Bamboo 11.0 EAP
This documentation is intended for third-party app vendors and people maintaining their own in-house apps who want to ensure that the apps are compatible with Bamboo 11.0. If you’d like to stay in the loop, check out the latest posts and discussions in the Atlassian Developer Community.
Quick info
Here’s some quick information about the latest Early Access Program (EAP) release:
Application | Release | Downloads |
---|---|---|
Bamboo Data Center | 11.0.0-rc4 | Download the EAP |
Summary of the changes
This is an overview of the changes that are going to become part of the upcoming release of Bamboo, so you can start thinking about how they might impact your apps.
Velocity template and allowlist security improvements
Status: IMPLEMENTED
We're taking steps towards verifiably secure installation directories for all Data Center products. These changes not only make it harder for an attacker to exploit filesystem access, but also allow customers to verify the state of the product installation.
From Bamboo 11.0, all Velocity files stored on the filesystem (for example, shared, local home, or any other) will need to be explicitly allowlisted and must be of a specific file type. Files stored inside .jar files and bundled within plugins will not be affected.
In addition, all method invocations within a Velocity template must be explicitly allowlisted. For more information, visit Configuring the Velocity method allowlist and Configuring the Velocity file and file type allowlist.
Migration to Apache Struts 6
Status: IMPLEMENTED
We’ve upgraded to Struts 6. Make sure you’re aware of the following changes:
Annotate getters with @StrutsParameter(depth=X) (dependency on struts-core lib)
Annotate setters with @StrutsParameter (dependency on struts-core lib)
The action method previously named doSomething must now be specified in full. Previously, the do prefix could be suppressed.
The method previously named getBamboo() has been renamed to getBambooContainer() to avoid warnings from Struts when .bamboo. is used in our templates.
OGNL Allowlist - Example from Confluence available at Struts Module
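The annotation changes above, shown on a small action class. This is an added example, not code from Bamboo or from Atlassian's documentation: the class, field and method names are hypothetical, and it assumes struts2-core 6.x on the classpath with the annotation in the org.apache.struts2.interceptor.parameter package.

```java
import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.interceptor.parameter.StrutsParameter;

// Hypothetical plugin action; all names here are illustrative.
public class EditNotificationAction extends ActionSupport {

    // Nested bean populated from parameters such as "recipient.email".
    public static class Recipient {
        private String email;
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
    }

    private String planKey;
    private final Recipient recipient = new Recipient();
    private boolean adminOverride; // internal state, not meant to come from the request

    // Setter that receives a top-level request parameter ("planKey=PROJ-PLAN").
    @StrutsParameter
    public void setPlanKey(String planKey) { this.planKey = planKey; }

    // Getter that Struts traverses to reach nested properties.
    // depth = 1 permits "recipient.email" and nothing deeper.
    @StrutsParameter(depth = 1)
    public Recipient getRecipient() { return recipient; }

    // Plain getters used only for rendering need no annotation.
    public String getPlanKey() { return planKey; }
    public boolean isAdminOverride() { return adminOverride; }

    // Deliberately not annotated: with annotation enforcement active (assumed here),
    // a request carrying "adminOverride=true" does not reach this setter.
    public void setAdminOverride(boolean adminOverride) { this.adminOverride = adminOverride; }

    // Action method referenced by its full name, "doSave", in the action mapping.
    public String doSave() {
        if (planKey == null || planKey.isBlank()) {
            addActionError("planKey is required");
            return INPUT;
        }
        return SUCCESS;
    }
}
```

Keep depth as low as the form actually needs: every extra level widens the set of object properties a request can write to.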
Your deployment projects and environments are cached now
Status: IMPLEMENTED
Bamboo 11 introduces application-level caching for deployment projects and environments to elevate your daily experience. This can be especially beneficial if you utilize them heavily or have many of them. Bamboo speeds up display times and optimizes resource usage by serving cached objects for user interface and background processing. We recommend that you keep this enabled, though you can disable it via the system property bamboo.deployment.cache.enabled.
Automatic offline agents management
Status: IMPLEMENTED
As an administrator, you can now configure policies for the automatic removal of offline agents. This feature helps free up agent names and keeps your instance data tidy and clean. Enabling this will enhance your agents' processing performance.
Bamboo uses the AWS SDK V2 now
Status: IMPLEMENTED
Bamboo AWS-related functionality, such as elastic agents and S3 artifact handlers, now uses AWS SDK V2, which replaced V1. This change was introduced to elevate your security and improve performance, and it should be invisible from the user's perspective.
CodeDeploy Task was removed
Status: IMPLEMENTED
After being deprecated for some time, the AWS CodeDeploy Task was finally removed from Bamboo due to compatibility and security concerns.
Legacy repositories API is removed
Status: IMPLEMENTED
Bamboo 11.0 has removed the legacy repositories API. This change finalizes the transition to the modern API introduced in Bamboo 5.14, which included a rebuilt repository subsystem, new plugin points, and web repository viewers. This update eliminates technical debt and ensures a more streamlined and efficient system. Check out the Bamboo API Changes for 5.14 for more details.
Quiet period removal
Status: IMPLEMENTED
The quiet period functionality has been removed due to performance issues. Consider using the Stop oldest builds strategy for concurrent builds as an alternative. Explore more: Configuring concurrent builds
Secure app installations with app signing
Status: IMPLEMENTED
To improve app security, we’re introducing a new feature that will restrict app installations to only those that are signed. This will help us to:
ensure that apps are either from Atlassian Marketplace or manually uploaded by trusted partners
prevent malicious actors from uploading harmful apps
App signing affects only new app installations; already installed apps will remain intact.
This feature will be gradually rolled out across Data Center products by mid-2025. For details, check out this community post.
In this release, app signing is disabled by default. The grace period will last until the next feature release of Universal Plugin Manager (UPM), after which app signing will be enabled by default.
Use the grace period to adapt your processes. The steps you need to take differ depending on whether you install applications from the Marketplace or build your custom applications.
Enable app signing and install from Marketplace
During the grace period, you can enable app signing at your convenience. To do so:
Enable app signing. For details, see Configuring UPM app signature check.
Download and install Certificate Authority (CA) from Atlassian. For details, see Updating Atlassian Certificate Bundles.
That’s it! Enjoy the safe app installations from Marketplace.
Install custom apps
If you use custom application builds, you can sign and secure your apps:
Enable app signing. For details, see Configuring UPM app signature check.
Get the app signature and verification certificate as described in Generating app signature and verification certificate using OpenSSL.
Put your new certificate in your Trust store as described in Updating Atlassian Certificate Bundles.
Install the signed application.
You can also install the app via the file system without using the app signing feature.
If you’re experiencing issues, check out app signing troubleshooting.
Updates to supported platforms
See what changes are in store for the supported platforms in Bamboo. For more information about what the latest stable release of Bamboo supports, see Supported platforms.
End-of-support announcements
In this release, we’re removing support for:
PostgreSQL 14
In this release, we’re deprecating support for:
PostgreSQL 15
SQL Server 2017
MySQL 8.0
New supported platforms
Bamboo 11.0 doesn’t introduce support for any new software platforms.
Known issues
We've identified an issue where HTML in authentication links to Atlassian Product applications is not escaped correctly.