Even in high summer, we don’t fail in our duty to provide you with fresh new developments: smart commits for Tuleap Git, Git branches and Pull Requests creation from Artifacts, multiple level XLSX export of Tuleap Trackers… and even more. See what’s up in this Tuleap 13.11 release !

Smart commits for Tuleap Git

Smart commits shouldn’t be confused with good commit even if both refer to commit messages.

A smart commit, is a commit whose message is triggering an action on the behalf of the committer. These kind of commits are here to close Tuleap artifacts automatically.
It’s an option at git repository level that controls the behavior. Note that all new repositories will have the option enabled by default, whereas the existing ones will need to opt-in.

Configure Tuleap smart git commits
Configure Tuleap smart git commits

Then, using one of the recognized keywords (close, fix, etc) in a commit message that is integrated in the default branch of the repository will update the referenced artifact.

Commit message with keyword to close an issue
Commit message with keyword to close an issue
Comment that highlight the change of state
Comment that highlights the change of status

Note that the same feature exists for GitLab integration.

Create Git branches & pull requests from Artifacts

The goal of this feature is to ease the work of people working with feature branches and/or pull requests.

In the classical Git Flow, you are going to create an artifact that will correspond to something to do. For instance a high level story. Then, the very next move would be to create a branch that corresponds to this same story. And finally, once the feature is ready, create a pull request for that.

These 3 steps can be reduced to one. It’s now possible to create the branch – and optionally the pull request – directly from the story:

Create branch is a feature of the action menu
Branch creation is a feature of the action menu

In the associated modal, there is a bunch of defaults that can be adapted. Once you click, the branch is created and ready to be worked on.

A pull request can also be created; it’s a good way, associated to labels, to have a view of the ongoing work for a repository.

Branch creation options
Branch creation options

Note that the same feature exists for GitLab integration.

Multiple level XLSX export of Tuleap Trackers

It’s already possible to export any given tracker report as a CSV file. It’s very useful for offline work and data manipulation in spreadsheet tools. As links between artifact are more and more used it’s, however, a bit limited.

There is an increasing need to have a consolidated view of artifacts across trackers. For instance, you can have a Risk tracker. For each Risk you associate a Risk Mitigation (an artifact of another tracker) and this Risk Mitigation is, in turn, associated to a new Feature to develop. At this point, if you want a consolidated view of Risk / Risk Mitigations / Features, it’s when a cross tracker report comes in handy.

Configuration panel of cross tracker report
Configuration panel of cross tracker report

The configuration screen is a bit complex because it gives a very fine grain access to what you can export.

First, it works on multi projects and of course it enforces access control. Then you can select the kind of tracker (user stories, risks, bugs, etc) as well as the link types (Covered by for tests, Child, etc) you wish and finally you can even select a report.

This last part is very important because it will drive what you will actually obtain:

  • The columns of the report will be used as the columns of the final document
  • Search criteria apply, so it means that you can tailor your data exports as much as you need.
Generated XLSX document
Generated XLSX document

Note: this feature is provided by DocGen™ plugin that is part of Tuleap Enterprise Edition (TEE).

New authentication layer for Subversion

TL;DR: We made a big change on this area so it’s better to be aware to report if anything goes wrong.

If you are an end user and if we did our job well, you shouldn’t see any difference except, maybe, a small perf gain. If you are a system administrator and if we did our job well, you shouldn’t see any difference either 🙂

The nifty details

You might wonder why Tuleap doesn’t support MySQL 8.0 yet (ok maybe not you, maybe your sysadmin)?

Most of Tuleap code is already compatible with it, but some old and dark corners of this application were written a long time ago, in a far away galaxy named Perl. As it turns out, it’s not that easy to have perl-mysql libs to connect to MySQL 8.0 on rhel 7 and we don’t want to wait for rhel 8/9 for MySQL 8 support.

One of the most annoying parts of Tuleap that still relies on perl is named « Tuleap.pm » and it’s the apache module that deals with all the authentication part of Subversion access. It’s annoying because it’s tangled with the Subversion authorization system in Apache. Fortunately, we have find out that nginx is offering the possibility to offload the authentication part of an HTTP transaction. This gave us an idea: we can expose a route, only for Subversion authentication, that would re-use all the existing code that deals with users and projects.

Architecture of SVN authentication module
Architecture of the SVN authentication module

As a bonus point, we were able to also move the caching layer (that was done with redis) directly at nginx level. A quick benchmark showed us that it was 3 times more efficient as we went from ~500 requests per second with Tuleap.pm + redis cache to ~1500 requests per seconds with nginx auth + cache.

Bugs and requests

There were 56 bugs fixed and requests implemented during the 13.11 release cycle. Bugs and security fixes were already back-ported on Tuleap Enterprise builds. You will find below a detailed list of fixes. The most notable ones are in bold.


  • #27538 Fine grained permissions are not checked when creating a branch with REST API – CVE-2022-31128 – CVSSv3.1 score: 4.3 (Medium)


  • #27552 Add export of report columns as an XLSX spreadsheet
  • #27549 Stop using field names to build the tracker reports SQL queries
  • #27547 A field with a name containing a `-` character makes reports crash
  • #27532 Artifact modal can’t be be open if a non submitable target field is in field dependencies
  • #27183 Mass change can fail when there are rules on dates and user’s local is french
  • #27515 Issue in GraphOnTrackers
  • #27508 Pie and bar charts display invalid information
  • #27498 Tracker renderer widget should not be exported when renderer does not exist
  • #27500 Possible crash when updating an artifact without a status field
  • #27499 « Not found » error of the tracker renderer widget is not internationalized


  • #27530 Search results columns should be ordered alphabetically
  • #27526 Filename is not available in document search columns
  • #27551 Permission settings of the document service cannot be accessed when project is not active
  • #27527 Have full document title on hover in search results
  • #27520 Unable to delete a version
  • #27505 Wrong columns displayed in Document search

Program management

  • #27539 Unplan US only when feature is unplanned from program

Test management

  • #27501 Crash when opening Test Management with a campaign tracker without a « label » field


  • #27557 Git: 2.37.0 -> 2.37.1
  • #27525 Git: 2.36.0 -> 2.37.0
  • #27182 Git repository export is broken in project XML export
  • #27534 Syntax highlight Rust files in Git plugin web UI
  • #27533 No more able to select another GitLab integration in modal

Site wide

  • #27522 Crash when using `Switch to…` with a reference


  • #27545 `/projects/:id/3rd_party_integration_data` doesn’t exposes default references
  • #27174 REST endpoint /tracker_fields/:id/files should return a 200 on success

Site administration

  • #25344 Statistics from Docman appear as CVS in Site Admin Statistics
  • #27541 /robots.txt should be accessible even if the instance is not accessible to anonymous users

System administration

  • #27544 Official `mysql` Docker image has changed its defaults
  • #27502 Force reconnection to the DB after extracting the files during a project import
  • #27507 Rewrite `sha1collisiondetector` tool in Rust 🦀

Receive once a month the latest Tuleap updates