@ -1,16 +1,27 @@
 # GoCD
 
-[![Join the chat at https://gitter.im/gocd/gocd](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/gocd/gocd?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
+[![Google Groups](https://img.shields.io/badge/Google_Groups-user_help-purple)](https://groups.google.com/g/go-cd)
+[![GitHub Discussions](https://img.shields.io/badge/GitHub_discussions-user_&_dev_chat-green)](https://github.com/gocd/gocd/discussions)
+[![GitHub License](https://img.shields.io/github/license/gocd/gocd?color=yellow)](LICENSE)
+[![Server Docker Pulls](https://img.shields.io/docker/pulls/gocd/gocd-server?label=Server%20Docker%20pulls)](https://hub.docker.com/r/gocd/gocd-server/)
+
 
 This is the main repository for [GoCD](https://gocd.org) - a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for worry-free, continuous delivery of your product.
 
-To quickly build your first pipeline while learning key GoCD concepts, visit our [Test Drive GoCD](https://www.gocd.org/test-drive-gocd.html).
+- To quickly build your first pipeline while learning key GoCD concepts, visit our [Test Drive GoCD](https://www.gocd.org/test-drive-gocd.html).
+- To download GoCD, visit the [downloads page](https://www.gocd.org/download/).
+
+## Security
+
+Please see [the security policy](SECURITY.md) for details on GoCD's security status, and how to responsibly disclose issues.
+
+## Development
 
-## Development Setup
+GoCD is predominantly a Java & TypeScript project utilising [Spring Framework](https://spring.io/projects/spring-framework/), [SparkJava](https://sparkjava.com/) & [MithrilJS](https://mithril.js.org/) as key frameworks, built using [Gradle](https://gradle.org/) & [Webpack](https://webpack.js.org/) and running within [Eclipse Jetty](https://eclipse.dev/jetty/).
 
-GoCD is predominantly a Java & TypeScript project utilising [Spring Framework](https://spring.io/projects/spring-framework/), [SparkJava](https://sparkjava.com/) & [MithrilJS](https://mithril.js.org/) as key frameworks, built using [Gradle](https://gradle.org/) & [Webpack](https://webpack.js.org/). There are still a small number of pages rendered server-side within [JRuby](https://www.jruby.org/) on [Rails](https://rubyonrails.org/) which utilise some legacy plain JavaScript. GoCD itself is used to [build GoCD](https://build.gocd.org).
+There are a small number of older parts of GoCD rendered server-side within [JRuby](https://www.jruby.org/) on [Rails](https://rubyonrails.org/) which utilise some legacy plain JavaScript with [JQuery](https://jquery.com/). GoCD itself is used to [build GoCD](https://build.gocd.org).
 
-Here is the guide to setup your [development environment](https://developer.gocd.org/current/).
+Here is the guide to [setup your development environment](https://developer.gocd.org/current/).
 
 ## Contributing
 

SECURITY.md

@@ -8,22 +8,35 @@ Since breaking changes are rare, and generally sign-posted well in advance, we e
 
 Having said this, wherever possible we will try and provide suggested mitigations or workarounds for older versions.
 
-## Reporting a Vulnerability
-
-Please report any issues to https://hackerone.com/gocd according to the listed policy.
-
 ## Baseline
 
-This represents the oldest version which has **no known exploitable vulnerabilities**. Users are strongly recommended to be on at least this version; and preferably the latest version. 
+This represents the oldest versions which have **no known exploitable vulnerabilities** of a given severity, as assessed by GoCD maintainers and/or NIST NVD via CVSS 4.0 or 3.1. Users are strongly recommended to be on at least these versions; and preferably the latest version. 
 
