JENKINS-30432: "Scripts not permitted to use method" in Jenkins Workflow

    Description

      Inlining the script https://github.com/arun-gupta/javaee7-docker-workflow/blob/master/Jenkinsfile in a Jenkins workflow builds the project successfully. But referring to it as an SCM script gives the following error:

      First time build. Skipping changelog.
      Running: Allocate node : Start
      Running on master in /var/jenkins_home/jobs/hello2/workspace
      Running: Allocate node : Body : Start
      Running: Allocate node : Body : End
      Running: Allocate node : End
      Running: End of Workflow
      org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object
      at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:150)
      at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:77)
      at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:60)
      at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:103)
      at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:100)
      at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:15)
      at WorkflowScript.run(WorkflowScript:2)
      at Unknown.Unknown(Unknown)
      at __cps.transform__(Native Method)
      at com.cloudbees.groovy.cps.impl.ContinuationGroup.methodCall(ContinuationGroup.java:69)
      at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:106)
      at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixArg(FunctionCallBlock.java:79)
      at sun.reflect.GeneratedMethodAccessor193.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:497)
      at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
      at com.cloudbees.groovy.cps.impl.ConstantBlock.eval(ConstantBlock.java:21)
      at com.cloudbees.groovy.cps.Next.step(Next.java:58)
      at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:145)
      at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:19)
      at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:33)
      at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:30)
      at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:106)
      at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:30)
      at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:164)
      at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:271)
      at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$000(CpsThreadGroup.java:71)
      at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:180)
      at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:178)
      at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:47)
      at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:112)
      at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
      at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
      at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      at java.lang.Thread.run(Thread.java:745)
      Finished: FAILURE

          Activity

            jglick Jesse Glick added a comment -

            Well, you would either use Support Core (plugins/active.txt is almost right—just strip off /:(not-)?pinned$/), or simply look at /pluginManager/installed if there are only a few plugins relevant to the image.

            Code changed in jenkins
            User: Jesse Glick
            Path:
            src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/RejectedAccessException.java
            src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/StaticWhitelist.java
            src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java
            src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/blacklist
            src/main/resources/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval/index.jelly
            src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/StaticWhitelistTest.java
            http://jenkins-ci.org/commit/script-security-plugin/7b524139efb32c54be946b5b3fbd6fe01c1abce5
            Log:
            JENKINS-30432 People should not blindly approve dangerous signatures like GroovyObject.invokeMethod.
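
The check this commit message argues for, sketched as an added example (not code from the script-security plugin): pull the refused signature out of a build log and audit already-approved signatures against a local deny list. The `scriptApproval.xml` layout (`approvedSignatures/string`), the deny-list contents beyond the one signature named in this issue, and all function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Local deny list in script-security signature syntax. It holds only the
# signature named in this issue; the plugin's own list is not reproduced here.
DENY = {
    "method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object",
}

REJECTED = re.compile(
    r"RejectedAccessException: Scripts not permitted to use (.+?)\s*$", re.M)

def rejected_signatures(build_log):
    """Signatures the sandbox refused, taken from a build log."""
    return REJECTED.findall(build_log)

def approved_signatures(script_approval_xml):
    """Signatures an administrator has already approved (assumed XML layout)."""
    root = ET.fromstring(script_approval_xml.strip())
    return [s.text for s in root.findall("./approvedSignatures/string") if s.text]

def dangerous(signatures):
    """Entries that match the deny list after whitespace normalization."""
    return sorted({" ".join(s.split()) for s in signatures} & DENY)

# Constructed sample input: one log line copied from the report above and a
# made-up scriptApproval.xml with one risky and one harmless approval.
BUILD_LOG = """Running: End of Workflow
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object
Finished: FAILURE
"""
SCRIPT_APPROVAL_XML = """
<scriptApproval>
  <approvedSignatures>
    <string>method java.lang.String trim</string>
    <string>method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object</string>
  </approvedSignatures>
</scriptApproval>
"""

if __name__ == "__main__":
    print("requested, refuse to approve:", dangerous(rejected_signatures(BUILD_LOG)))
    print("already approved, revoke:", dangerous(approved_signatures(SCRIPT_APPROVAL_XML)))
```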

            Code changed in jenkins
            User: Jesse Glick
            Path:
            src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/RejectedAccessException.java
            src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/StaticWhitelist.java
            src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java
            src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/blacklist
            src/main/resources/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval/index.jelly
            src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/StaticWhitelistTest.java
            http://jenkins-ci.org/commit/script-security-plugin/0632c7531fbe585c65b19dbdaf1999e4a9a3bb2c
            Log:
            Merge pull request #24 from jglick/dangerous-signatures

            JENKINS-30432 Warn about dangerous signatures

            Compare: https://github.com/jenkinsci/script-security-plugin/compare/b8b421f6836e...0632c7531fbe

            arungupta arungupta added a comment - Can you explain in simple language on how https://github.com/javaee-samples/docker-java/blob/master/attendees/cicd/jenkins/plugins.txt would evolve?
            jglick Jesse Glick added a comment -

            Well, if when testing your image in a temporary container you find that (a) updates are available, and (b) you want to use them, then accept updates from the Jenkins UI and see if that works. If so, make the corresponding edits in the versioned file and verify that the resulting image behaves as expected. I do this routinely.
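
The plugin-list workflow from the two comments above, as an added example that is not part of the original thread: strip the `:(not-)?pinned` suffix from Support Core's `plugins/active.txt` and list the edits needed in the versioned `plugins.txt`. The `name:version` line format, the function names, and the sample plugin versions are assumptions constructed for illustration.

```python
import re

# The suffix pattern quoted in the thread for plugins/active.txt lines.
PINNED_SUFFIX = re.compile(r":(not-)?pinned$")

def parse_plugins(text, strip_pinned=False):
    """Map plugin name -> version from name:version lines (assumed format)."""
    plugins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        if strip_pinned:
            line = PINNED_SUFFIX.sub("", line)
        name, _, version = line.partition(":")
        plugins[name] = version
    return plugins

def plugin_edits(active_txt, plugins_txt):
    """Edits that bring the versioned file in line with the tested container."""
    running = parse_plugins(active_txt, strip_pinned=True)
    versioned = parse_plugins(plugins_txt)
    edits = []
    for name in sorted(running.keys() | versioned.keys()):
        old, new = versioned.get(name), running.get(name)
        if old == new:
            continue
        if old is None:
            edits.append(("add", name, new))
        elif new is None:
            edits.append(("missing", name, old))  # listed but not active
        else:
            edits.append(("update", name, f"{old} -> {new}"))
    return edits

# Constructed sample input; plugin versions are made up.
ACTIVE_TXT = """script-security:1.15:not-pinned
workflow-aggregator:1.10:pinned
git:2.4.0:not-pinned
"""
PLUGINS_TXT = """# versioned plugin list baked into the image
script-security:1.14
workflow-aggregator:1.10
"""

if __name__ == "__main__":
    for edit in plugin_edits(ACTIVE_TXT, PLUGINS_TXT):
        print(*edit)
```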

            People

              jglick Jesse Glick
              arungupta arungupta