Releases: jenkinsci/sysdig-secure-plugin
sysdig-secure-3.0.1
What's Changed
- chore(deps): bump io.jenkins.tools.bom:bom-2.440.x from 3413.v0d896b_76a_30d to 3435.v238d66a_043fb_ by @dependabot in #109
- fix: correct execution within remote k8s workers by @tembleking in #112
Full Changelog: sysdig-secure-3.0.0...sysdig-secure-3.0.1
sysdig-secure-3.0.0
We're excited to announce the new version of the Sysdig Jenkins Plugin for vulnerability scanning and compliance.
This release focuses on enhancing stability, security, and adopting a modular architecture. We've upgraded Infrastructure as Code (IaC) scanning and removed the old scanning engine to simplify the code, making it easier to maintain and improve.
🚨 Breaking Changes
- Legacy Scanning Engine Removal: The old scanning engine has been removed. You must update your pipeline steps to use the new scanning engine. For more details, check the configuration documentation here: Jenkins Integration Documentation.
- Reconfiguration Required: The plugin's configuration structure has changed, which means existing settings won't be compatible anymore. You will need to reconfigure the plugin, updating critical settings like the URL and API token. Please refer to the linked documentation for detailed steps.
  - Note: Pipeline workflows remain unaffected since they are defined as code. Their global configuration is still affected, though.
✨ Major Changes
- Removed Docker Dependency: With the removal of the old scanning engine, Docker is no longer required 🎉. The plugin is now compatible with all container engines supported by the CLI scanner.
- Pinned Scanner Version: The scanner version is now pinned to the latest tested version included in the plugin, rather than using a rolling "latest" version. This improves stability and prevents unexpected issues.
- IaC Scanning Improvements:
  - The IaC scanner now uses the Jenkins credential store for Secure API Token management, replacing the previous textbox input. This change makes managing credentials more secure, centralized, and easier to maintain.
  - Proxy settings for IaC scanning have been unified with those used for VM scanning, ensuring consistent behavior. If you've already set up proxy settings for VM scanning, the IaC scanner will automatically respect those settings.
  - IaC scanning results are now available in real time, instead of waiting for the entire process to finish.
🛠️ Enhancements
- Bugfix for Multiple VM Image Scanning Steps: Previously, if you added multiple VM image scanning steps in the same job, the plugin displayed two buttons linking to the same report, which was always the latest one. Now, each button correctly points to its own report, showing vulnerabilities for each specific image.
- Logging Improvements: Logs are now streamed directly from the CLI scanner to Jenkins, eliminating the need for temporary storage and providing faster, real-time feedback.
⚙️ Internal Changes (For Developers)
- Master-Worker E2E Testing: Added simpler end-to-end (e2e) tests to ensure the plugin operates correctly in a master-worker setup, improving reliability during remote worker execution.
- Hexagonal Architecture ⬢: The codebase has been restructured to follow a hexagonal architecture, making the code more modular and easier to maintain, which will simplify future updates.
- Modernized Plugin Code: The plugin's code has been updated to comply with the latest Jenkins plugin standards, making future maintenance and enhancements more efficient.
- Scanner Invocation Refactor: The way scanner commands are constructed has been improved. We replaced the old, error-prone method with a process builder to ensure that scanner options are consistently applied, regardless of the order in which they are set.
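To illustrate why the process-builder approach is more robust than assembling a command string, here is an added example written for these notes; it is not the plugin's own code, and the `scanner` binary name, the option names (`api-url`, `policy`) and the image reference are constructed for the illustration, not the real CLI flags. Options are collected in a sorted map, so the resulting argument list is the same whichever order the caller sets them in, and each token reaches the scanner as its own argv element with no shell interpretation in between.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

/**
 * Hypothetical illustration (not the sysdig-secure-plugin's code) of building a
 * scanner invocation as an argument list for ProcessBuilder instead of as one
 * whitespace-separated string.
 */
public class ScannerCommandExample {

    // Option names and values here are constructed for the example only.
    // TreeMap keeps keys sorted, so the emitted order does not depend on call order,
    // and a repeated option simply overwrites the earlier value.
    private final Map<String, String> options = new TreeMap<>();
    private final List<String> positional = new ArrayList<>();

    ScannerCommandExample withOption(String name, String value) {
        options.put(name, value);
        return this;
    }

    ScannerCommandExample withTarget(String imageRef) {
        positional.add(imageRef);
        return this;
    }

    /** Fragile form: a single string that a shell would re-split on whitespace. */
    String asShellString() {
        StringBuilder sb = new StringBuilder("scanner");
        options.forEach((k, v) -> sb.append(" --").append(k).append('=').append(v));
        positional.forEach(p -> sb.append(' ').append(p));
        return sb.toString();
    }

    /** Robust form: one argv element per token; values containing spaces stay intact. */
    List<String> asArgv() {
        List<String> argv = new ArrayList<>();
        argv.add("scanner");
        options.forEach((k, v) -> argv.add("--" + k + "=" + v));
        argv.addAll(positional);
        return Collections.unmodifiableList(argv);
    }

    /** Launches the scanner directly (no shell) with stderr merged into stdout for streaming. */
    Process start() throws IOException {
        return new ProcessBuilder(asArgv())
                .redirectErrorStream(true)
                .start();
    }

    public static void main(String[] args) {
        ScannerCommandExample cmd = new ScannerCommandExample()
                .withTarget("registry.example/app:1.0")          // constructed image reference
                .withOption("policy", "my policy")              // a value containing a space
                .withOption("api-url", "https://secure.example") // set after "policy" on purpose
                .withOption("api-url", "https://secure.example"); // repeated option, harmless

        // The string form would let a shell split "my policy" into two tokens;
        // the argv form keeps it as one element and orders options deterministically.
        System.out.println("string: " + cmd.asShellString());
        System.out.println("argv:   " + cmd.asArgv());
    }
}
```

The design point is that the builder owns the mapping from configuration to tokens: callers cannot produce a differently shaped command by setting options in another order, and a value that contains spaces or shell metacharacters is passed through unchanged because no shell is involved.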
What's Changed
- chore(deps): bump org.jenkins-ci.plugins:plugin from 4.87 to 4.88 by @dependabot in #104
- chore: update bom dependency to 3413.v0d896b_76a_30d by @tembleking in #106
- refactor!: remove legacy scanner and improve the codebase by @tembleking in #107
Full Changelog: sysdig-secure-2.3.5...sysdig-secure-3.0.0
sysdig-secure-2.3.5
What's Changed
- fix(reporting): add missing libraries no included anymore with jenkins by @tembleking in #103
Full Changelog: sysdig-secure-2.3.4...sysdig-secure-2.3.5
sysdig-secure-2.3.4
🚨 Compatibility Changes: Minimum Java and Jenkins Versions Increased 🚨
🚀 New Features & Enhancements
- 🔄 Automated Dependency Updates: Introduced automated dependency updates using Dependabot, ensuring that dependencies stay current and secure.
- 🛡️ Security Scan Added: Implemented a security scan to verify the plugin’s security and protect against potential vulnerabilities.
- 📈 Expanded Java Support: The plugin now supports Java 11, 17, and 21. Java 8 support has been dropped.
- 🌐 JDK Flexibility: The plugin no longer requires GraalVM 8 for development. It now supports any JDK from Java 11+, with Temurin JDK 17 configured as the recommended development environment, in line with Jenkins' guidance.
- 🔧 CI Testing for All Java Versions: Enforced continuous integration (CI) and testing across the three supported Java versions: 11, 17, and 21.
- 📦 BOM Plugin Usage: The plugin now uses the BOM plugin to automatically manage dependency versions, simplifying dependency management and preventing conflicts.
⚠️ Compatibility Notice
- 🔼 Java and Jenkins Version Requirements Raised: While the minimum supported Java version has been raised to 11+ and Jenkins to version 2.440.3 LTS, this is not considered a breaking change. If your Jenkins instance does not meet these requirements, the newer plugin version will simply not be installed. Users with older versions of Jenkins will need to upgrade their Jenkins environment to receive plugin updates.
- 📅 Upcoming Breaking Change: We are working on removing legacy scanner support from the Jenkins plugin in a future release. This will be a breaking change for customers still using the legacy scanner. If you rely on the legacy scanner, we advise you to pin to the previous version of the plugin once the change is made.
  It is not yet decided whether a dedicated support branch for the legacy scanner will be created, as most customers have already migrated to the new scanner.
🛠️ Fixes & Improvements
- 🔨 IaC Scanner Bug Fix: Fixed a bug in the Infrastructure as Code (IaC) scanner that prevented it from executing due to outdated serialization methods. The issue was caused by the use of insecure serialization that Jenkins no longer supports.
- 📜 Parent POM Update: The parent POM has been upgraded from version 3.57 to 4.87 to keep pace with the latest Jenkins project development.
⚠️ Jenkins Version Support: The plugin now requires Jenkins version 2.440.3 LTS, replacing the previous minimum version of 2.150.1. While this version is no longer receiving security updates, most of our customers are already using it. Users with older Jenkins versions will need to upgrade to remain compatible.
🔒 Security Vulnerabilities Resolved
A major security overhaul was completed in this release, resolving 48 vulnerabilities:
- 6 Critical (10/10 severity)
- 2 Critical (9.8/10 severity)
- 26 High
- 13 Moderate
- 1 Low
What's Changed
- build: add nix flake to be able to compile with old graalvm by @tembleking in #99
- build: modernize jenkins plugin jdk to 17 by @tembleking in #100
- Enable Jenkins Security Scan by @strangelookingnerd in #92
- ci: add codeowners file for automatic review request by @tembleking in #102
- build: cleanup dependencies by @tembleking in #101
New Contributors
- @strangelookingnerd made their first contribution in #92
Full Changelog: sysdig-secure-2.3.3...sysdig-secure-2.3.4
sysdig-secure-2.3.3
What's Changed
- feat: iac cli scan builder by @lior-alafi-work in #97
- fix: step-fix some messages by @lior-alafi-work in #98
New Contributors
- @lior-alafi-work made their first contribution in #97
Full Changelog: sysdig-secure-2.3.2...sysdig-secure-2.3.3
sysdig-secure-2.3.2
sysdig-secure-2.3.1
This release includes the changes from the following PRs:
- #84 fix: ensure that all the logs from embedded scanner have been written to file for proper retrieval by the trailer
- #86 fix: increase the waiting time before stopping the logs trailer to 2s
- #87 fix: ensure proper management of vuln-list inside result json
- #88 feat: bump embedded scanner to 1.9.2
- #89 fix: use imageTag (if available) when all policies evaluation pass
sysdig-secure-2.3.0
Bump of the internal cli-scanner to version 1.5.0, adding the following capabilities:
- Support to apply image-based accepts for the following:
  - All the versions of an image
  - Images in a specific registry and repository
  - Images that contain wildcards for a customized subset of the environment
- Vendor paths' inspection during analysis
- Display of results in the VM Overview Page (Dashboards)
sysdig-secure-2.2.9
- Bump of the internal cli-scanner to 1.3.6
- Addition of a new parameter (Custom Version at the global config level in the UI, customCliVersion at job level) to have the possibility to specify and use a specific version of the scanner instead of the default one
sysdig-secure-2.2.8
What's Changed
- Updates sysdig scanner to the latest available version (1.3.4) to fix a bug on non-OS vulnerabilities matching