Afaik core is not using commons-lang anymore. It is only included in core due to json-lib. And given the almost 300 plugins that use commons-lang I think once json-lib is fixed we can remove it from core and have the commons-lang-api plugin as an implied dependency.
Can we make the Jenkins Security Scan look for usages of commons.lang and report them? ________________________________ From: [email protected] <[email protected]> on behalf of Verachten Bruno <[email protected]> Sent: Wednesday, July 30, 2025 6:20 PM To: [email protected] <[email protected]> Subject: Re: Modernize core dependency json-lib library Basil, Thank you for creating the spreadsheet to track the dependencies related to removing Commons Lang 2 from Jenkins core. That will prove helpful! Best wishes, Bruno On Wed, Jul 30, 2025 at 6:16 PM Basil Crow <[email protected]<mailto:[email protected]>> wrote: CVE-2025-48924 increases the motivation to remove Commons Lang 2 from Jenkins core. That cannot be done until core stops depending on it (including via Json-Lib), as discussed in this thread, and until plugins stop depending on core's copy. To track the latter I created this spreadsheet: https://docs.google.com/spreadsheets/d/1w6_QXUflt1GSTdQ1-WyWtVXewu99LuHuvr-0Hivoi7I/edit -- You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]<mailto:jenkinsci-dev%[email protected]>. To view this discussion visit https://groups.google.com/d/msgid/jenkinsci-dev/CAFwNDjrL%3D3nOYG8nAOVVZofbXJcy65-%2B-E0Kd%3Da%2B06q9fa9WKA%40mail.gmail.com. -- Bruno Verachten -- You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]<mailto:[email protected]>. To view this discussion visit https://groups.google.com/d/msgid/jenkinsci-dev/CACtV%3DdcdRBFQhs6QxQ5jEMLxf9Eei2Lg%3DRu1bzrGyUkweNrdLw%40mail.gmail.com<https://groups.google.com/d/msgid/jenkinsci-dev/CACtV%3DdcdRBFQhs6QxQ5jEMLxf9Eei2Lg%3DRu1bzrGyUkweNrdLw%40mail.gmail.com?utm_medium=email&utm_source=footer>. -- You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/d/msgid/jenkinsci-dev/AS1PR02MB7847959D1BD263AAE41E75968724A%40AS1PR02MB7847.eurprd02.prod.outlook.com.
