6.x Release Notes
Check out what’s new for ScriptRunner for Bitbucket Server.
Repository Administrator Sandbox Escape Vulnerability
SRBITB-854 - A security vulnerability for escaping the repository administrator code sandbox has been fixed.
The vulnerability allowed a malicious repository administrator to run arbitrary code inside the instance.
This security vulnerability has been fixed in ScriptRunner for Bitbucket 6.5.2 (for Bitbucket Server 5.13+) and 6.9.2 (for Bitbucket Server 6+); it is recommended all customers upgrade to 6.5.2+ where possible.
Remote Code Execution Vulnerability
SRBITB-816 - A security vulnerability for Remote Code Execution has been fixed.
The vulnerability allowed a malicious authenticated user to run arbitrary code inside the instance without administrative permissions.
This security vulnerability has been fixed in ScriptRunner for Bitbucket 6.5.1 / 6.5.1-p5; it is recommended all customers upgrade to 6.5.1+ where possible.
SRPLAT-1213 - Test on Borrow should be the default for LDAP connections.
SRPLAT-1171 - The Confluence-specific scriptMacroMetadataProvider module no longer shows up in UPM for all ScriptRunner products.
SRBITB-770 - The upgrade tasks and subsequent startup tasks failed to run on JDK11.
SRBITB-747 - The auto-configure Delete Branch checkbox was broken on Bitbucket 7.3.
SRBITB-768 - The existing Require a Valid Jira Issue pre-hook configurations now respond to file edit triggers.
SRBITB-717 - The Valid Jira Issue hook now responds to file-edit triggers.
SRPLAT-1139 - Compilation failures in one script caused entire features to fail.
SRPLAT-1131 - You now have the ability to set all Hikari pool configuration parameters when using database connections.
SRPLAT-1094 - Autocompletion requests failed when requesting autocomplete after typing "Check."
SRBITB-741 - Mandatory reviewers were not being shown with the padlock picture.
SRBITB-729 - The Clone Repo script produced excessive project search requests when trying to generate its parameters.
SRPLAT-1119 - Classes in scriptrunner-API/SPI were no longer consumable by dependent plugins.
The version of Groovy used by ScriptRunner has been upgraded from 2.4.15 to 2.5.11.
Improvements and new features (like additional AST transformations, or the new tap() method) shipped in Groovy 2.5 are now available to ScriptRunner users.
See the Groovy 2.5 Release Notes for more information.
As with any dependency upgrade, breaking changes could potentially affect users' scripts. However, the breaking changes between Groovy 2.4 and 2.5 are relatively minor. The low-level nature of most of these breaking changes means they are unlikely to impact many ScriptRunner scripts, if any.
Take a look at the list of breaking changes in the Groovy 2.5 Release Notes for further details.
This version removes all support for the IntelliJ IDEA plugin. See our previous deprecation announcement for our rationale and plans for the future.
Deprecated Event Handler Removal
The previously deprecated Naming Standard Enforcement event handler has been removed along with its configuration in this release.
If you were previously using this event handler, you should migrate to the pre-receive hook of the same name. This hook blocks UI interactions in the same way that the event handler did.
Use Execution History to view up to two years of execution times and failure rates of ScriptRunner scripts in your instance, allowing a long-term view of script performance.
Using the extended history, observe if a script is getting slower over time, or if slow performance correlates with specific events (such as Bitbucket or app upgrades). Execution History provides long-term analytics allowing you to develop scripts and change execution timings, to keep your instance performing at an optimal level.
Previously, viewable executions included event handlers and scheduled jobs.
Viewable executions now include pre-hooks, post-hooks, event handlers, and merge checks.
See Execution History documentation here.
SRPLAT-1092 - There is now DocLink support for absolute URLs.
SRPLAT-1084 - The autocompletion window of the Script Console now closes correctly.
SRBITB-718 - Jira query validation prevented the issue keys hook from working if the invoking user lacked permissions.
SRBITB-684 - Require Valid Jira Issue merge check/pre-hook was updated to check Jira issue keys case insensitively.
SRBITB-691 - The BranchAndTagNamingRuleEnforcer event handler was removed.
SRBITB-633 - Auditing of built-in script execution was added.
SRBITB-731 - You are now allowed to configure event handlers to respond to any implementation of RepositoryRefsChangedEvent.