-| Baseline Version |
-| ---------------- |
-| `23.1.0`         |
+| Without known vulns             | Version                                            |
+| ------------------------------- | -------------------------------------------------- |
+| No >= **high** severity vulns   | [`24.5.0`](https://www.gocd.org/releases/#24-5-0)+ |
+| No >= **medium** severity vulns | [`24.5.0`](https://www.gocd.org/releases/#24-5-0)+ |
+| No known vulns of any severity  | [`24.5.0`](https://www.gocd.org/releases/#24-5-0)+ |
 
 Please note that this does *not* mean that there are zero potential vulnerabilities known from GoCD's dependencies
 in this or subsequent versions. However where such vulnerabilities exist, none have been confirmed to be exploitable via GoCD
 itself (without a prior non-GoCD breach).
 
+## Reporting a Vulnerability
+
+Please report any issues to https://hackerone.com/gocd according to the listed policy.
+
+## Disclosure policy
+
+GoCD does not have a formal disclosure policy for vulnerability details, however generally our practice has been
+
+| Severity                     | During fix/patch development     | Upon fix/patched release             | Detailed disclosure / published CVE         |
+| ---------------------------- | -------------------------------- | ------------------------------------ | ------------------------------------------- |
+| >= **high** severity vulns   | Limited _(*)_ or zero disclosure | Limited disclosure with mitigations. | 2-4 weeks after patched version's release.  |
+| <= **medium** severity vulns | Limited _(*)_ disclosure         | More detailed disclosure             | Immediately upon patched version's release. |
+
+_(*)_ - As an open-source project for ease of collaboration fixes _may_ be developed in the open (with somewhat obfuscated PR or commit comments) rather than entirely developed in private.
+
 ## How do I know if I am using a release with known vulnerabilities?
 
 In more recent years, an effort has been made to publish and request CVEs for responsibly disclosed & fixed issues to increase transparency and help users assess risk of running older versions.
@@ -38,11 +51,9 @@ The GoCD team make a concerted effort to keep dependencies up-to-date wherever p
 still have some EOL dependencies with known vulnerabilities that GoCD is not vulnerable to, but which may create noise in scanner reports.
 
 While this is a moving target the GoCD team maintain documented suppressions with commentary via:
-- [OWASP Dependency Check](https://owasp.org/www-project-dependency-check/) - Java & JavaScript dependencies
-  - [current suppressions](https://github.com/gocd/gocd/blob/master/buildSrc/dependency-check-suppress.xml)
-  - [build.gocd.org report off master](https://build.gocd.org/go/files/Security-Checks/latest/test/latest/dependency-check/dependency-check-report.html) (use _Guest_ login)
-- [Bundler Audit](https://github.com/rubysec/bundler-audit) - Ruby/JRuby dependencies
-  - [build.gocd.org report off master](https://build.gocd.org/go/files/Security-Checks/latest/test/latest/bundler-audit/cruise-output/console.log) 
+- [OWASP Dependency Check](https://owasp.org/www-project-dependency-check/) - Java, JavaScript & Ruby/JRuby dependencies
+  - [current suppressions](https://github.com/gocd/gocd/blob/master/build-platform/dependency-check-suppress.xml)
+  - [build.gocd.org report off master](https://build.gocd.org/go/files/Security-Checks/latest/Security-Checks/latest/dependency-check/dependency-check-report.html) (use _Guest_ login)
 - [Trivy](https://trivy.dev/) - built container images (OS and packaged dependencies), especially server
-  - [current suppressions](https://github.com/gocd/gocd/blob/master/buildSrc/.trivyignore)
+  - [current suppressions](https://github.com/gocd/gocd/blob/master/build-platform/.trivyignore.yaml)
   - [build.gocd.org Security-Checks-Containers pipeline](https://build.gocd.org/) (use _Guest_ login)

agent-bootstrapper/build.gradle

@@ -1,5 +1,5 @@
 /*
- * Copyright 2024 Thoughtworks, Inc.
+ * Copyright Thoughtworks, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -28,6 +28,7 @@ dependencies {
   extractedAtTopLevel project(path: ':jar-class-loader')
   testImplementation project.deps.junit5Api
   testRuntimeOnly project.deps.junit5Engine
+  testRuntimeOnly project.deps.junit5PlatformLauncher
 }
 
