Merge branch 'main' into cve-fixes

Author: fdevans

.github/workflows/gradle.yml

@@ -14,10 +14,10 @@ jobs:
       - name: Get Fetch Tags
         run: git -c protocol.version=2 fetch --tags --progress --no-recurse-submodules origin
         if: "!contains(github.ref, 'refs/tags')"
-      - name: Set up JDK 11
+      - name: Set up JDK 17
         uses: actions/setup-java@v4
         with:
-          java-version: '11'
+          java-version: '17'
           distribution: 'zulu'
       - name: Grant execute permission for gradlew
         run: chmod +x gradlew

.github/workflows/release.yml

@@ -2,7 +2,7 @@ on:
   push:
     # Sequence of patterns matched against refs/tags
     tags:
-      - 'v[0-9]+.[0-9]+.[0-9]+' # Push events to matching v*, i.e. v1.0, v20.15.10
+      - '*.*.*' # Push events to matching semver tags (no v prefix)
 
 name: Publish Release
 
@@ -15,10 +15,10 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - name: Set up JDK 11
+      - name: Set up JDK 17
         uses: actions/setup-java@v4
         with:
-          java-version: '11'
+          java-version: '17'
           distribution: 'zulu'
       - name: Build with Gradle
         run: ./gradlew build

.gitignore

@@ -7,6 +7,7 @@
 build/
 bin/
 out/
+.temp/
 
 # VS Code
 .vscode/

build.gradle

@@ -18,11 +18,12 @@ ext.developers = [
 ]
 
 scmVersion {
-    ignoreUncommittedChanges = true
+    ignoreUncommittedChanges = false
     tag {
-        prefix = 'v'
+        prefix = ''           // NO "v" prefix - see PLUGIN_TAGGING_ARCHITECTURE.md
         versionSeparator = ''
     }
+    versionCreator 'simple'  // Use simple version creator (just tag name)
 }
 
 allprojects {
@@ -34,6 +35,15 @@ defaultTasks 'clean','build'
 
 repositories {
     mavenLocal()
+    maven {
+        name = 'Central Portal Snapshots'
+        url = 'https://central.sonatype.com/repository/maven-snapshots/'
+        
+        // Only search this repository for org.rundeck snapshots
+        content {
+            includeGroup('org.rundeck')
+        }
+    }
     mavenCentral()
 }
 
@@ -55,7 +65,8 @@ dependencies {
     pluginLibs libs.expectitCore
 
     implementation libs.commonsIo
-    implementation libs.rundeckCore
+    compileOnly libs.rundeckCore
+    testImplementation libs.rundeckCore
     implementation libs.slf4jApi
 
     // Add secure commons-lang3 to provide alternative to vulnerable commons-lang 2.6
@@ -101,6 +112,13 @@ jar {
 
 test {
     useJUnitPlatform()
+    
+    // Java 17+ module access for cglib/Spock mocking
+    jvmArgs = [
+        '--add-opens=java.base/java.lang=ALL-UNNAMED',
+        '--add-opens=java.base/java.util=ALL-UNNAMED',
+        '--add-opens=java.base/java.lang.reflect=ALL-UNNAMED'
+    ]
 }
 
 //set jar task to depend on copyToLib
@@ -117,3 +135,20 @@ nexusPublishing {
 }
 
 apply from: "${rootDir}/gradle/publishing.gradle"
+
+// Add PackageCloud repository
+publishing {
+    repositories {
+        maven {
+            name = "PackageCloudTest"
+            url = uri("https://packagecloud.io/pagerduty/rundeckpro-test/maven2")
+            authentication {
+                header(HttpHeaderAuthentication)
+            }
+            credentials(HttpHeaderCredentials) {
+                name = "Authorization"
+                value = "Bearer " + (System.getenv("PKGCLD_WRITE_TOKEN") ?: project.findProperty("pkgcldWriteToken"))
+            }
+        }
+    }
+}

gradle/java.gradle

@@ -1,5 +1,6 @@
 java {
-    sourceCompatibility = JavaVersion.VERSION_11
+    sourceCompatibility = JavaVersion.VERSION_17
+    targetCompatibility = JavaVersion.VERSION_17
     withJavadocJar()
     withSourcesJar()
 }

gradle/libs.versions.toml

@@ -1,21 +1,21 @@
 [versions]
-sshj = "0.39.0"
+sshj = "0.40.0"
 asnOne = "0.6.0"
 eddsa = "0.3.0"
-bouncycastle = "1.80"
+bouncycastle = "1.79"
 expectit = "0.9.0"
 commonsIo = "2.17.0"
-rundeckCore = "5.14.0-rc1-20250722"
+rundeckCore = "6.0.0-alpha1-20260407"
 slf4j = "2.0.17"
 junit = "4.13.2"
-groovy = "3.0.22"
-spock = "2.0-groovy-3.0"
+groovy = "4.0.29"
+spock = "2.4-groovy-4.0"
 cglib = "3.3.0"
 objenesis = "1.4"
 axionRelease = "1.18.18"
 nexusPublish = "2.0.0"
 # Security overrides for transitive dependencies
-commonsLang3 = "3.18.0"
+commonsLang3 = "3.20.0"
 
