Open Source

Calling for Colombian Jenkins users!

The Jenkins project has learned that a company is trying to register "Jenkins" as a trademark in Colombia. This is alarming for us, and we are trying to oppose it. In order to do this effectively, we need to hear from Colombian users of Jenkins. The Jenkins project owns a trademark "Jenkins" in the U.S., through a non-profit entity SPI Inc. According to experts on the subject citing the "Washington Convention", our trademark registration in the U.S. does give us some strength in the argument to oppose this. To successfully mount this argument however, we need to be able to show...
Categories: Open Source

Important security updates for Jenkins core

We just released security updates to Jenkins, versions 2.57 and 2.46.2, that fix several security vulnerabilities, including a critical one. That critical vulnerability is an unauthenticated remote code execution via the remoting-based CLI. When I announced the fix for the previous vulnerability of this kind, I announced our plans to revisit the design of the CLI that enabled this class of vulnerabilities. Since Jenkins 2.54, we now have a new CLI implementation that isn’t based on remoting, and deprecated its remoting mode. Despite it being a major feature, we decided to backport it to 2.46.2, so LTS users can also disable the unsafe remoting...
Categories: Open Source

Securing a Jenkins instance on Azure

This is a guest post by Claudiu Guiman and Eric Jizba, Software Engineers in the Azure DevOps team at Microsoft. If you have any questions, please email us at One of the most frequently asked questions for managing a Jenkins instance is "How do I make it secure?" Like any other web application, these issues must be solved: How do I securely pass secrets between the browser and the server? How do I hide certain parts from unauthorized users and show other parts to anonymous users? This blog post details how to securely connect to a Jenkins instance and how to set up a read-only public dashboard. ...
Categories: Open Source

Breaking the SonarQube Analysis with Jenkins Pipelines

Sonar - Wed, 04/19/2017 - 15:14

One of the most requested features for SonarQube Scanners is the ability to fail the build when the quality level is not at the expected level. We have the built-in concept of a quality gate in SonarQube, and we used to have a BuildBreaker plugin for this exact use case. But starting from version 5.2, aggregation of metrics is done asynchronously on the SonarQube server side. This means the build/scanner process finishes successfully just after publishing raw data to the SonarQube server, without waiting for the aggregation to complete.

Some people tried to resurrect the BuildBreaker feature by implementing active polling at the end of the scanner execution. We never supported this solution, since it defeats one of the benefits of having asynchronous aggregation on the SonarQube server side. Indeed, it means your CI executors/agents will be occupied “just” for a wait.

The cleanest pattern to achieve this is to release the CI executor, and have the SonarQube server send a notification when aggregation is completed. The CI job would then be resumed, and take the appropriate actions (not only mark the job as failed, but it could also send email notifications, for example).

All of this is now possible, thanks to the webhook feature introduced in SonarQube 6.2. We are also taking advantage of the Jenkins pipeline feature, which allows some parts of a job's logic to be executed without occupying an executor.

Let’s see it in action.

First, you need SonarQube server 6.2+. In your Jenkins instance, install the latest version of the SonarQube Scanner for Jenkins (2.6.1+). You should of course configure the credentials to connect to the SonarQube server in the Jenkins administration section.

In your SonarQube server administration page, add a webhook entry:

https://<your Jenkins instance>/sonarqube-webhook/

Now you can configure a pipeline job using the two SonarQube keywords ‘withSonarQubeEnv’ and ‘waitForQualityGate’.

The first one should wrap the execution of the scanner (that will occupy an executor) and the second one will ‘pause’ the pipeline in a very light way, waiting for the webhook payload.

node {
  stage('SCM') {
    git '' // repository URL is blank in the source; set it to your project's repository
  }
  stage('build & SonarQube Scan') {
    withSonarQubeEnv('My SonarQube Server') {
      sh 'mvn clean package sonar:sonar'
    } // SonarQube taskId is automatically attached to the pipeline context
  }
}

// No need to occupy a node
stage("Quality Gate") {
  timeout(time: 1, unit: 'HOURS') { // Just in case something goes wrong, pipeline will be killed after a timeout
    def qg = waitForQualityGate() // Reuse taskId previously collected by withSonarQubeEnv
    if (qg.status != 'OK') {
      error "Pipeline aborted due to quality gate failure: ${qg.status}"
    }
  }
}
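
The wait described above, modelled as a small simulation (an added example, not SonarQube or Jenkins code): paused pipelines are tracked by taskId, a webhook body resolves at most one of them, and anything other than an 'OK' gate status, including a timeout or a malformed payload, leaves the build failed. The class and method names are hypothetical; the payload fields `taskId` and `qualityGate.status` follow SonarQube's webhook payload, and the sample bodies are constructed.

```python
import json
import time


class QualityGateWaiter:
    """Tracks paused pipelines by SonarQube taskId without holding an executor."""

    def __init__(self, timeout_s, clock=time.monotonic):
        self.timeout_s = timeout_s
        self.clock = clock
        self.deadline = {}  # taskId -> time after which the wait is abandoned
        self.status = {}    # taskId -> quality gate status reported by the webhook

    def register(self, task_id):
        """Scan step finished: remember the taskId, then release the executor."""
        self.deadline[task_id] = self.clock() + self.timeout_s

    def on_webhook(self, body):
        """Handle one webhook POST body. True if it resolved a waiting pipeline."""
        try:
            payload = json.loads(body)
            task_id = payload["taskId"]
            gate = payload.get("qualityGate") or {}
            reported = str(gate.get("status", "NONE"))
        except (ValueError, KeyError, TypeError, AttributeError):
            return False  # malformed payload: nothing is resolved
        if not isinstance(task_id, str) or task_id not in self.deadline:
            return False  # taskId this instance never registered
        if task_id in self.status or self.clock() > self.deadline[task_id]:
            return False  # duplicate, or arrived after the timeout
        self.status[task_id] = reported
        return True

    def wait_result(self, task_id):
        if task_id in self.status:
            return self.status[task_id]
        if task_id not in self.deadline:
            return "UNKNOWN"
        return "TIMEOUT" if self.clock() > self.deadline[task_id] else "PENDING"

    def passes(self, task_id):
        """Fail closed: only an explicit 'OK' lets the pipeline continue."""
        return self.wait_result(task_id) == "OK"


def demo():
    now = [0.0]  # fake clock so the one-hour timeout can be simulated
    w = QualityGateWaiter(timeout_s=3600, clock=lambda: now[0])
    tasks = ("AV-task-1", "AV-task-2", "AV-task-3")  # constructed taskIds
    for t in tasks:
        w.register(t)
    ok = {"taskId": "AV-task-1", "status": "SUCCESS", "qualityGate": {"status": "OK"}}
    bad = {"taskId": "AV-task-2", "status": "SUCCESS", "qualityGate": {"status": "ERROR"}}
    w.on_webhook(json.dumps(ok))
    w.on_webhook(json.dumps(bad))
    w.on_webhook(json.dumps({"taskId": "not-ours", "qualityGate": {"status": "OK"}}))
    w.on_webhook("{not json")
    now[0] = 3601.0  # the timeout passes before AV-task-3 is reported
    w.on_webhook(json.dumps({"taskId": "AV-task-3", "qualityGate": {"status": "OK"}}))
    return {t: (w.wait_result(t), w.passes(t)) for t in tasks}


if __name__ == "__main__":
    for task, outcome in demo().items():
        print(task, outcome)
```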

Here you are:

That’s all Folks!

Categories: Open Source

Delivery Pipelines, with Jenkins 2, SonarQube, and Artifactory

This is a guest post by Michael Hüttermann. Michael is an expert in Continuous Delivery, DevOps and SCM/ALM. More information about him at, or follow him on Twitter: @huettermann. Continuous Delivery and DevOps are well known and widely spread practices nowadays. It is commonly accepted that it is crucial to form great teams and define shared goals first and then choose and integrate the tools fitting best to given tasks. Often it is a mashup of lightweight tools, which are integrated to build up Continuous Delivery pipelines and underpin DevOps initiatives. In this blog post, we zoom in to an important part of the overall...
Categories: Open Source

SonarQube 6.3 in Screenshots

Sonar - Wed, 04/12/2017 - 16:55

The SonarSource team is proud to announce the release of SonarQube 6.3, which brings both interface and analysis improvements.

  • Project “Activity” page
  • More languages on board by default
  • Global search improvements
  • Backdating issues raised by new rules on old code
  • The return of UI extension points

Project “Activity” page

This version introduces an Activity page at the project level. It replaces the History page found in previous versions, but unlike the History page, Activity can be seen by all users with project permissions, not just admins.

The activity list starts on the project home page, replacing the Events list:

On the project home page, only the most recent analyses are shown, but click through on “Show More” or the new “Activity” menu item, and you land at the full list:

Admins will find here the full list of editing options they’re used to, and users will be able to see the list of analyses on file for a project for the first time!

More languages on board by default

SonarQube 6.3 now embeds the latest versions of most SonarSource code analyzers: SonarC#, SonarFlex, SonarJava, SonarJS, SonarPHP, and SonarPython. That means less setup work on new installations and on upgrades:

Global search improvements

6.3 also brings several improvements to global search. First, it’s now backed by Elasticsearch, so it’s fast. Making that switch allowed us to improve not just speed but the results as well. Now you can search by multiple terms, and your results will be ordered by relevance:

Backdating issues raised by new rules on old code

If you’re living by the Leak Period you know the pain of adding new rules to your quality profile: suddenly code you haven’t touched in months or even years has “new” issues – valid issues you need to silence somehow, either by marking them Won’t Fix, or by editing code you previously had no plan to touch. Because we dogfood new rules at SonarSource we felt this pain acutely.

Well, help is here. Starting with 6.3, SonarQube backdates issues raised by newly activated rules on old code to the line’s last commit date. No longer will you be forced to excavate old code to clean up a specious leak. Instead, you can activate new rules with abandon, knowing that the only issues that show up in the leak period will be the ones that actually belong there.

The return of UI extension points

6.3 is the first version to reach the target architecture of a UI written completely in JavaScript. As a consequence, we’ve been able to re-introduce the ability to extend the UI at both the global and project levels. The docs give the details on how to go about that.

That’s all, folks!

It’s time now to download the new version and try it out. But don’t forget to read the installation or upgrade guide.

Categories: Open Source

Getting Started with the Blue Ocean Dashboard

This is a guest post by Liam Newman, Technical Evangelist at CloudBees. Blue Ocean is a new user experience for Jenkins, and version 1.0 is now live! Blue Ocean makes Jenkins, and continuous delivery, approachable to all team members. In my previous post, I used the Blue Ocean Activity View to track the state of branches and Pull Requests in one project. In this video, I’ll use the Blue Ocean Dashboard to get a personalized view of the areas of my project that are most important to me, and also to monitor multiple projects. Please Enjoy!...
Categories: Open Source

Jenkins World 2017 Agenda is Live!

This is a guest post by Alyssa Tong, who runs the Jenkins Area Meetup program and is also responsible for Marketing & Community Programs at CloudBees, Inc. I am excited to announce the agenda for Jenkins World 2017. This year’s event promises to have something for everyone - whether you are a novice, intermediate, or advanced user…​you are covered. Jenkins World 2017 consists of 6 tracks, 60+ Jenkins and DevOps sessions, 40+ industry speakers, 16+ training and workshops. Here is a sneak peek at Jenkins World 2017: Show 'n Tell It’s all about that demo. These sessions are technically advanced with some code sharing, heavy on demos and just a...
Categories: Open Source

Getting Started with Blue Ocean's Activity View

This is a guest post by Liam Newman, Technical Evangelist at CloudBees. Blue Ocean is a new user experience for Jenkins, and version 1.0 is now live! Blue Ocean makes Jenkins, and continuous delivery, approachable to all team members. In my previous post, I showed how easy it is to create and edit Declarative Pipelines using the Blue Ocean Visual Pipeline Editor. In this video, I’ll use the Blue Ocean Activity View to track the state of branches and Pull Requests in one project. Blue Ocean makes it so much easier to find the logs I need to triage failures. Please Enjoy! In my next video, I’ll switch from looking at...
Categories: Open Source

New, safer CLI in 2.54

In response to the zero-day vulnerability we fixed in November, I wrote the following: Moving forward, the Jenkins security team is revisiting the design of the Jenkins CLI over the coming weeks to prevent this class of vulnerability in the future. If you are interested in participating in that discussion, please join in on the jenkinsci-dev@ mailing list. In early February, several project contributors met after FOSDEM for a one day hackathon. I looked into the feasibility of a purely SSH-based CLI. While I considered the experiment to be a success, it was far from ready to be used in a production environment. A few weeks...
Categories: Open Source

Starting with 2.54, Jenkins now requires Java 8

We announced in January that Jenkins would be upgrading its Java runtime dependency to Java 8 this year. After a sizable amount of preparation, this week’s release of Jenkins 2.54 is the first weekly release to require a Java 8 runtime. For users of the weekly release, this means that Jenkins 2.54 must have a Java 8 runtime installed on the system in order to run. Those using the jenkinsci/jenkins:latest Docker container won’t need to take any action, as the Java runtime environment is already bundled in the container. In addition to upgrading the Java Runtime Environment for the master, any connected agents must upgrade to a Java 8 runtime environment. The Long-Term...
Categories: Open Source

Important Scripting-related Security Advisory

These are not security fixes you can apply blindly. We strongly recommend you read this post, as well as the security advisory, to understand what the vulnerabilities are, whether and how they affect you, and what to expect when upgrading plugins. Multiple Jenkins plugins received updates today that fix several security vulnerabilities or other security-related issues: Email Extension (Email-ext), Environment Injector (EnvInject), Extensible Choice Parameter, Groovy, Job DSL, Lockable Resources, Matrix Authorization, Role Strategy, Warnings. We also included some plugins that received security fixes in the past that haven’t been mentioned in a security advisory before: Active Choices (uno-choice), Extended Choice Parameter, Groovy Postbuild, Groovy Label Assignment. Additionally, we included other plugins in the advisory that...
Categories: Open Source

Getting Started with Blue Ocean's Visual Pipeline Editor

This is a guest post by Liam Newman, Technical Evangelist at CloudBees. Blue Ocean is a new user experience for Jenkins, and version 1.0 is now live! Blue Ocean makes Jenkins, and continuous delivery, approachable to all team members. In my previous post, I explained how to install Blue Ocean on your local Jenkins instance and switch to using Blue Ocean. As promised, here’s a screencast that picks up where that post left off. Starting from a clean Jenkins install, the video below will guide you through creating and running your first Pipeline in Blue Ocean with the Visual Pipeline Editor. Please Enjoy! In my next video, I’ll go over...
Categories: Open Source

Getting Started with Blue Ocean

This is a guest post by Liam Newman, Technical Evangelist at CloudBees. Welcome to Blue Ocean 1.0! In case you’ve been heads down on other projects for the past 10 months, Blue Ocean is a new user experience for Jenkins, and version 1.0 was released today! Blue Ocean makes Jenkins, and continuous delivery, approachable to all team members. I’ve been working with it for the past several months, and I can tell you it is amazing. I wish all the interactions with Jenkins were as easy as this: 10 minutes to Blue Ocean Blue Ocean is simple to install and will work on basically any Jenkins 2 instance (version 2.7 or...
Categories: Open Source

Say hello to Blue Ocean 1.0

Back in May 2016 we announced our intent to rethink the Jenkins User experience with the Blue Ocean project and today the Jenkins project are pleased to announce the general availability of Blue Ocean 1.0. Blue Ocean is an entirely new, modern and fun way for developers to use Jenkins that has been built from the ground up to help teams of any size approach Continuous Delivery. Easily installed as a plugin for Jenkins and integrated with Jenkins Pipeline, it is available from today for production use. Since the start of the beta at Jenkins World 2016 in September there are now over 7400+ installations making use of Blue...
Categories: Open Source

SonarCfamily For C/C++ Now Plays With The Big Kids

Sonar - Tue, 03/28/2017 - 14:20

Version 4.6 of our SonarCfamily for C/C++ has just been released with a shiny new Buffer Overflow detection mechanism. To get an idea of what bugs we can now spot and why you should read this post, I’ll start with a bug found in the Linux kernel:

We started developing SonarCfamily 4 years ago. It has been tough, and we faced many challenges, but we are finally seeing the result of the huge effort we have invested in it. In the last 12 months, thanks to previous work on accurate semantic analysis and analyzer configuration (thanks to build-wrapper), we were able to start working on a new advanced data flow engine, and deliver many cool rules:

  • S3519 – Memory access should be explicitly bounded to prevent buffer overflows
  • S2259 – Null pointers should not be dereferenced
  • S2583 – Conditions should not unconditionally evaluate to “TRUE” or to “FALSE”
  • S3518 – Zero should not be a possible denominator
  • S836 – Variables should be initialized before use
  • S2095 – Resources should be closed
  • S3588 – Closed resources should not be accessed
  • S3584 – Dynamically allocated memory should be released
  • S3520 – Memory locations should not be released more than once
  • S3590 – Stack allocated memory should not be freed
  • S1232 – Appropriate memory de-allocation should be used
  • S2637 – “nonnull” pointers should not be set to null
  • S3807 – Parameters should match function definition

Here are a few examples of issues found with these rules in real projects:

Data flow analysis is by definition an approximation, and our data flow engine is constantly evolving. In that evolution we follow simple principles to develop the most helpful engine: keep the signal-to-noise ratio as high as possible, do not compromise performance, listen to users’ feedback, and react quickly. We’ve already made good progress, but we have great plans for the future to help you discover the trickiest and nastiest bugs.

But data flow was not the only thing we worked on in the last 12 months. We had 10 (!!!) releases with many other features delivered:

  • Support for SonarLint for Eclipse; you can now get real-time feedback while you code
  • ~130 new rules
  • Intel compiler support on Linux and OS X
  • WindRiver GCC compiler support
  • and more…

As you can see, we now have one of the very best static code analyzers on the market for C and C++. It can be viewed and tested online on, which offers analysis of open source projects for free. Just get started, no matter what OS and compiler you are using.

For more information about the product, you can visit the product page.

Categories: Open Source

The State of Jenkins - 2016 Community Survey

This is a guest post by Bhavani Rao, Marketing Manager at CloudBees. Last fall, prior to Jenkins World, CloudBees conducted a Community Survey. We received over 1200 responses, and thanks to this input, we have some interesting insights into how Jenkins users and their use of Jenkins are evolving. Based on the survey’s results, Jenkins is increasingly being used to support continuous delivery (CD). Adoption of Jenkins 2, which featured "Pipeline as code" and encouraged users to adopt Jenkins Pipeline, has skyrocketed to more than half of all Jenkins installations. Other data remained consistent with findings year-to-year, for example, the number of Jenkins users continues to increase and 90% of...
Categories: Open Source

Pipeline Workshop & Hackergarten @ ToulouseJAM Feedback

Earlier this month, a full-day event about Jenkins Pipeline was organized in Toulouse, France with the Toulouse JAM. After a warm-up on the previous Tuesday where Michaël Pailloncy had given a talk at the local Toulouse Devops user group about Jenkins Pipeline ecosystem, we were ready for more digging :-). The agenda We had planned the day in two parts: Morning would be a more driven workshop with slides & exercises to be completed Pizzas & beverages to split the day :-) Afternoon would be somehow like an Unconference, where people basically decide by themselves what they want to work on. We planned to have 30 attendees....
Categories: Open Source

Security updates for multiple Jenkins plugins

Multiple Jenkins plugins received updates today that fix several security vulnerabilities: Active Directory, Distributed Fork, Email Extension (Email-ext), Mailer, SSH Slaves. For an overview of what was fixed, see the security advisory. Additionally, we also published a security notice for the following plugin and recommend that users disable and uninstall it: Pipeline: Classpath Step. This plugin is not part of the Pipeline suite of plugins, despite its name. It’s installed on just several hundred instances. Subscribe to the jenkinsci-advisories mailing list to receive important notifications related to Jenkins security....
Categories: Open Source

Blue Ocean Dev Log: March Week #3

We’re counting down the weeks until Blue Ocean 1.0, and we’re getting close! In this past week, the first release candidate has gone out to the Update Center, along with a new Pipeline Editor plugin. The Blue Ocean Pipeline Editor is its own plugin which integrates into Blue Ocean, so this was a coordinated release with Blue Ocean 1.0 rc1. Noteworthy this week: RC1 includes the Blue Ocean Pipeline Editor, which is integrates support for branch editing and saving the Pipeline back to GitHub (also referred to as "round-tripping"). Many dependencies have been upgraded Per-stage raw logs can be downloaded, this will be included in the next release. Editor design improvements Fixes for...
Categories: Open Source