Bamboo 10.0 EAP

This documentation is intended for third-party app vendors and people maintaining their own in-house apps who want to ensure that the apps are compatible with Bamboo 9.0. If you’d like to stay in the loop, check out the latest posts and discussions in the Atlassian Developer Community.

Quick info

Here’s some quick information about the latest Early Access Program (EAP) release:

Application: Bamboo Data Center
Release: 10.0.0-rc5
Downloads: Download the EAP

Summary of the changes

This is an overview of the changes that are going to become part of the upcoming release of Bamboo, so you can start thinking about how they might impact your apps.

Platform 7 upgrade

Status: IMPLEMENTED 

We’ve built Bamboo 10.0 on Atlassian Platform 7.0, which introduces several significant changes. Before upgrading Bamboo, verify the compatibility of the apps you’ve built.

This upgrade better positions us to respond to security changes with reduced disruption and breaking changes for your apps.

As part of this work, we have:

  • upgraded numerous Atlassian and third-party components to benefit from the latest security patches and bug fixes

  • removed ‘gray APIs’ (unsupported third-party and cross-product libraries with their dependencies)

  • reduced the public Java API in Atlassian Plugins, WRM, Web Fragments, and LESS

Check out how to prepare for the Platform 7 upgrade.

REST v2

Status: IMPLEMENTED 

Platform 7 and Bamboo 10.0 have rearchitected the Java APIs used to implement REST resources, which we’re calling REST v2.

Note that this isn’t a change to Bamboo REST API, which remains largely unchanged. These changes will only impact app developers. The underlying libraries, Jackson and Jersey, have been upgraded to the latest versions. REST v2 also makes use of JAX-RS 2.

The REST v2 upgrade guide contains advice and examples on how to upgrade your app to use REST v2.

Endpoint default security annotations

Status: IMPLEMENTED 

We’ve enabled better control of access to endpoints with new annotations. From Bamboo 10.0, resources without a specified access criteria annotation can be accessed by licensed users only. Make sure you review:

  • @AdminOnly

  • @AnonymousSiteAccess

  • @LicensedOnly

  • @SystemAdminOnly

  • @UnlicensedSiteAccess

  • @UnrestrictedAccess

Reviewing these will ensure that the intended users can access your application endpoints. You may need to make changes to endpoints such as Struts Actions, Filters, Servlets, and REST resources.

Visit Prepare your Data Center app to comply with secure endpoint defaults for full details.

For development or testing purposes, this new behavior can be disabled by setting the bamboo.security.endpoint.annotation.default.to.licensed.access property to false. This flag may be unavailable in later releases and is not recommended for production environments.
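One way to find REST endpoints that will fall under the new licensed-only default, as an added example (not Atlassian's code): a line-based Python heuristic that lists JAX-RS methods carrying none of the six annotations above on the method or its class. The function name, the sample resource, and the assumption that a class-level annotation covers the class's methods are illustrative.

```python
import re

# The six access annotations this page asks you to review.
ACCESS = {"AdminOnly", "AnonymousSiteAccess", "LicensedOnly",
          "SystemAdminOnly", "UnlicensedSiteAccess", "UnrestrictedAccess"}
# JAX-RS verb annotations identify REST resource methods.
VERBS = {"GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS"}
ANNOT = re.compile(r"@(?:\w+\.)*(\w+)(?:\([^)]*\))?")
CLASS = re.compile(r"\bclass\s+\w+")
METHOD = re.compile(r"(\w+)\s*\(")

def unannotated_endpoints(java_source):
    """Return (line, method) for REST methods lacking an access annotation."""
    # Heuristic: assumes a class-level annotation covers the class's methods.
    findings, pending, class_covered = [], set(), False
    for lineno, raw in enumerate(java_source.splitlines(), 1):
        line = raw.split("//")[0].strip()
        if not line or line.startswith(("*", "/*")):
            continue  # blank line or comment
        pending.update(ANNOT.findall(line))
        rest = ANNOT.sub("", line).strip()
        if not rest:
            continue  # annotation-only line: keep collecting
        if CLASS.search(rest):
            class_covered = bool(pending & ACCESS)
        elif pending & VERBS:
            m = METHOD.search(rest)
            if m and not class_covered and not pending & ACCESS:
                findings.append((lineno, m.group(1)))
        pending = set()
    return findings

# Constructed sample resource, not taken from Bamboo or any real app.
SAMPLE = """\
@Path("/widgets")
public class WidgetResource {
    @GET
    @UnrestrictedAccess
    public Response ping() { return Response.ok().build(); }
    @DELETE
    @Path("{id}")
    public Response remove(@PathParam("id") long id) { return null; }
}
@AdminOnly
public class AdminResource {
    @POST
    public Response create(Widget w) { return null; }
}
"""
print(unannotated_endpoints(SAMPLE))  # [(8, 'remove')]
```

Each reported method should get an explicit annotation so the intended audience is a reviewed decision rather than the default.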

Dark theme

Status: IMPLEMENTED

Bamboo 10.0 features both dark and light themes to offer a modern visual experience.

To experiment with new themes, select your profile avatar on the upper right of the screen, and under Themes choose the needed option. Note that although the Original theme is currently accessible, there are intentions to phase it out in upcoming releases.

Additionally, the look and feel will not apply color choices to both themes. If your instance uses a custom header color, it will default to the light theme.

If your app incorporates visual elements, developers should check our guidelines for preparing your Data Center app for the dark theme, while designers should explore how to utilize tokens.

WebSudo support

Status: IMPLEMENTED

Bamboo 10.0 adds support for WebSudo to further protect admin pages against malicious access. This feature creates an extra layer of protection by prompting admins to re-enter their passwords to access administrative functions.

Apps can opt into WebSudo by adding the @WebSudoRequired annotation to REST APIs that require admin access. Similarly, servlets that require admin access should call WebSudoManager.enforceWebSudoProtection.

Explore more details on how to add WebSudo support to your app.

Struts security improvement

Status: IMPLEMENTED

Bamboo 10.0 removes support for the Struts Dynamic Method Invocation feature. This affected a few links that used to pass the method name as part of the URL in the format strutsAction!method.action. The most visible change is related to the userlogin!doDefault.action link, which was changed to userlogin.action.

Removal of JSP pages support

Status: IMPLEMENTED

JSP files no longer work with Bamboo 10.0. They won't be read and rendered anymore. This addresses potential RCE escalations.

Removal of Guava from public API

Status: IMPLEMENTED 

Guava usage has been removed from the public API across the bamboo-api and bamboo-core packages. The following new classes have been created to replace the functionality previously offered by the Guava API:

  • com.atlassian.bamboo.utils.collection.multimap.ImmutableListMultimap

  • com.atlassian.bamboo.utils.collection.multimap.ImmutableMultimap

  • com.atlassian.bamboo.utils.collection.multimap.ImmutableSetMultimap

  • com.atlassian.bamboo.utils.collection.multimap.LinkedSetMultimap

  • com.atlassian.bamboo.utils.collection.multimap.ListMultimap

  • com.atlassian.bamboo.utils.collection.multimap.Multimap

  • com.atlassian.bamboo.utils.collection.multimap.SetMultimap

  • com.atlassian.bamboo.utils.collection.multimap.TreeMultimap

  • com.atlassian.bamboo.utils.ByteSource

  • com.atlassian.bamboo.utils.Throwables

  • com.atlassian.bamboo.utils.Validations

The creation of the com.atlassian.bamboo.utils.Validations class aims to replace the static methods previously used from com.google.common.base.Preconditions.

Additionally, the changes include the replacements of com.google.common.base.Predicate with java.util.function.Predicate and com.google.common.base.Function with java.util.function.Function.

The class com.atlassian.bamboo.util.CallableResultCache has been marked as internal and can no longer be used by plugins.

With Guava API removal, atlassian-spring has been updated as well.
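A pre-upgrade source audit for the removals described in the Struts, JSP and Guava sections above, as an added example that is not part of Atlassian's tooling: it flags strutsAction!method.action links, .jsp files, imports of the three Guava base types named here, and use of CallableResultCache. The rule labels, function names and sample files are constructed for illustration.

```python
import re
from pathlib import Path

# Each rule pairs a label (made up for this example) with a pattern
# taken from a change described on this page.
RULES = [
    ("struts-dmi-link", re.compile(r"[\w.-]+![A-Za-z_]\w*\.action\b")),
    ("guava-base-type", re.compile(
        r"\bcom\.google\.common\.base\.(?:Preconditions|Predicate|Function)\b")),
    ("internal-class", re.compile(
        r"\bcom\.atlassian\.bamboo\.util\.CallableResultCache\b")),
]

def audit(files):
    """files maps path -> text; returns (path, line, label, match) tuples."""
    findings = []
    for path, text in sorted(files.items()):
        if path.lower().endswith(".jsp"):
            # JSP files are no longer read or rendered: flag the file itself.
            findings.append((path, 0, "jsp-file", path))
        for lineno, line in enumerate(text.splitlines(), 1):
            for label, rx in RULES:
                for m in rx.finditer(line):
                    findings.append((path, lineno, label, m.group(0)))
    return findings

def load_tree(root):
    """Read every file under root as text (undecodable bytes replaced)."""
    return {str(p.relative_to(root)): p.read_text(errors="replace")
            for p in Path(root).rglob("*") if p.is_file()}

# Constructed sample app tree, not taken from any real plugin.
SAMPLE_FILES = {
    "templates/login.ftl": '<a href="${base}/userlogin!doDefault.action">Log in</a>\n'
                           '<a href="${base}/userlogin.action">Log in</a>\n',
    "src/Foo.java": "import com.google.common.base.Predicate;\n"
                    "import java.util.function.Function;\n"
                    "import com.atlassian.bamboo.util.CallableResultCache;\n",
    "web/legacy.jsp": "<%@ page %>\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES):
        print(finding)
```

Run `audit(load_tree("path/to/app"))` against a real source tree; a hit is a prompt for review, since the patterns are textual and do not resolve Java types.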

Bundled atlassian-whitelist plugin 

Status: IMPLEMENTED 

The bundled atlassian-whitelist plugin now supports test connection for Git, GitHub, Bitbucket Server, and Bitbucket Cloud by validating remote URLs through its API.

Changes to supported platforms

See what changes are in store for the supported platforms in Bamboo. For more information about what the latest stable release of Bamboo supports, see Supported platforms.

End-of-support announcements

In this release, we’re removing support for Java 11 as both Bamboo DC Nodes and Agents require Java 17. Support for PostgreSQL 12 and Oracle 18c has been removed. Additionally, Perforce repositories are no longer supported. After upgrading to Bamboo 10.0, all plans using any Perforce repository will be disabled.

New supported platforms 

Bamboo 10.0 doesn’t introduce support for any new software platforms.

Known issues

There aren’t any known issues to report yet, but we’re keeping an eye out.

Implemented changes

In this section we'll provide details of changes we've implemented, organised by the milestone they are first available in. This will help you decide which milestone to use when testing.

EAP 2 – 26 July 2024

Milestone 10.0.0-rc5

Contains:

  • Removal of Guava from public API
  • Bundled atlassian-whitelist plugin 
  • Minor bug fixes

EAP 1 – 28 June 2024

Milestone 10.0.0-rc3

Contains:

  • Platform 7 upgrade
  • REST v2
  • Endpoint default security annotations
  • Dark theme
  • WebSudo support
  • Struts security improvement
  • Removal of JSP pages support
  • Minor bug fixes
Last modified on Jul 26, 2024