 jar {

agent-bootstrapper/src/main/java/com/thoughtworks/go/agent/bootstrapper/AgentBootstrapper.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2024 Thoughtworks, Inc.
+ * Copyright Thoughtworks, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

agent-bootstrapper/src/main/java/com/thoughtworks/go/agent/bootstrapper/AgentLauncherCreator.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2024 Thoughtworks, Inc.
+ * Copyright Thoughtworks, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

agent-bootstrapper/src/main/java/com/thoughtworks/go/agent/bootstrapper/DefaultAgentLaunchDescriptorImpl.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2024 Thoughtworks, Inc.
+ * Copyright Thoughtworks, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

agent-bootstrapper/src/main/java/com/thoughtworks/go/agent/bootstrapper/DefaultAgentLauncherCreatorImpl.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2024 Thoughtworks, Inc.
+ * Copyright Thoughtworks, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

agent-bootstrapper/src/main/java/com/thoughtworks/go/agent/bootstrapper/LauncherTempFileHandler.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2024 Thoughtworks, Inc.
+ * Copyright Thoughtworks, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

agent-bootstrapper/src/main/resources/config/agent-bootstrapper-logback.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-  ~ Copyright 2024 Thoughtworks, Inc.
+  ~ Copyright Thoughtworks, Inc.
   ~
   ~ Licensed under the Apache License, Version 2.0 (the "License");
   ~ you may not use this file except in compliance with the License.

agent-bootstrapper/src/test/java/com/thoughtworks/go/agent/bootstrapper/AgentBootstrapperFunctionalTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2024 Thoughtworks, Inc.
+ * Copyright Thoughtworks, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -37,9 +37,7 @@
 import static com.thoughtworks.go.agent.common.util.Downloader.*;
 import static com.thoughtworks.go.agent.testhelper.FakeGoServer.TestResource.TEST_AGENT_LAUNCHER;
 import static java.nio.charset.StandardCharsets.UTF_8;
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.containsString;
-import static org.hamcrest.Matchers.not;
+import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
@@ -91,7 +89,7 @@ void jvmExit(int returnValue) {
                 }
             }.go(false, new AgentBootstrapperArgs().setServerUrl(new URL("http://" + "localhost" + ":" + server.getPort() + "/go")).setRootCertFile(null).setSslVerificationMode(AgentBootstrapperArgs.SslMode.NONE));
             agentJar.delete();
-            assertThat(os.toString(), containsString("Hello World Fellas!"));
+            assertThat(os.toString()).contains("Hello World Fellas!");
         } finally {
             System.setErr(err);
         }
@@ -123,11 +121,11 @@ public void shouldDownloadJarIfTheCurrentOneIsWrong() throws Exception {
             void jvmExit(int returnValue) {
             }
         }.go(false, new AgentBootstrapperArgs().setServerUrl(new URL("http://" + "localhost" + ":" + server.getPort() + "/go")).setRootCertFile(null).setSslVerificationMode(AgentBootstrapperArgs.SslMode.NONE));
-        assertThat(agentJar.length(), not(original));
+        assertThat(agentJar.length()).isNotEqualTo(original);
         agentJar.delete();
     }
 
     private void createRandomFile(File agentJar) throws IOException {
-        FileUtils.writeStringToFile(agentJar, RandomStringUtils.random((int) (Math.random() * 100)), UTF_8);
+        FileUtils.writeStringToFile(agentJar, RandomStringUtils.insecure().next((int) (Math.random() * 100)), UTF_8);
     }
 }

agent-bootstrapper/src/test/java/com/thoughtworks/go/agent/bootstrapper/AgentBootstrapperTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2024 Thoughtworks, Inc.
+ * Copyright Thoughtworks, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -31,9 +31,9 @@
 import java.util.HashMap;
 import java.util.Map;
 import java.util.concurrent.Semaphore;
+import java.util.concurrent.TimeUnit;
 
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.is;
+import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.jupiter.api.Assertions.fail;
 import static org.mockito.ArgumentMatchers.anyInt;
 import static org.mockito.Mockito.doNothing;
@@ -53,14 +53,15 @@ public void tearDown() {
     }
 
