Our May release of Bitbucket 8.9 is mostly about control – there are new repository management controls, global SSH key policy controls and even a new version of the Control Freak plugin. Yes sir-ee, we are in control.
Compliance through stricter controls
Many organizations have compliance needs to meet, and the tools used for software development don’t get the benefit of the doubt.
To help you meet compliance and security standards, this release of Bitbucket delivers more controls to mitigate some of the whodunits of the past.
There are tighter controls available for the repository settings. Project admins can now take away some of the repository admin privileges by setting up change restrictions in the project settings.
Restriction options shown for Access keys in Bitbucket 8.9
New restriction options are available for Access keys, HTTP access tokens and Project permissions.
Please see the Bitbucket documentation on atlassian.com for more information on using these new restrictions.
More control over SSH keys
In addition to the new repository settings restrictions, there are also new global policy controls available for SSH key management, all intended to keep Bitbucket compliant with your organization’s requirements.
You can now enforce the use of specific SSH key types and mandate minimum key lengths. This conveniently allows you to ensure that no weak keys are used with Git authentication.
Global settings for SSH keys in Bitbucket 8.9
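The key-type and minimum-length policy described above is exactly the kind of check that is easy to run yourself before a user uploads a key, for instance in an onboarding script or an audit over existing keys. The following is an added example and not Bitbucket’s or Eficode’s code: it parses an OpenSSH public key line in pure Python, reads the key type and the effective key length from the wire-format blob, and compares both against a policy table. The policy values (RSA at least 3072 bits, ECDSA and Ed25519 allowed, DSA not allowed) are assumptions chosen for illustration, and the sample keys are constructed in code so the script runs offline; they are structurally valid blobs, not real key pairs.

```python
import base64
import struct

# Assumed policy: minimum bits per permitted key type. A key type that is
# not listed (for example ssh-dss) is rejected outright.
POLICY = {
    "ssh-ed25519": 256,
    "ssh-rsa": 3072,
    "ecdsa-sha2-nistp256": 256,
    "ecdsa-sha2-nistp384": 384,
    "ecdsa-sha2-nistp521": 521,
}

# --- wire-format helpers (RFC 4251 "string" and "mpint" encodings) ---------

def _string(data):
    return struct.pack(">I", len(data)) + data

def _mpint(n):
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:          # positive mpint needs a leading zero byte
        raw = b"\x00" + raw
    return _string(raw)

def _read_string(blob, offset):
    (length,) = struct.unpack_from(">I", blob, offset)
    offset += 4
    return blob[offset:offset + length], offset + length

# --- parsing -----------------------------------------------------------------

def parse_public_key(line):
    """Return (key_type, bits) for an authorized_keys-style public key line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type field does not match encoded blob")
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)       # public exponent
        n, _ = _read_string(blob, off)          # modulus as big-endian mpint
        bits = int.from_bytes(n, "big").bit_length()
    elif key_type == "ssh-ed25519":
        point, _ = _read_string(blob, off)      # 32-byte public point
        bits = len(point) * 8
    elif key_type.startswith("ecdsa-sha2-"):
        curve, _ = _read_string(blob, off)      # curve name, e.g. nistp256
        bits = {"nistp256": 256, "nistp384": 384, "nistp521": 521}[curve.decode()]
    elif key_type == "ssh-dss":
        p, _ = _read_string(blob, off)          # DSA prime p sets the key size
        bits = int.from_bytes(p, "big").bit_length()
    else:
        raise ValueError(f"unsupported key type {key_type}")
    return key_type, bits

def check_key(line, policy=POLICY):
    """Return (allowed, reason) for one public key line under the policy."""
    key_type, bits = parse_public_key(line)
    minimum = policy.get(key_type)
    if minimum is None:
        return False, f"{key_type}: key type not permitted"
    if bits < minimum:
        return False, f"{key_type}: {bits} bits < required {minimum}"
    return True, f"{key_type}: {bits} bits OK"

# --- constructed sample keys (structurally valid, not real key pairs) ------

def build_public_key_line(key_type, *fields, comment="sample"):
    blob = _string(key_type.encode()) + b"".join(fields)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

SAMPLE_KEYS = {
    "rsa2048": build_public_key_line("ssh-rsa", _mpint(65537), _mpint((1 << 2047) | 1)),
    "rsa4096": build_public_key_line("ssh-rsa", _mpint(65537), _mpint((1 << 4095) | 1)),
    "ed25519": build_public_key_line("ssh-ed25519", _string(b"\x01" * 32)),
    "dsa1024": build_public_key_line("ssh-dss", _mpint((1 << 1023) | 1),
                                     _mpint(1), _mpint(1), _mpint(1)),
}

if __name__ == "__main__":
    for name, line in SAMPLE_KEYS.items():
        print(name, check_key(line))
```

Running the script reports the 2048-bit RSA and the DSA sample as rejected and the 4096-bit RSA and Ed25519 samples as allowed. The same `check_key` function can be pointed at an export of existing keys to estimate how many users would be affected before a policy is switched on.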
There’s also a new feature anticipated by some organizations: enforced SSH key expiration.
A system administrator can now enable global expiry for all SSH keys, requiring all keys to be renewed after a certain number of days. However, given that the setting also applies to all existing keys, we would highly advise against enabling it haphazardly.
If you would like to enable SSH key expiration in your Bitbucket, please reach out to your friendly Eficode ROOT support before embarking on such a journey.
Starting with this release of Bitbucket, you can now create webhooks at the project level as well, in addition to the repository-level webhooks of earlier versions.
You can now avoid having to duplicate the same hook across multiple repositories by simply setting them up on the project level, improving efficiency when operating automations at scale.
Check out the documentation on Bitbucket webhooks on atlassian.com for further details.
Naturally there’s also a round of plugin updates to go with the new Bitbucket version. Find our highlights below.
Control Freak - Commit Checkers and Jira Hooks for Bitbucket
The Control Freak plugin leaps directly from 2022.12.06 to the latest version 2023.04.15.
This update delivers multiple bug fixes to correct annoyances in the previous version:
- The Pull Request screen no longer throws IllegalArgumentExceptions when the “require # approvals” control is enabled.
- The “rebase-and-merge” and “rebase-and-fast-forward” merge options now appropriately honor the “Ignore Clean Rebases” Jira Policy setting.
- And there’s a small preventive fix to guard against long “git log” invocations.
Include Code Quality for Bitbucket
To complement the new SonarQube Current also delivered with our May release, we’ll naturally include the latest version 6.1.0 of Include Code Quality for Bitbucket as well.
In addition to implementing support for SonarQube 10, this release also now includes support for SonarQube installations with SSO authentication only.
Security for Bitbucket: Enhanced Secret Scanner by Soteri
With the update to version 4.4.0, Security for Bitbucket receives a number of welcome updates:
- AWS Client ID scans now produce fewer false positive findings.
- Unexpected exceptions are now handled and reported in a more robust manner.
- There are general improvements to the UI, and the appearance of findings has been streamlined on the branch scan report.
Following the last month’s release of SonarQube 9.9 LTS, the next generation of Current arrives on Eficode ROOT in May in the form of SonarQube 10.0.
Faster first analysis
Building on top of the massive performance improvements in SonarQube 9.9 LTS, the new SonarQube 10.0 further speeds up the first full analysis of git-based projects.
With the new optimizations in the way git-blame data is handled in SonarQube, the first project analysis is now even faster than before. Especially projects that involve a large number of commits will see the time required for first full analysis to drop down to a fraction of what it used to be.
As an example, in SonarSource’s own benchmarks using the TypeScript compiler source code, the time needed for the first full analysis dropped from over 20 hours to a mere 5 minutes.
SCIM for Azure AD
SonarQube 10 delivers much anticipated automated user provisioning and deprovisioning support for SAML / Azure AD configurations through SCIM.
With SCIM enabled, you don’t have to manually manage users and groups on SonarQube. The integration can automatically synchronize not only the usual user creations and deletions, but also group operations – group creations and deletions, group membership additions and removals, and possible group name updates.
This feature is currently available on Enterprise Edition and above.
Static analysis for Docker
Dockerfiles can easily end up being a bit of a nightmare when it comes to security issues. With the introduction of Docker support, SonarQube 10.0 can help you mitigate potential problems with your Dockerfiles as well.
SonarQube implements a bash command parser and introduces over 20 new best practice rules to help find possible security misconfigurations that could be lurking in your Docker instructions.
Check out the SonarQube 10.0 release announcement on sonarsource.com for more on the brand new SonarQube.
Our monthly GitLab release of 15.11 delivers group-level compliance framework report management, achievements, Web IDE by default and much more.
This release of GitLab delivers a first Beta version of a new achievements feature. It’s still disabled by default, but your Eficode ROOT Support can enable the feature flag if you so wish.
You can use the feature to acknowledge the accomplishments of your developers by awarding different achievements. An achievement in GitLab consists of a name, a description and an avatar. Users with the Maintainer or Owner role can create custom achievements and award them to the users meeting the defined achievement criteria.
While it’s nice to receive a bit of acknowledgement from time to time, we are also very happy with all the new meme-related possibilities this gives us.
General availability for Web IDE Beta
The new Web IDE Beta, originally introduced in GitLab 15.7, will now be enabled by default.
Web IDE Beta in GitLab 15.11
Web IDE Beta is an advanced, next generation web editor based on Visual Studio Code. Like standalone VSCode, Web IDE Beta also delivers powerful features with a flexible and familiar interface. Starting with GitLab 15.11, Web IDE Beta will be the default editor unless you decide to opt out (see the documentation on GitLab.com).
Starting with GitLab 15.11, Web IDE Beta includes support for making additional changes to new and modified files in merge requests without having to clone the project to your local workstation. New and modified files now appear in separate tabs when Web IDE Beta is launched from a merge request. Each of these files is presented with an inline diff for reviewing changes immediately in the editor.
Rerun downstream pipeline trigger jobs
Previously, if something went south in a downstream pipeline, you would have had to rerun the full upstream pipeline to correct it. With a large hierarchical pipeline with many jobs or downstream pipelines, this was inefficient and time consuming.
Starting with GitLab 15.11, you can now just run that flaky downstream pipeline again without having to redo the whole ordeal. You can simply select “Run again” on the trigger job. The newly triggered downstream pipeline automatically replaces the previous pipeline in the pipeline graph.
Further documentation for downstream pipelines is available on GitLab.com.
Prevent accidental token leaks in issues, MRs and comments
GitLab has included secret detection for our codebases since release 11.x, which undoubtedly has prevented many embarrassing situations over the years.
GitLab 15.11 takes secret detection one step further – it now checks if the text of your comment, reply, merge request description or issue description contains a secret token. If a token is detected, you’ll see a warning prompt that’ll allow you to go back and edit your message before it’s sent.
In its first incarnation, the new protection checks for GitLab Personal Access Tokens and Feed Tokens, but expansion to broader secret detection is in the works.
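The warning prompt above is a pre-send check over free text rather than over committed code. As an added example, not GitLab’s own implementation, the following Python scans a comment body for the two token kinds the post names and returns redacted previews with positions, so an integration (for example a chat bot or a ticket gateway that forwards text into GitLab) can block or warn in the same spirit. The token shapes are assumptions based on the documented `glpat-` and `glft-` prefixes followed by 20 characters; the sample comment is constructed.

```python
import re

# Assumed token shapes: a fixed prefix plus 20 characters from [A-Za-z0-9_-].
# Lookarounds instead of \b because '-' and '_' are legal token characters.
_BODY = r"[A-Za-z0-9_-]{20}"
TOKEN_PATTERNS = {
    "gitlab_personal_access_token": re.compile(rf"(?<![A-Za-z0-9_-])glpat-{_BODY}(?![A-Za-z0-9_-])"),
    "gitlab_feed_token": re.compile(rf"(?<![A-Za-z0-9_-])glft-{_BODY}(?![A-Za-z0-9_-])"),
}

def redact(token):
    """Keep the prefix and last four characters so a user can recognise the token."""
    return token[:6] + "*" * (len(token) - 10) + token[-4:]

def find_tokens(text):
    """Return a list of findings sorted by position; never the raw token itself."""
    findings = []
    for name, pattern in TOKEN_PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append({
                "type": name,
                "start": m.start(),
                "end": m.end(),
                "preview": redact(m.group(0)),
            })
    return sorted(findings, key=lambda f: f["start"])

def check_comment(text):
    """Decide whether a comment may be sent; findings explain a refusal."""
    findings = find_tokens(text)
    return {"ok": not findings, "findings": findings}

# Constructed sample: a PAT-shaped string pasted into an issue comment.
SAMPLE_COMMENT = "Use glpat-AbCdEfGhIjKlMnOpQrSt for the runner, then ping me."

if __name__ == "__main__":
    result = check_comment(SAMPLE_COMMENT)
    if not result["ok"]:
        for f in result["findings"]:
            print(f"{f['type']} at {f['start']}-{f['end']}: {f['preview']}")
```

The finding carries only a redacted preview, so log lines produced by the check do not themselves become a second copy of the secret.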
README for groups
In earlier versions of GitLab, you could provide more information about your project by adding a README file at the project level.
Starting with GitLab 15.11, it is now also possible to add a README to the group level for sharing more information about your teams, an overview of your projects or anything of that nature. The README is displayed on the group overview page, and can be changed in the group settings.
Scoped inputs for included CI/CD configuration
If you wanted to change the behavior of included CI/CD configuration, such as CI/CD templates, in earlier versions of GitLab you could have used global CI/CD variables to do so. The trouble with this is that global variables apply to the entire pipeline, not just to the included configuration. This could have sometimes led to undesirable results.
This release of GitLab adds the possibility of declaring mandatory or optional input parameters for includable CI/CD configuration files. These input parameters are scoped to the included configuration only, and can replace the need to use global variables. This allows building more robust and isolated CI/CD templates.
Check out the CI Interpolation Example repository on GitLab.com to see how the new scoped parameters work.
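To make the difference between global variables and scoped inputs concrete, here is an added example (not the page’s or the CI Interpolation Example repository’s own files) showing a template that declares one mandatory and one optional input, and a pipeline that includes it. The file paths, input names and job contents are assumptions; the `spec:inputs` header and `$[[ inputs.name ]]` interpolation are the GitLab syntax this feature introduces.

```yaml
# templates/deploy.yml (assumed path): the includable template.
# The "spec" header is separated from the configuration body by "---".
spec:
  inputs:
    environment:        # no default: the including pipeline must supply it
    replicas:
      default: "1"      # optional: used when the include does not override it
---
"deploy-$[[ inputs.environment ]]":
  stage: deploy
  script:
    - echo "Deploying $[[ inputs.replicas ]] replica(s) to $[[ inputs.environment ]]"

# .gitlab-ci.yml (assumed path): the including pipeline.
# The values are visible only to the included file, not to every job in the pipeline,
# which is what a global variable such as DEPLOY_ENVIRONMENT would have leaked.
include:
  - local: templates/deploy.yml
    inputs:
      environment: production
      replicas: "3"
```

Omitting `environment` from the include makes the pipeline fail at configuration time instead of silently deploying to a default, which is the robustness gain over a global variable that may or may not be set.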
And then some
All of this is just the tip of the iceberg again. Check out the GitLab 15.11 release announcement on GitLab.com for a complete overview of all changes in GitLab 15.11, in exhaustive detail.
Eficode ROOT Team Management and Jenkins LTS receive some love in the form of minor patch updates.
Updated Eficode ROOT Team Management
Version 2.11, included in our May release, delivers enhancements to how username lowercase / uppercase conversions are handled. There are also corrections to synchronization issues encountered in certain corner cases.
Full release notes for all Eficode ROOT Team Management versions can be found on the Eficode ROOT documentation site at docs.eficode.io.
Core and plugin revision for Jenkins LTS
Jenkins LTS Core gets a bump to version 2.387.2 LTS with corrections to the default WebSocket settings and to Plugin Manager API functionality.
There’s also the usual round of plugin updates, which - as always - tend to differ from Jenkins to Jenkins depending on the specific configuration on your very own Eficode ROOT Jenkins deployment.
If you happen to be interested, your friendly Eficode ROOT Support team can shed some light on the nitty-gritty specifics of the updates applicable to your instance.
As always, if we detect potentially problematic or breaking changes that would affect your Jenkins we’ll naturally let you know beforehand.
Published: May 3, 2023