From 0b47c1d380715115ad7c1e7e154d8c2d1393199c Mon Sep 17 00:00:00 2001 From: Devin Nusbaum Date: Tue, 25 Oct 2022 10:01:54 -0400 Subject: [PATCH 1/6] Add ionicons-api to BOM since workflow-cps requires it --- bom-weekly/pom.xml | 5 +++++ sample-plugin/pom.xml | 4 ++++ 2 files changed, 9 insertions(+) diff --git a/bom-weekly/pom.xml b/bom-weekly/pom.xml index aaa783951..5f14cbd9a 100644 --- a/bom-weekly/pom.xml +++ b/bom-weekly/pom.xml @@ -138,6 +138,11 @@ gitlab-branch-source 640.v7101b_1c0def9 + + io.jenkins.plugins + ionicons-api + 31.v4757b_6987003 + io.jenkins.plugins jakarta-activation-api diff --git a/sample-plugin/pom.xml b/sample-plugin/pom.xml index 478096139..cc5c221c5 100644 --- a/sample-plugin/pom.xml +++ b/sample-plugin/pom.xml @@ -124,6 +124,10 @@ gitlab-branch-source test + + io.jenkins.plugins + ionicons-api + io.jenkins.plugins jakarta-activation-api From 71139efce746fe5bbbe7b9d0d9c7a7b9129c0b97 Mon Sep 17 00:00:00 2001 From: Devin Nusbaum Date: Tue, 25 Oct 2022 09:13:21 -0400 Subject: [PATCH 2/6] Update plugins affected by SECURITY-2824 --- bom-2.332.x/pom.xml | 5 +++++ bom-weekly/pom.xml | 6 +++--- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/bom-2.332.x/pom.xml b/bom-2.332.x/pom.xml index 88f602fc1..8683fd9d0 100644 --- a/bom-2.332.x/pom.xml +++ b/bom-2.332.x/pom.xml @@ -69,6 +69,11 @@ jnr-posix-api 3.1.7-3 + + io.jenkins.plugins + pipeline-groovy-lib + 612.v84da_9c54906d + io.jenkins.plugins plugin-util-api diff --git a/bom-weekly/pom.xml b/bom-weekly/pom.xml index 5f14cbd9a..95e6d6773 100644 --- a/bom-weekly/pom.xml +++ b/bom-weekly/pom.xml @@ -21,7 +21,7 @@ 621.vda_a_b_055e58f7 2.16.0 1200.v8005c684b_a_c6 - 2759.v87459c4eea_ca_ + 2803.v1a_f77ffcc773 1236.vc3a_d1602f439 716.vc692a_e52371b_ 639.v6eca_cd8c04a_a_ @@ -196,7 +196,7 @@ io.jenkins.plugins pipeline-groovy-lib - 612.v84da_9c54906d + 613.v9c41a_160233f io.jenkins.plugins 
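Review bot: The pipeline-groovy-lib entry added to bom-2.332.x pins 612.v84da_9c54906d, the very version this same commit moves the weekly BOM away from (612 → 613), so on the 2.332.x line it reads as the pre-SECURITY-2824 release rather than the fixed one, while the commit title ("Update plugins affected by SECURITY-2824") suggests the opposite to anyone reading the managed versions later. Nothing in the pom records that distinction. If 613 cannot be used on 2.332.x because of its core or script-security requirements, say so next to the entry, e.g. `<!-- Last pre-SECURITY-2824 release; 613+ needs a newer script-security than 2.332.x can take. This BOM line does not deliver the fix. -->`, so consumers of the 2.332.x BOM are not misled into thinking the advisory is covered.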
@@ -504,7 +504,7 @@ org.jenkins-ci.plugins script-security - 1183.v774b_0b_0a_a_451 + 1189.vb_a_b_7c8fd5fde org.jenkins-ci.plugins From e74c37b7d02f5082cf06943b17b95eaa07699e91 Mon Sep 17 00:00:00 2001 From: Devin Nusbaum Date: Tue, 25 Oct 2022 09:49:19 -0400 Subject: [PATCH 3/6] Update plugins related to Pipeline input step vulnerabilities --- bom-weekly/pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bom-weekly/pom.xml b/bom-weekly/pom.xml index 95e6d6773..93c966367 100644 --- a/bom-weekly/pom.xml +++ b/bom-weekly/pom.xml @@ -25,7 +25,7 @@ 1236.vc3a_d1602f439 716.vc692a_e52371b_ 639.v6eca_cd8c04a_a_ - 838.va_3a_087b_4055b + 839.v35e2736cfd5c @@ -458,7 +458,7 @@ org.jenkins-ci.plugins pipeline-input-step - 451.vf1a_a_4f405289 + 456.vd8a_957db_5b_e9 org.jenkins-ci.plugins From 113b0f4c8827db95152fd73ab40d0219e7e8d186 Mon Sep 17 00:00:00 2001 From: Devin Nusbaum Date: Tue, 25 Oct 2022 10:13:10 -0400 Subject: [PATCH 4/6] script-security must be frozen to a pre-SECURITY-2824 version on 2.332.x for compatibility with workflow-cps and pipeline-groovy-lib --- bom-2.332.x/pom.xml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/bom-2.332.x/pom.xml b/bom-2.332.x/pom.xml index 8683fd9d0..1e034849b 100644 --- a/bom-2.332.x/pom.xml +++ b/bom-2.332.x/pom.xml @@ -120,6 +120,11 @@ pipeline-stage-step 293.v200037eefcd5 + + org.jenkins-ci.plugins + script-security + 1183.v774b_0b_0a_a_451 + org.jenkins-ci.plugins ssh-credentials From 1e8f8b6dd83403863e3a6c28536b40ca8797588a Mon Sep 17 00:00:00 2001 From: Devin Nusbaum Date: Tue, 25 Oct 2022 12:04:16 -0400 Subject: [PATCH 5/6] Only depend on ionicons-api transitively in sample-plugin and modify check.groovy to allow it to be unused when testing BOM on old LTS lines --- sample-plugin/check.groovy | 3 ++- sample-plugin/pom.xml | 4 ---- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/sample-plugin/check.groovy b/sample-plugin/check.groovy index 004514799..81747bac4 100644 
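Review bot: The script-security pin added to bom-2.332.x (1183.v774b_0b_0a_a_451) is, per the commit title, deliberately a pre-SECURITY-2824 version, but the pom entry itself carries no trace of that, so anyone consuming this BOM line receives a managed version with a published advisory and no signal in the file that the freeze is intentional. Add an XML comment above the entry, e.g. `<!-- Frozen to the last pre-SECURITY-2824 release: newer script-security is incompatible with the workflow-cps and pipeline-groovy-lib versions managed for 2.332.x; do not bump without bumping those too. -->`. It would also help to state what retires the freeze (presumably dropping 2.332.x from the BOM), as check.groovy does for its ionicons-api exception in this series.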
--- a/sample-plugin/check.groovy +++ b/sample-plugin/check.groovy @@ -7,7 +7,8 @@ assert artifactMap['junit:junit'] == project.artifactMap['junit:junit'] def managedPluginDeps = managedDeps.collect {stripAllButGA(it)}.grep { ga -> def art = artifactMap[ga] if (art == null) { - if (ga.contains('.plugins')) { // TODO without an Artifact, we have no reliable way of checking whether it is actually a plugin + if (ga.contains('.plugins') // TODO without an Artifact, we have no reliable way of checking whether it is actually a plugin + && !(ga == 'io.jenkins.plugins:ionicons-api' && settings.activeProfiles.any {it ==~ /^2[.](332|319)[.]x$/})) { // TODO: Remove once 2.332.x is no longer part of the BOM (or if MNG-5600 is fixed and we can exclude this dependency in the BOM for old LTS lines) throw new org.apache.maven.plugin.MojoFailureException("Managed plugin dependency $ga not listed in test classpath of sample plugin") } else { println "Do not see managed dependency $ga" diff --git a/sample-plugin/pom.xml b/sample-plugin/pom.xml index cc5c221c5..478096139 100644 --- a/sample-plugin/pom.xml +++ b/sample-plugin/pom.xml @@ -124,10 +124,6 @@ gitlab-branch-source test - - io.jenkins.plugins - ionicons-api - io.jenkins.plugins jakarta-activation-api From 3845d2e2324c4ddd3e91dc108edbaf785db648b8 Mon Sep 17 00:00:00 2001 From: Devin Nusbaum Date: Tue, 25 Oct 2022 13:38:00 -0400 Subject: [PATCH 6/6] Lock pipeline-input-step to a pre-SECURITY-2880 version in 2.319.x for compatibility with pipeline-model-definition --- bom-2.319.x/pom.xml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/bom-2.319.x/pom.xml b/bom-2.319.x/pom.xml index 61d2d9583..30f58c225 100644 --- a/bom-2.319.x/pom.xml +++ b/bom-2.319.x/pom.xml @@ -82,6 +82,11 @@ metrics 4.1.6.1-358.vf46b_95ea_d2b_3 + + org.jenkins-ci.plugins + pipeline-input-step + 451.vf1a_a_4f405289 + org.jenkins-ci.plugins saml
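Review bot: The new ionicons-api exemption in check.groovy keys on `settings.activeProfiles`, which, if I read Maven's Settings model right, holds only the profile ids activated from settings.xml; profiles selected with `-P` on the command line live on the execution request instead, so if the 2.319.x/2.332.x runs activate their profile that way the regex never matches and the MojoFailureException still fires. Confirm how the LTS profiles are activated, or match against the request too, e.g. `(settings.activeProfiles + session.request.activeProfiles).any { it ==~ /^2[.](332|319)[.]x$/ }` (assuming `session` is bound in this script as `settings` appears to be). As a matter of style, the inline condition now carries a hard-coded artifact id and a regex; a named list such as `def allowedUnusedOnOldLts = ['io.jenkins.plugins:ionicons-api']` above the grep would make the next exception a one-line change. The trailing TODO names only 2.332.x while the regex also matches 2.319.x; say which line's removal retires it. The grep closure that holds this condition continues past the end of the hunk.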
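Review bot: The pipeline-input-step entry added to bom-2.319.x pins 451.vf1a_a_4f405289, which the commit title identifies as a pre-SECURITY-2880 version kept for compatibility with pipeline-model-definition, yet the pom gives no indication of that, so a reader of the managed versions cannot tell a deliberate freeze from an entry that was simply never bumped. Add a comment above the entry, e.g. `<!-- Frozen to the last pre-SECURITY-2880 release: the fixed line (456.vd8a_957db_5b_e9 on weekly) is incompatible with the pipeline-model-definition version managed for 2.319.x. -->`, and state the condition for lifting the freeze so it is not carried forward by accident.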