
RejectedAccessException: Scripts not permitted to use method hudson.plugins.git.GitSCM getBranches

    • Type: Improvement
    • Resolution: Fixed
    • Priority: Critical
    • git-plugin
    • None
    • jenkins instance configured with github organization plugin and github authorization too.
    • git plugin 4.1.0

      It seems that I get this exception which is NOT logged inside the script approver, which means there is no way to approve it.

      org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method hudson.plugins.git.GitSCM getBranches
      

      This happened with this pipeline https://github.com/pycontribs/powertape/blob/master/Jenkinsfile

       

      Now, the interesting thing is that if you configure this project in Jenkins using the pipeline type of job and setting the source as SCM, it will work.

      So this problem is specific to this way of configuring the jobs.

          [JENKINS-42860] RejectedAccessException: Scripts not permitted to use method hudson.plugins.git.GitSCM getBranches

          Albert V added a comment -

          Did you try to go to $JENKINS_URL/scriptApproval/ and look if you have some signatures pending to approve?
          I had this problem and I had to update this page to add 4 different signatures. 


          Mihai Stoichitescu added a comment -

          m4x1m0v3r This does not appear on `In-process Script Approval` unfortunately.

          Sorin Sbarnea added a comment -

          I have two Jenkins instances, and on one of them I have scriptApproval.xml in the Jenkins home directory and on the other one I don't have any such file or directory, even if the plugin is enabled and running.

          At least until these bugs are fixed, can we at least have a documented way to bypass these security measures?


          Greg Smith added a comment -

          We also got this error, with no way to approve, when following the instructions here:

          https://support.cloudbees.com/hc/en-us/articles/226122247-How-to-Customize-Checkout-for-Pipeline-Multibranch

          Basically, the documented example way in which you are supposed to customize a pipeline checkout does not work at the moment.  The docs at the above url mention you will need to approve the access in script approval, but we also did not find any means to approve / allow this customization.


          Greg Smith added a comment -

          For people that find this later, even though we were not automatically given the methods to approve in the script approval UI, adding these to our scriptApproval.xml file solved the problem:

              <string>method hudson.plugins.git.GitSCM getBranches</string>
              <string>method hudson.plugins.git.GitSCM getUserRemoteConfigs</string>
              <string>method hudson.plugins.git.GitSCMBackwardCompatibility getExtensions</string>


          Andres Montalban added a comment -

          Thanks gregcovertsmith I had the same issue with GIT plugin and adding the above lines helped me.

          Andrew Bayer added a comment -

          So this would need to be addressed by adding @Whitelisted annotations in the git plugin.


          Steph Gosling added a comment -

          gregcovertsmith amontalban any insight into exactly what your scriptApproval.xml files looked like would be greatly appreciated. As of current LTS builds and plugins today I cannot cajole Jenkins into behaving (simply to get tags from a GitHub repo


          Daryl Banttari added a comment -

          I was able to work around a similar issue using (in my Jenkins config scripts):

          def scriptApproval = org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval.get()
          scriptApproval.approveSignature('method hudson.plugins.git.BranchSpec getName')
          scriptApproval.approveSignature('method hudson.plugins.git.GitSCM getBranches')

          and now I can use "${scm.branches[0].name}" in my Jenkinsfile

          c.f. https://stackoverflow.com/questions/47925058/how-to-approve-script-snippets-from-a-jenkinsfile-via-the-groovy-script-console

          Would save a lot of grief for people if these methods were @Whitelisted

          Mark Waite added a comment -

          Fixed in git plugin 4.1.0, released Jan 18, 2020.

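Added example, not part of the original thread and not code from Jenkins or the git plugin: an offline audit of a scriptApproval.xml that finds the signatures commenters above approved by hand and, once the controller runs git plugin 4.1.0 or later, lists them for review, since an approved signature is available to every sandboxed script on that controller. Assumptions: the `<approvedSignatures>/<string>` layout, the sample file and the sample version strings are constructed, and treating the hand approvals as unnecessary after 4.1.0 is inferred from the thread rather than stated in it.

```python
import re
import xml.etree.ElementTree as ET

# Signatures that commenters in this thread approved by hand.
THREAD_SIGNATURES = {
    "method hudson.plugins.git.GitSCM getBranches",
    "method hudson.plugins.git.GitSCM getUserRemoteConfigs",
    "method hudson.plugins.git.GitSCMBackwardCompatibility getExtensions",
    "method hudson.plugins.git.BranchSpec getName",
}
FIXED_IN = (4, 1, 0)  # git plugin release the thread names as carrying the fix

# Constructed sample; the element layout is an assumption about the real file.
SAMPLE_XML = """<?xml version='1.1' encoding='UTF-8'?>
<scriptApproval plugin="script-security@X.Y">
  <approvedSignatures>
    <string>method hudson.plugins.git.GitSCM getBranches</string>
    <string>method hudson.plugins.git.GitSCM getUserRemoteConfigs</string>
    <string>method java.lang.String trim</string>
  </approvedSignatures>
</scriptApproval>
"""

def approved_signatures(xml_text):
    """Return the set of signatures listed under <approvedSignatures>."""
    # Drop the XML declaration so parsing does not depend on how the parser
    # treats the declared version or encoding.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text, count=1)
    entries = ET.fromstring(body).findall("./approvedSignatures/string")
    return {e.text.strip() for e in entries if e.text}

def audit(xml_text, git_plugin_version):
    """Classify approvals against the thread's list and the plugin version."""
    approved = approved_signatures(xml_text)
    # Pad short versions such as "4.1" so the tuple comparison is fair.
    parts = (git_plugin_version.split(".") + ["0", "0"])[:3]
    fixed = tuple(int(p) for p in parts) >= FIXED_IN
    from_thread = sorted(approved & THREAD_SIGNATURES)
    return {
        "review_for_removal": from_thread if fixed else [],
        "workaround_in_use": [] if fixed else from_thread,
        "not_approved": sorted(THREAD_SIGNATURES - approved),
        # Unrelated approvals still widen the sandbox for every script.
        "other_approvals": sorted(approved - THREAD_SIGNATURES),
    }

if __name__ == "__main__":
    for version in ("3.9.1", "4.1.0"):  # constructed version strings
        print(version, audit(SAMPLE_XML, version))
```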

            Assignee: Unassigned
            Reporter: Sorin Sbarnea (ssbarnea)