fix(deps): update dependency org.jenkins-ci.plugins:junit to v1166 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
org.jenkins-ci.plugins:junit	1.24 -> 1166.1168.vd6b_8042a_06de

GitHub Vulnerability Alerts

CVE-2022-45380

JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links.

This is done in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

JUnit Plugin 1160.vf1f01a_a_ea_b_7f no longer converts URLs to clickable links.

CVE-2022-34176

JUnit Plugin 1119.va_a_5e9068da_d7 and earlier does not escape descriptions of test results.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update permission.

JUnit Plugin 1119.1121.vc43d0fc45561 applies the configured markup formatter to descriptions of test results.

CVE-2023-25761

Jenkins JUnit Plugin 1166.va_436e268e972 and earlier does not escape test case class names in JavaScript expressions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control test case class names in the JUnit resources processed by the plugin.

CVE-2018-1000411

A cross-site request forgery vulnerability exists in Jenkins JUnit Plugin 1.25 and earlier in TestObject.java that allows setting the description of a test result.

---

Release Notes

jenkinsci/junit-plugin (org.jenkins-ci.plugins:junit)

v1166.1168.vd6b_8042a_06de

Compare Source

v1166.va_436e268e972

Compare Source

🚀 New features and improvements

• Add getSuites() method in TestResultImpl (#​464) @​topikachu

✍ Other changes

• Merge back SECURITY-2888 - fix into master (#​458) @​daniel-beck

📦 Dependency updates

• Bump byte-buddy from 1.12.18 to 1.12.19 (#​461) @​dependabot
• Bump bom-2.346.x from 1678.vc1feb_6a_3c0f1 to 1706.vc166d5f429f8 (#​462) @​dependabot
• Bump plugin from 4.50 to 4.51 (#​460) @​dependabot
• Bump plugin from 4.49 to 4.50 (#​457) @​dependabot

v1160.vf1f01a_a_ea_b_7f

Compare Source

v1159.v0b_396e1e07dd

Compare Source

👷 Changes for plugin developers

• Use ionicons-api version provided by bom (#​456) @​NotMyFault

📦 Dependency updates

• Bump plugin from 4.48 to 4.49 (#​452) @​dependabot
• Bump bom-2.346.x from 1643.v1cffef51df73 to 1670.v7f165fc7a_079 (#​454) @​dependabot

v1156.vcf492e95a_a_b_0

Compare Source

📦 Dependency updates

• Bump bom-2.346.x from 1607.va_c1576527071 to 1643.v1cffef51df73 (#​447) @​dependabot
• Bump ionicons-api from 28.va_f3a_84439e5f to 31.v4757b_6987003 (#​448) @​dependabot
• Bump byte-buddy from 1.12.17 to 1.12.18 (#​449) @​dependabot

v1153.v1c24f1a_d2553

Compare Source

🚀 New features and improvements

• JENKINS-69656 - Un-inlining AbstractTestResultAction/summary.jelly for CSP compliance (#​444) @​aneveux
• JENKINS-69657 - Un-inlining floatingBox.jelly for CSP compliance (#​445) @​aneveux

📦 Dependency updates

• Bump plugin from 4.47 to 4.48 (#​443) @​dependabot

v1150.v5c2848328b_60

Compare Source

🚀 New features and improvements

• JENKINS-69658 - Move internal script block in "failed-test.jelly" to external file (#​439) @​Jagrutiti

👻 Maintenance

• Run tests on Java 11 & 17 (#​441) @​NotMyFault
• Switch bootstrap5-api and echarts-api to get versions from bom (#​440) @​timja

📦 Dependency updates

• Bump database from 128.vaa83e142f7f2 to 148.v4a_ff2ca_608b_7 (#​383) @​dependabot
• Bump echarts-api from 5.3.2-3 to 5.3.3-1 (#​400) @​dependabot
• Bump byte-buddy from 1.12.16 to 1.12.17 (#​436) @​dependabot

v1144.v909f4d9978e8

Compare Source

🚀 New features and improvements

• Use ionicons in test result overview (#​438) @​NotMyFault

v1143.1145.v81b_b_9579a_019

Compare Source

v1143.v8d9a_e3355270

Compare Source

🚦 Tests

• Check the card and not the card-body in TestResultPublishingTest (#​435) @​raul-arabaolaza

📦 Dependency updates

• Bump byte-buddy from 1.12.13 to 1.12.16 (#​431) @​dependabot
• Bump github-checks from 1.0.18 to 1.0.19 (#​430) @​dependabot
• Bump plugin from 4.46 to 4.47 (#​429) @​dependabot
• Bump bom-2.332.x from 1577.v63609d9cb_5dc to 1607.va_c1576527071 (#​426) @​dependabot
• Bump bom-2.332.x from 1556.vfc6a_f216e3c6 to 1577.v63609d9cb_5dc (#​422) @​dependabot
• Bump plugin from 4.45 to 4.46 (#​421) @​dependabot
• Bump bootstrap5-api from 5.1.3-6 to 5.2.0-1 (#​420) @​dependabot

v1119.1124.va_a_8ccde5658f

Compare Source

v1119.1122.v750e65d31b_db_

Compare Source

v1119.1121.vc43d0fc45561

Compare Source

v1119.va_a_5e9068da_d7

👻 Automatic releases are now enabled on merge to master

This comes with a new version number format, see https://www.jenkins.io/jep/229

• Enable CD (#​395) @​timja

🚀 New features and improvements

• Allow skipping parsing of old test result files with a configurable option (skipOldReports defaulted to false) (#​384) @​olamy

🐛 Bug fixes

• Do not fail build when checks publishing breaks (#​387) @​jglick

📝 Documentation updates

• Add information about skipMarkingBuildUnstable in README.MD (#​386) @​juris-kreilis

📦 Dependency updates

• Bump bom-2.332.x from 1342.v729ca_3818e88 to 1362.v59f2f3db_80ee (#​382) @​dependabot

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sonarcloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud