Merge branch 'master' into skip-symlink-tests-if-not-supported

Author: MarkEWaite

.github/workflows/announce-lts-rc.yml

@@ -17,7 +17,7 @@ jobs:
           discourse-author-username: jenkins-release-bot
           discourse-category: 23
       - name: Post on mailing list
-        uses: dawidd6/action-send-mail@6e71c855c9a091d80a519621b9fd3e8d252ca40c # v7
+        uses: dawidd6/action-send-mail@afe978662944c6805dd197bac88b27acb0bda55a # v8
         with:
           server_address: smtp.gmail.com
           server_port: 465

ath.sh

@@ -6,7 +6,7 @@ set -o xtrace
 cd "$(dirname "$0")"
 
 # https://github.com/jenkinsci/acceptance-test-harness/releases
-export ATH_VERSION=6528.v0005e222b_5b_c
+export ATH_VERSION=6535.v65db_170d2a_03
 
 if [[ $# -eq 0 ]]; then
 	export JDK=21

cli/pom.xml

@@ -15,7 +15,7 @@
   <url>https://github.com/jenkinsci/jenkins</url>
 
   <properties>
-    <mina-sshd.version>2.16.0</mina-sshd.version>
+    <mina-sshd.version>2.17.1</mina-sshd.version>
     <!-- Filled in by jacoco-maven-plugin -->
     <jacocoSurefireArgs />
   </properties>

core/src/main/java/hudson/Functions.java

@@ -170,6 +170,7 @@
 import jenkins.model.details.Detail;
 import jenkins.model.details.DetailFactory;
 import jenkins.model.details.DetailGroup;
+import jenkins.telemetry.impl.PasswordMasking;
 import jenkins.util.SystemProperties;
 import org.apache.commons.jelly.JellyContext;
 import org.apache.commons.jelly.JellyTagException;
@@ -2256,32 +2257,64 @@ public String getPasswordValue(Object o) {
         if (o instanceof Secret || Secret.BLANK_NONSECRET_PASSWORD_FIELDS_WITHOUT_ITEM_CONFIGURE) {
             if (req != null) {
                 if (NON_RECURSIVE_PASSWORD_MASKING_PERMISSION_CHECK) {
+                    List<Ancestor> ancestors = req.getAncestors();
+                    String closestAncestor = ancestors.isEmpty() ? "unknown" :
+                        ancestors.getLast().getObject().getClass().getName();
+
                     Item item = req.findAncestorObject(Item.class);
                     if (item != null && !item.hasPermission(Item.CONFIGURE)) {
+                        PasswordMasking.recordMasking(
+                            item.getClass().getName(),
+                            closestAncestor,
+                            getJellyViewsInformationForCurrentRequest()
+                        );
                         return "********";
                     }
                     Computer computer = req.findAncestorObject(Computer.class);
                     if (computer != null && !computer.hasPermission(Computer.CONFIGURE)) {
+                        PasswordMasking.recordMasking(
+                            computer.getClass().getName(),
+                            closestAncestor,
+                            getJellyViewsInformationForCurrentRequest()
+                        );
                         return "********";
                     }
                 } else {
                     List<Ancestor> ancestors = req.getAncestors();
+                    String closestAncestor = ancestors.isEmpty() ? "unknown" :
+                        ancestors.getLast().getObject().getClass().getName();
+
                     for (Ancestor ancestor : Iterators.reverse(ancestors)) {
                         Object type = ancestor.getObject();
                         if (type instanceof Item item) {
                             if (!item.hasPermission(Item.CONFIGURE)) {
+                                PasswordMasking.recordMasking(
+                                    item.getClass().getName(),
+                                    closestAncestor,
+                                    getJellyViewsInformationForCurrentRequest()
+                                );
                                 return "********";
                             }
                             break;
                         }
                         if (type instanceof Computer computer) {
                             if (!computer.hasPermission(Computer.CONFIGURE)) {
+                                PasswordMasking.recordMasking(
+                                    computer.getClass().getName(),
+                                    closestAncestor,
+                                    getJellyViewsInformationForCurrentRequest()
+                                );
                                 return "********";
                             }
                             break;
                         }
                         if (type instanceof View view) {
                             if (!view.hasPermission(View.CONFIGURE)) {
+                                PasswordMasking.recordMasking(
+                                    view.getClass().getName(),
+                                    closestAncestor,
+                                    getJellyViewsInformationForCurrentRequest()
+                                );
                                 return "********";
                             }
                             break;

