Merge branch 'master' into nodes-with-key-storage

Author: fdevans

.DS_Store

@@ -0,0 +1,15 @@
+name: Snyk Scan
+
+on:
+  push:
+    branches: [ main, master ]
+  pull_request:
+    branches: [ main, master ]
+  workflow_dispatch:
+
+jobs:
+  security:
+    uses: rundeck-plugins/.github/.github/workflows/snyk-scan-reusable.yml@main
+    secrets:
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      SNYK_ORG_ID: ${{ secrets.SNYK_ORG_ID }}

.github/workflows/snyk-scan.yml

@@ -1,5 +1,66 @@
-.idea
-.gradle
-build
-**/.DS_Store
-.vscode
+# Gradle
+.gradle/
+build/
+bin/
+!gradle-wrapper.jar
+!gradle/wrapper/gradle-wrapper.jar
+gradle-app.setting
+!gradle-wrapper.properties
+
+# IDE
+.idea/
+.vscode/
+*.swp
+*.swo
+*~
+
+# OS
+.DS_Store
+.DS_Store?
+._*
+.Spotlight-V100
+.Trashes
+ehthumbs.db
+Thumbs.db
+
+# Java
+*.class
+*.log
+*.ctxt
+.mtj.tmp/
+*.jar
+!gradle-wrapper.jar
+!gradle/wrapper/gradle-wrapper.jar
+hs_err_pid*
+replay_pid*
+
+# Groovy
+*.groovy~
+
+# Build artifacts
+out/
+target/
+dist/
+*.war
+*.ear
+*.sar
+*.zip
+*.tar.gz
+*.rar
+
+# Runtime
+.attach_pid*
+*.tmp
+*.temp
+
+# Logs
+logs/
+*.log
+
+# Test results
+test-results/
+.scannerwork/
+
+# Local environment
+local.properties
+.env

.gitignore

@@ -17,6 +17,8 @@ Run the following command to built the jar file:
 ./gradlew clean build
 ```
 
+**Note:** This plugin requires Rundeck 5.16.0 or later.
+
 ## Install
 
 Copy the `git-plugin-x.y.x.jar` file to the `$RDECK_BASE/libext/` directory inside your Rundeck installation.

README.md

@@ -55,6 +55,9 @@ dependencies {
     implementation(libs.groovyAll)
     implementation(libs.rundeckCore)
     implementation(libs.slf4jApi)
+    
+    // Add secure commons-lang3 to provide alternative to vulnerable commons-lang 2.6
+    implementation(libs.commonsLang3)
 
     pluginLibs(libs.jgit) {
         exclude module: 'slf4j-api'
@@ -70,6 +73,21 @@ dependencies {
     testImplementation libs.bundles.testLibs
 }
 
+configurations.all {
+    resolutionStrategy {
+        // Force secure versions for non-breaking dependency overrides
+        force "com.squareup.okhttp3:okhttp:${libs.versions.okhttp3.get()}"
+        force "com.squareup.okio:okio:${libs.versions.okio.get()}"
+        
+        // Replace vulnerable commons-lang with secure commons-lang3
+        dependencySubstitution {
+            substitute module('commons-lang:commons-lang') using module("org.apache.commons:commons-lang3:${libs.versions.commonsLang3.get()}")
+        }
+        
+        // Note: JGit vulnerabilities left as-is to avoid code breaking changes
+    }
+}
+
 
 task copyToLib(type: Copy) {
     into "$buildDir/output/lib"

build.gradle

@@ -1,17 +1,21 @@
 [versions]
 # Plugins
 axionRelease = "1.18.18"
+nexusPublish = "1.3.0"
 # Libraries
 groovy = "3.0.22"
 junit = "4.13.2"
-rundeckCore = "5.10.0-20250312"
+rundeckCore = "5.16.0-20251006"
 slf4j = "1.7.36"
 jgit = "6.6.1.202309021850-r"
 jgitSsh = "5.13.3.202401111512-r"
 spock = "2.0-groovy-3.0"
 cglib = "3.3.0"
 objenesis = "1.4"
-nexusPublish = "1.3.0"
+# Security overrides for transitive dependencies
+okhttp3 = "4.12.0"
+okio = "3.9.1"
+commonsLang3 = "3.18.0"
 
 [libraries]
 groovyAll   = { group = "org.codehaus.groovy", name = "groovy-all", version.ref = "groovy" }
@@ -23,6 +27,7 @@ jgitSsh     = { group = "org.eclipse.jgit", name = "org.eclipse.jgit.ssh.jsch",
 spockCore   = { group = "org.spockframework", name = "spock-core", version.ref = "spock" }
 cglibNodep  = { group = "cglib", name = "cglib-nodep", version.ref = "cglib" }
 objenesis   = { group = "org.objenesis", name = "objenesis", version.ref = "objenesis" }
+commonsLang3 = { module = "org.apache.commons:commons-lang3", version.ref = "commonsLang3" }
 
 [bundles]
 testLibs = ["junit", "groovyAll", "spockCore", "cglibNodep", "objenesis"]