 [libraries]
 sshj = { group = "com.hierynomus", name = "sshj", version.ref = "sshj" }
@@ -28,7 +28,7 @@ commonsIo = { group = "commons-io", name = "commons-io", version.ref = "commonsI
 rundeckCore = { group = "org.rundeck", name = "rundeck-core", version.ref = "rundeckCore" }
 slf4jApi = { group = "org.slf4j", name = "slf4j-api", version.ref = "slf4j" }
 junit = { group = "junit", name = "junit", version.ref = "junit" }
-groovyAll = { group = "org.codehaus.groovy", name = "groovy-all", version.ref = "groovy" }
+groovyAll = { group = "org.apache.groovy", name = "groovy-all", version.ref = "groovy" }
 spockCore = { group = "org.spockframework", name = "spock-core", version.ref = "spock" }
 cglibNodep = { group = "cglib", name = "cglib-nodep", version.ref = "cglib" }
 objenesis = { group = "org.objenesis", name = "objenesis", version.ref = "objenesis" }

gradle/wrapper/gradle-wrapper.properties

@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-7.6.6-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.14.3-bin.zip
 networkTimeout=10000
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists

jitpack.yml

@@ -1,2 +1,2 @@
 jdk:
-  - openjdk11
+  - openjdk17

src/main/java/com/plugin/sshjplugin/SSHJNodeExecutorPlugin.java

@@ -277,7 +277,8 @@ public NodeExecutorResult executeCommand(ExecutionContext context, String[] comm
                     connectionInfo,
                     listener);
         } catch (Exception e) {
-            e.printStackTrace();
+            listener.log(2, "[" + getClass().getSimpleName() + "] Failed to build SSH executor: " + 
+                        e.getMessage() + " (" + e.getClass().getSimpleName() + ")");
         }
 
 
@@ -292,6 +293,9 @@ public NodeExecutorResult executeCommand(ExecutionContext context, String[] comm
                 config.setKeepAliveProvider(KeepAliveProvider.KEEP_ALIVE);
                 sshClient = new SSHClient(config);
             }
+            if (sshexec == null) {
+                throw new SSHJBuilder.BuilderException("Failed to initialize SSH executor");
+            }
             sshexec.connect(sshClient);
             sshexec.execute(sshClient);
             success = true;
@@ -313,7 +317,9 @@ public NodeExecutorResult executeCommand(ExecutionContext context, String[] comm
                     sshClient.disconnect();
                     sshClient.close();
                 } catch (Exception iex) {
-                    throw new SSHJBuilder.BuilderException(iex);
+                    // Log cleanup errors instead of throwing to avoid masking original exception
+                    listener.log(2, "[" + getClass().getSimpleName() + "] Error closing SSH client: " + 
+                                iex.getMessage() + " (" + iex.getClass().getSimpleName() + ")");
                 }
             }
 

src/main/java/com/plugin/sshjplugin/model/SSHJAuthentication.java

@@ -42,7 +42,7 @@ void authenticate(final SSHClient ssh) throws IOException {
                     try{
                         passphrase = connectionParameters.getPrivateKeyPassphrase(passphrasePath);
                     } catch (Exception e) {
-                        throw new SSHJBuilder.BuilderException("Failed to read SSH Passphrase stored at path: " + passphrasePath);
+                        throw new SSHJBuilder.BuilderException("Failed to read SSH Passphrase stored at path: " + passphrasePath, e);
                     }
                 }
                 if(privateKeyFileSystemPath != null && privateKeyStoragePath == null){
@@ -59,7 +59,7 @@ void authenticate(final SSHClient ssh) throws IOException {
                     try{
                         privateKeyContent = connectionParameters.getPrivateKeyStorage(privateKeyStoragePath);
                     } catch (Exception e) {
-                        throw new SSHJBuilder.BuilderException("Failed to read SSH Key Storage stored at path: " + privateKeyStoragePath);
+                        throw new SSHJBuilder.BuilderException("Failed to read SSH Key Storage stored at path: " + privateKeyStoragePath, e);
                     }
                     KeyFormat format = KeyProviderUtil.detectKeyFileFormat(privateKeyContent,true);
                     keys = Factory.Named.Util.create(ssh.getTransport().getConfig().getFileKeyProviderFactories(), format.toString());
@@ -83,7 +83,7 @@ void authenticate(final SSHClient ssh) throws IOException {
                 try{
                     password = connectionParameters.getPassword(passwordPath);
                 } catch (Exception e) {
-                    throw new SSHJBuilder.BuilderException("Failed to read SSH Password stored at path: " + passwordPath);
+                    throw new SSHJBuilder.BuilderException("Failed to read SSH Password stored at path: " + passwordPath, e);
                 }
 
                 ssh.authPassword(username, password);