     @Test
+    @Timeout(value = 10, unit = TimeUnit.SECONDS)
     public void shouldNotDieWhenCreationOfLauncherRaisesException() throws InterruptedException {
         final Semaphore waitForLauncherCreation = new Semaphore(1);
         waitForLauncherCreation.acquire();
         final boolean[] reLaunchWaitIsCalled = new boolean[1];
         final AgentBootstrapper bootstrapper = new AgentBootstrapper() {
             @Override
             void waitForRelaunchTime() {
-                assertThat(waitTimeBeforeRelaunch, is(0));
+                assertThat(waitTimeBeforeRelaunch).isEqualTo(0);
                 reLaunchWaitIsCalled[0] = true;
                 super.waitForRelaunchTime();
             }
@@ -103,12 +104,12 @@ public void close() {
         } catch (Exception e) {
             fail("should not have propagated exception thrown while creating launcher");
         }
-        assertThat(reLaunchWaitIsCalled[0], is(true));
+        assertThat(reLaunchWaitIsCalled[0]).isTrue();
     }
 
 
     @Test
-    @Timeout(10)
+    @Timeout(value = 10, unit = TimeUnit.SECONDS)
     public void shouldNotRelaunchAgentLauncherWhenItReturnsAnIrrecoverableCode() {
         final boolean[] destroyCalled = new boolean[1];
         final AgentBootstrapper bootstrapper = new AgentBootstrapper(){
@@ -136,10 +137,11 @@ public void close() {
         } catch (Exception e) {
             fail("should not have propagated exception thrown while invoking the launcher");
         }
-        assertThat(destroyCalled[0], is(true));
+        assertThat(destroyCalled[0]).isTrue();
     }
 
     @Test
+    @Timeout(value = 10, unit = TimeUnit.SECONDS)
     public void shouldNotDieWhenInvocationOfLauncherRaisesException_butCreationOfLauncherWentThrough() throws InterruptedException {
         final Semaphore waitForLauncherInvocation = new Semaphore(1);
         waitForLauncherInvocation.acquire();
@@ -187,9 +189,10 @@ public void close() {
     }
 
     @Test
+    @Timeout(value = 1, unit = TimeUnit.SECONDS)
     public void shouldRetainStateAcrossLauncherInvocations() throws Exception {
 
-        final Map expectedContext = new HashMap();
+        final Map<String, String> expectedContext = new HashMap<>();
         AgentBootstrapper agentBootstrapper = new AgentBootstrapper() {
             @Override
             AgentLauncherCreator getLauncherCreator() {
@@ -202,22 +205,19 @@ public AgentLauncher createLauncher() {
                             @Override
                             public int launch(AgentLaunchDescriptor descriptor) {
 
-                                Map descriptorContext = descriptor.context();
+                                Map<String, String> descriptorContext = descriptor.context();
                                 incrementCount(descriptorContext);
-                                incrementCount(expectedContext);
-                                Integer expectedCount = (Integer) expectedContext.get(COUNT);
-                                assertThat(descriptorContext.get(COUNT), is(expectedCount));
+                                int expectedCount = incrementCount(expectedContext);
+                                assertThat(descriptorContext.get(COUNT)).asInt().isEqualTo(expectedCount);
                                 if (expectedCount > 3) {
                                     ((AgentBootstrapper) descriptor.getBootstrapper()).stopLooping();
                                 }
                                 return 0;
                             }
 
-                            private void incrementCount(Map map) {
-                                Integer currentInvocationCount = map.containsKey(COUNT) ? (Integer) map.get(COUNT) : 0;
-                                map.put(COUNT, currentInvocationCount + 1);
+                            private int incrementCount(Map<String, String> map) {
+                                return Integer.parseInt(map.compute(COUNT, (k, v) -> v == null ? "1" : Integer.toString(Integer.parseInt(v) + 1)));
                             }
-
                         };
                     }