core/src/main/java/jenkins/telemetry/impl/PasswordMasking.java

@@ -0,0 +1,110 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2026, CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package jenkins.telemetry.impl;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.Extension;
+import java.time.LocalDate;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.atomic.AtomicLong;
+import jenkins.telemetry.Telemetry;
+import net.sf.json.JSONArray;
+import net.sf.json.JSONObject;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+
+/**
+ * Telemetry implementation gathering information about password field masking.
+ */
+@Extension
+@Restricted(NoExternalUse.class)
+public class PasswordMasking extends Telemetry {
+
+    private static final Map<String, AtomicLong> maskingCounts = new ConcurrentHashMap<>();
+
+    /**
+     * Records when password masking occurs.
+     *
+     * @param className the class name of the object
+     * @param closestAncestor the closest ancestor class name
+     * @param jellyView the Jelly view where masking occurred
+     */
+    public static void recordMasking(String className, String closestAncestor, String jellyView) {
+        if (Telemetry.isDisabled()) {
+            return;
+        }
+
+        String key = className + "|" + closestAncestor + "|" + jellyView;
+        maskingCounts.computeIfAbsent(key, k -> new AtomicLong(0)).incrementAndGet();
+    }
+
+    @NonNull
+    @Override
+    public String getDisplayName() {
+        return "Password field masking";
+    }
+
+    @NonNull
+    @Override
+    public LocalDate getStart() {
+        return LocalDate.of(2026, 1, 26);
+    }
+
+    @NonNull
+    @Override
+    public LocalDate getEnd() {
+        return LocalDate.of(2026, 7, 26);
+    }
+
+    @Override
+    public JSONObject createContent() {
+        JSONArray events = new JSONArray();
+        for (Map.Entry<String, AtomicLong> entry : maskingCounts.entrySet()) {
+            String[] parts = entry.getKey().split("\\|", 3);
+            if (parts.length == 3) {
+                String className = parts[0];
+                String closestAncestor = parts[1];
+                String jellyView = parts[2];
+                long count = entry.getValue().longValue();
+
+                JSONObject event = new JSONObject();
+                event.put("className", className);
+                event.put("closestAncestor", closestAncestor);
+                event.put("jellyView", jellyView);
+                event.put("count", count);
+                events.add(event);
+            }
+        }
+
+        maskingCounts.clear();
+
+        JSONObject payload = new JSONObject();
+        payload.put("components", buildComponentInformation());
+        payload.put("masking", events);
+
+        return payload;
+    }
+}

core/src/main/resources/hudson/PluginWrapper/index.jelly

@@ -0,0 +1,29 @@
+<!--
+The MIT License
+
+Copyright (c) 2026 Somil Jain
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+-->
+
+<?jelly escape-by-default='true'?>
+<j:jelly xmlns:j="jelly:core"
+         xmlns:st="jelly:stapler">
+    <st:redirect url="thirdPartyLicenses"/>
+</j:jelly>

core/src/main/resources/jenkins/security/csp/impl/CspRecommendation/index.jelly

@@ -38,7 +38,7 @@ THE SOFTWARE.
             <form method="post" action="${rootURL}/${it.url}/act" name="${it.id}">
                 <div>
                     <f:bottomButtonBar>
-                        <f:submit name="setup" value="${%Set up now}"/>
+                        <f:submit name="setup" value="${%Go to configuration}"/>
                         <f:submit primary="false" name="defer" value="${%Cancel}"/>
                     </f:bottomButtonBar>
                 </div>

core/src/main/resources/jenkins/telemetry/impl/PasswordMasking/description.jelly

@@ -0,0 +1,16 @@
+<?jelly escape-by-default='true'?>
+<j:jelly xmlns:j="jelly:core">
+    This trial collects detailed information about password field masking when users lack Configure permission on Items, Computers, or Views:
+    <ul>
+        <li>The class name</li>
+        <li>The closest ancestor class name</li>
+        <li>The Jelly view hierarchy where masking occurred</li>
+        <li>The frequency of each combination</li>
+    </ul>
+    <p>
+        This masking behavior is a fallback that should normally be rare, as views rendering content for users without Configure permission should use read-only mode instead.
+    </p>
+    <p>
+        Additionally, this trial collects the list of installed plugins, their version, and the version of Jenkins.
+    </p>
+</j:jelly>

core/src/main/resources/lib/layout/keyboard-shortcut.jelly

@@ -53,7 +53,7 @@ THE SOFTWARE.
           </j:choose>
         </div>
       </j:set>
-      <j:out value="${h.formatMessage(message, h.translateModifierKeysForUsersPlatform(body))}"/>
+      <j:out value="${h.formatMessage(attrs.message, h.translateModifierKeysForUsersPlatform(body))}"/>
     </div>
   </j:set>
 

package.json

@@ -24,28 +24,28 @@
   },
   "devDependencies": {
     "@babel/cli": "7.28.6",
-    "@babel/core": "7.28.6",
-    "@babel/preset-env": "7.28.6",
+    "@babel/core": "7.29.0",
+    "@babel/preset-env": "7.29.0",
     "@eslint/js": "9.39.2",
     "babel-loader": "10.0.0",
     "clean-webpack-plugin": "4.0.0",
-    "css-loader": "7.1.2",
+    "css-loader": "7.1.3",
     "css-minimizer-webpack-plugin": "7.0.4",
     "eslint": "9.39.2",
     "eslint-config-prettier": "10.1.8",
     "eslint-formatter-checkstyle": "9.0.1",
-    "globals": "17.0.0",
+    "globals": "17.3.0",
     "handlebars-loader": "1.7.3",
     "mini-css-extract-plugin": "2.10.0",
     "postcss": "8.5.6",
     "postcss-loader": "8.2.0",
-    "postcss-preset-env": "11.1.1",
+    "postcss-preset-env": "11.1.2",
     "postcss-scss": "4.0.9",
     "prettier": "3.8.1",
-    "sass": "1.97.2",
+    "sass": "1.97.3",
     "sass-loader": "16.0.6",
     "style-loader": "4.0.0",
-    "stylelint": "17.0.0",
+    "stylelint": "17.1.0",
     "stylelint-checkstyle-reporter": "1.1.1",
     "stylelint-config-standard-scss": "17.0.0",
     "webpack": "5.104.1",