Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-25804

Whitelisted signature presets for Java standard APIs and Jenkins core APIs

XMLWordPrintable

      Administrators often approve signatures for fundamental methods.

      • Ones in Java APIs like String.parseInt
      • Ones in Jenkins core like Result#isBetterThan

      It's not useful that administrators have to approve all those methods.
      And plugins would be preferred to provide methods returning primitive types.

      I want whitelisted signature presets.

          [JENKINS-25804] Whitelisted signature presets for Java standard APIs and Jenkins core APIs

          ikedam added a comment -

          docwhat
          You're right.
          The mechanism to define whitelists are already available, and I'll create pull requests each time when I want to whitelist something.

          ikedam added a comment - docwhat You're right. The mechanism to define whitelists are already available, and I'll create pull requests each time when I want to whitelist something.

          Jesse Glick added a comment -

          I wanted this left open to track the task of proactively whitelisting a lot of things as a streamlined batch operation, rather than reactively whitelisting things people have bothered to complain about as relatively expensive one-off PRs.

          Admittedly it is a bit open-ended, but there are some plausible success criteria. For example, everything in java.lang and java.util (as of Java 7, say) that looks safe should be added.

          Jesse Glick added a comment - I wanted this left open to track the task of proactively whitelisting a lot of things as a streamlined batch operation, rather than reactively whitelisting things people have bothered to complain about as relatively expensive one-off PRs. Admittedly it is a bit open-ended, but there are some plausible success criteria. For example, everything in java.lang and java.util (as of Java 7, say) that looks safe should be added.

          Sorin Sbarnea added a comment -

          I also have a problem related to this, It seems that I need to add "hudson.plugins.git.GitSCM getBranches" because my jobs fail with this error:

          org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method hudson.plugins.git.GitSCM getBranches

          The big problem is that is currently impossible to approve these because this is never reaching the scriptApproval page, which also does not allow us to introduce free-form text.

          How to solve this?

          Sorin Sbarnea added a comment - I also have a problem related to this, It seems that I need to add "hudson.plugins.git.GitSCM getBranches" because my jobs fail with this error: org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method hudson.plugins.git.GitSCM getBranches The big problem is that is currently impossible to approve these because this is never reaching the scriptApproval page, which also does not allow us to introduce free-form text. How to solve this?

          Jesse Glick added a comment -

          Unrelated to this issue ssbarnea.

          Jesse Glick added a comment - Unrelated to this issue ssbarnea .

          Christopher Smith added a comment -

          Proposed addition: The entire Java 8 date-time API. I was trying to extract some basic job information and ran into a blocked LocalDate#getYear().

          Christopher Smith added a comment - Proposed addition: The entire Java 8 date-time API. I was trying to extract some basic job information and ran into a blocked LocalDate#getYear() .

          Mike Kobit added a comment -

          I was looking to add a bunch of Java 8 java.time but ran into test failures because the plugin seems to only support Java 7.

          > java.lang.AssertionError: method java.time.Instant adjustInto java.time.temporal.Temporal does not exist (or is an override)

          Any thoughts on how to support these?

          Mike Kobit added a comment - I was looking to add a bunch of Java 8 java.time but ran into test failures because the plugin seems to only support Java 7. > java.lang.AssertionError: method java.time.Instant adjustInto java.time.temporal.Temporal does not exist (or is an override) Any thoughts on how to support these?

          Jesse Glick added a comment -

          mkobit if you are referring to the https://jenkins.ci.cloudbees.com/job/plugins/job/script-security-plugin/ CI job, this was misconfigured, now fixed to run on JDK 8.

          Jesse Glick added a comment - mkobit if you are referring to the https://jenkins.ci.cloudbees.com/job/plugins/job/script-security-plugin/  CI job, this was misconfigured, now fixed to run on JDK 8.

          Mike Kobit added a comment -

          Awesome, thanks jglick! Going to take another pass at it and open a PR.

          Mike Kobit added a comment - Awesome, thanks jglick ! Going to take another pass at it and open a PR.

          Andrew Bayer added a comment -

          Closing this as won't fix - if you've got additional signatures you want added, open individual tickets for them.

          Andrew Bayer added a comment - Closing this as won't fix - if you've got additional signatures you want added, open individual tickets for them.

          Jesse Glick added a comment -

          abayer FWIW the idea was to proactively search for safe-looking methods in commonly used packages, rather than wait for failures to trickle in.

          Jesse Glick added a comment - abayer FWIW the idea was to proactively search for safe-looking methods in commonly used packages, rather than wait for failures to trickle in.

            Unassigned Unassigned
            ikedam ikedam
            Votes:
            11 Vote for this issue
            Watchers:
            16 Start watching this issue

              Created:
              Updated:
              Resolved: