
Conversation


@dependabot dependabot bot commented on behalf of github Oct 6, 2025

Bumps org.jenkins-ci.plugins:jackson2-api from 2.20.0-411.v6ef8fdee4fe9 to 2.20.0-420.v8a_08b_d57ca_05.

Release notes

Sourced from org.jenkins-ci.plugins:jackson2-api's releases.

2.20.0-420.v8a_08b_d57ca_05

🚀 New features and improvements

  • Package jackson-module-jakarta-xmlbind-annotations (#312) @basil

👻 Maintenance

📦 Dependency updates

  • Bump io.jenkins.tools.incrementals:git-changelist-maven-extension from 1.10 to 1.13 (#313) @dependabot[bot]

Commits

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot bot added dependencies java Pull requests that update Java code labels Oct 6, 2025
@dependabot dependabot bot requested a review from a team as a code owner October 6, 2025 16:02
Bumps [org.jenkins-ci.plugins:jackson2-api](https://github.com/jenkinsci/jackson2-api-plugin) from 2.20.0-411.v6ef8fdee4fe9 to 2.20.0-420.v8a_08b_d57ca_05.
- [Release notes](https://github.com/jenkinsci/jackson2-api-plugin/releases)
- [Changelog](https://github.com/jenkinsci/jackson2-api-plugin/blob/master/CHANGELOG.md)
- [Commits](https://github.com/jenkinsci/jackson2-api-plugin/commits)

---
updated-dependencies:
- dependency-name: org.jenkins-ci.plugins:jackson2-api
  dependency-version: 2.20.0-420.v8a_08b_d57ca_05
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/maven/org.jenkins-ci.plugins-jackson2-api-2.20.0-420.v8a_08b_d57ca_05 branch from acf1a3e to af6fad4 Compare October 29, 2025 14:41
@jglick
Member

jglick commented Dec 30, 2025

Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.6.2:enforce (display-info) on project saml: 
 Rule 6: org.apache.maven.enforcer.rules.dependency.RequireUpperBoundDeps failed with message:
 Failed while enforcing RequireUpperBoundDeps. The error(s) are [
 Require upper bound dependencies error for com.sun.xml.bind:jaxb-impl:2.3.9. Paths to dependency are:
 +-org.jenkins-ci.plugins:saml:4.594.va_f6fa_d40e9c1
   +-io.jenkins.plugins:jaxb:2.3.9-133.vb_ec76a_73f706
     +-com.sun.xml.bind:jaxb-impl:2.3.9
 and
 +-org.jenkins-ci.plugins:saml:4.594.va_f6fa_d40e9c1
   +-org.jenkins-ci.plugins:jackson2-api:2.20.0-420.v8a_08b_d57ca_05
     +-io.jenkins.plugins:jakarta-xml-bind-api:4.0.5-3.v3d5b_a_73965b_9
       +-com.sun.xml.bind:jaxb-impl:4.0.5
 ]

similar to jenkinsci/postgresql-fingerprint-storage-plugin#387 apparently caused by jenkinsci/jackson2-api-plugin#312. Should

saml-plugin/pom.xml

Lines 141 to 144 in e42d0d4

<dependency>
<groupId>io.jenkins.plugins</groupId>
<artifactId>jaxb</artifactId>
</dependency>
be replaced with https://plugins.jenkins.io/jakarta-xml-bind-api/ ? Would some of its deps needed to be updated to match? The existence of
public final RealJenkinsRule rr = new RealJenkinsRule();
offers some comfort. @jtnord advice would be welcome as I am not familiar with the situation here.

@jtnord
Member

jtnord commented Jan 5, 2026

offers some comfort. @jtnord advice would be welcome as I am not familiar with the situation here.

it really depends if anything in the saml dependencies uses the older jaxb versions as the namespace was swapped out in v4 so they are not compatible. Historically I think this was in the SAML library or its dependencies -> apache/santuario-xml-security-java#192 (from 3 years ago and I guess no cleanup was performed when this was picked up?)

I'm not aware of how this is used at runtime but I would guess it is related to the SOAP response/generation parsing and/or checking of signatures, I don't know the SAML spec so I do not know if that test would exercise signing parts, or if that is only involved in a different (optional?) flow per the specification.

mostly I would say replace the direct dependency on io.jenkins.plugins:jaxb with io.jenkins.plugins:jakarta-xml-bind-api (usage-in-plugins or javap on the dependencies would offer more reassurance also)
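The javap check jtnord suggests can be approximated without a JDK: class files store every referenced class name as a '/'-separated constant-pool string, so a byte scan of each .class entry in a jar reveals whether it still binds to the legacy javax.xml.bind namespace (JAXB 2.x, what io.jenkins.plugins:jaxb provides) or to jakarta.xml.bind (JAXB 4.x, what jakarta-xml-bind-api provides). This is an added example, not code from the saml plugin or its maintainers; the jar contents it builds are constructed stand-ins, not real bytecode.

```python
"""Scan a jar's .class entries for the legacy javax.xml.bind (JAXB 2.x) namespace
versus jakarta.xml.bind (JAXB 4.x); a byte scan finds the same constant-pool
class references that `javap -v` would print."""
import io
import re
import zipfile

PATTERNS = {
    "javax.xml.bind": re.compile(rb"javax/xml/bind/"),
    "jakarta.xml.bind": re.compile(rb"jakarta/xml/bind/"),
}

def scan_jar_bytes(data: bytes) -> dict:
    """Return {namespace: number of .class entries that reference it}."""
    counts = {name: 0 for name in PATTERNS}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for entry in jar.namelist():
            if not entry.endswith(".class"):
                continue  # manifests and resources carry no bytecode refs
            blob = jar.read(entry)
            for name, pat in PATTERNS.items():
                if pat.search(blob):
                    counts[name] += 1
    return counts

def classify(counts: dict) -> str:
    """Is the jar safe to sit beside jakarta-xml-bind-api (JAXB 4)?"""
    legacy, jakarta = counts["javax.xml.bind"], counts["jakarta.xml.bind"]
    if legacy and jakarta:
        return "mixed"          # needs case-by-case review
    if legacy:
        return "legacy-javax"   # breaks once jaxb-impl 2.x leaves the classpath
    if jakarta:
        return "jakarta"
    return "no-jaxb"

def build_sample_jar(entries: dict) -> bytes:
    """Constructed test jar whose entries hold only namespace strings (fake bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, body in entries.items():
            jar.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_jar({
        "org/example/Old.class": b"\xca\xfe\xba\xbe javax/xml/bind/JAXBContext",
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    })
    print(classify(scan_jar_bytes(sample)))  # legacy-javax
```

For the real plugin, feed scan_jar_bytes the bytes of each jar listed by `mvn dependency:build-classpath`; any "legacy-javax" or "mixed" result is a dependency that still needs JAXB 2.x and would not be covered by the swap alone.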
