
"Scripts not permitted to use method" in Jenkins Workflow

      Inlining the script https://github.com/arun-gupta/javaee7-docker-workflow/blob/master/Jenkinsfile in Jenkins workflow builds the project successfully. But referring to it as an SCM script gives the following error:

      First time build. Skipping changelog.
      Running: Allocate node : Start
      Running on master in /var/jenkins_home/jobs/hello2/workspace
      Running: Allocate node : Body : Start
      Running: Allocate node : Body : End
      Running: Allocate node : End
      Running: End of Workflow
      org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object
      at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:150)
      at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:77)
      at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:60)
      at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:103)
      at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:100)
      at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:15)
      at WorkflowScript.run(WorkflowScript:2)
      at Unknown.Unknown(Unknown)
      at __cps.transform__(Native Method)
      at com.cloudbees.groovy.cps.impl.ContinuationGroup.methodCall(ContinuationGroup.java:69)
      at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:106)
      at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixArg(FunctionCallBlock.java:79)
      at sun.reflect.GeneratedMethodAccessor193.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:497)
      at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
      at com.cloudbees.groovy.cps.impl.ConstantBlock.eval(ConstantBlock.java:21)
      at com.cloudbees.groovy.cps.Next.step(Next.java:58)
      at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:145)
      at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:19)
      at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:33)
      at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:30)
      at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:106)
      at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:30)
      at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:164)
      at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:271)
      at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$000(CpsThreadGroup.java:71)
      at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:180)
      at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:178)
      at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:47)
      at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:112)
      at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
      at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
      at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      at java.lang.Thread.run(Thread.java:745)
      Finished: FAILURE

          [JENKINS-30432] "Scripts not permitted to use method" in Jenkins Workflow

          Jesse Glick added a comment -

          Workflow 1.10 requires script-security 1.15 and will not work with the old version you have installed. I am not sure how you managed to get into that configuration, since Plugin Manager will force you to update script-security, but perhaps you hand-assembled your plugin list from Dockerfile and neglected to verify that plugin dependencies were satisfied.


          Jesse Glick added a comment -

          Basically yet another manifestation of JENKINS-21486.


          arungupta added a comment -

          <rant>Dependency resolution is really messy and needs to be cleaned up. I hope you don't expect developers to know each and every possible combination to work. If some combinations don't work, then an error should be thrown in the console, or a message be displayed.</rant>

          Can you help me create an exact list of plugins.txt? Or is this the only change required?

          A PR will be really useful.


          Jesse Glick added a comment -

          If some combinations don't work, then an error should be thrown in the console

          That is exactly what JENKINS-21486 proposes. Note that this only affects people constructing plugin sets from a config file; the UI already forces you to upgrade dependencies where required (except in a few corner cases).


          arungupta added a comment -

          For a Docker image, how would the list of plugins be created otherwise?


          Jesse Glick added a comment -

          Well, you would either use Support Core (plugins/active.txt is almost right—just strip off /:(not-)?pinned$/), or simply look at /pluginManager/installed if there are only a few plugins relevant to the image.
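
An added example (not part of the original thread, and not Jenkins project code) combining the two points above: it strips the `:(not-)?pinned$` suffix from a Support Core `plugins/active.txt` listing to produce `plugins.txt` entries, then checks each plugin's `Plugin-Dependencies` manifest value against the listed versions. The sample listing, the plugin names, the old script-security version and the manifest strings are constructed; only the script-security 1.15 requirement comes from the thread.

```python
import re

# Constructed sample of Support Core's plugins/active.txt (name:version:pin flag).
ACTIVE_TXT = """\
workflow-cps:1.10:not-pinned
script-security:1.13:pinned
git:2.4.0:not-pinned
"""

# Constructed Plugin-Dependencies values as they would appear in each plugin's
# MANIFEST.MF, keyed by short name. Only "script-security 1.15" is from the thread.
MANIFEST_DEPS = {
    "workflow-cps": "script-security:1.15,git:2.2.0;resolution:=optional",
    "script-security": "",
    "git": "",
}

def to_plugins_txt(active_txt):
    """Strip the trailing :pinned / :not-pinned flag from each active.txt line."""
    lines = (re.sub(r":(not-)?pinned$", "", l.strip()) for l in active_txt.splitlines())
    return [l for l in lines if l]

def version_key(v):
    """Numeric comparison of dotted versions; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.-]", v))

def parse_deps(header):
    """Yield (name, minimum_version, optional) from a Plugin-Dependencies value."""
    for item in filter(None, header.split(",")):
        spec, _, attrs = item.partition(";")
        name, _, minimum = spec.partition(":")
        yield name.strip(), minimum.strip(), "resolution:=optional" in attrs

def unsatisfied(plugins_txt, manifest_deps):
    """List dependencies that are too old, or required but not listed at all."""
    listed = dict(line.split(":", 1) for line in plugins_txt)
    problems = []
    for plugin in listed:
        for dep, minimum, optional in parse_deps(manifest_deps.get(plugin, "")):
            have = listed.get(dep)
            if have is None:
                if not optional:
                    problems.append(f"{plugin} needs {dep} >= {minimum}, not listed")
            elif version_key(have) < version_key(minimum):
                problems.append(f"{plugin} needs {dep} >= {minimum}, found {have}")
    return problems

if __name__ == "__main__":
    entries = to_plugins_txt(ACTIVE_TXT)
    print("\n".join(entries))
    for problem in unsatisfied(entries, MANIFEST_DEPS):
        print("UNSATISFIED:", problem)
```

Running a check like this during the image build makes an unsatisfied dependency fail the build instead of surfacing later as a sandbox error at job run time.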


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/RejectedAccessException.java
          src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/StaticWhitelist.java
          src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java
          src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/blacklist
          src/main/resources/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval/index.jelly
          src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/StaticWhitelistTest.java
          http://jenkins-ci.org/commit/script-security-plugin/7b524139efb32c54be946b5b3fbd6fe01c1abce5
          Log:
          JENKINS-30432 People should not blindly approve dangerous signatures like GroovyObject.invokeMethod.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/RejectedAccessException.java
          src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/StaticWhitelist.java
          src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java
          src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/blacklist
          src/main/resources/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval/index.jelly
          src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/StaticWhitelistTest.java
          http://jenkins-ci.org/commit/script-security-plugin/0632c7531fbe585c65b19dbdaf1999e4a9a3bb2c
          Log:
          Merge pull request #24 from jglick/dangerous-signatures

          JENKINS-30432 Warn about dangerous signatures

          Compare: https://github.com/jenkinsci/script-security-plugin/compare/b8b421f6836e...0632c7531fbe

          arungupta added a comment -

          Can you explain in simple language on how https://github.com/javaee-samples/docker-java/blob/master/attendees/cicd/jenkins/plugins.txt would evolve?

          Jesse Glick added a comment -

          Well, if when testing your image in a temporary container you find that (a) updates are available, and (b) you want to use them, then accept updates from the Jenkins UI and see if that works. If so, make the corresponding edits in the versioned file and verify that the resulting image behaves as expected. I do this routinely.

