• Type: Bug
    • Resolution: Duplicate
    • Priority: Major
    • script-security-plugin
    • None
    • Master: Win 7 64-bit
      Node: Win 10 64-bit
      Jenkins 2.46.2 (LTS)
      Script Security Plugin v1.27
      Warnings Plugin 4.62

      The following signature is pending, but still approved:

      : method java.util.regex.MatchResult group int

      The first time, I approved it so that it showed up in the "Signatures already approved" list. The next day, the same signature was pending again. After I approved it a couple of times, I tried to use "Approve assuming permission check" instead. Afterward, the signature was listed in "Signatures already approved" and in "Signatures already approved assuming permission check". But every day, this signature is pending again. Some of my jobs which are using this signature are working correctly. Other jobs using this signature are not working correctly because the permission is denied.

        1. job.PNG (54 kB)
        2. parser.PNG (41 kB)
        3. Signature.PNG (41 kB)

          [JENKINS-44332] Already approved signature still pending

          Jesse Glick added a comment -

          Approve assuming permission check is certainly wrong for this method.

          As for the rest of it, not sure offhand. Possibly user error. Steps to reproduce from scratch?


          Nico Falk added a comment -

          Thanks for the response.

          Steps to reproduce:

          1) Install latest warnings plugin

          2) Go to "Manage Jenkins" -> "Configure System" -> "Compiler Warnings"

          3) Add parser as shown in attached screenshot (parser.PNG)

          4) Generate freestyle job and add a build step (here: Windows batch) and post build action as shown in attached screenshot (job.PNG)

          5) Run the job on master (therefore, you can select "Restrict where this project can be run" to "master" in the job configuration)

          6) It should work (probably you need to approve permissions) and you should see the following console output:
          [WARNINGS] Parsing warnings in files 'foo.txt' with parser Dummy Parser
          [WARNINGS] Searching for all files in C:\Program Files (x86)\Jenkins\workspace\TestWarnings that match the pattern foo.txt
          [WARNINGS] Parsing 1 file in C:\Program Files (x86)\Jenkins\workspace\TestWarnings
          [WARNINGS] Successfully parsed file C:\Program Files (x86)\Jenkins\workspace\TestWarnings\foo.txt with 1 unique warning and 0 duplicates.
          [WARNINGS] Computing warning deltas based on reference build #9
          Finished: SUCCESS
          7) Change "Restrict where this project can be run" to a node (yes, sorry, you need to have a node) and start the job again. Now, you always see a pending approval which was already approved. After approving, you can run the job again on the node and the signature needs approval again. The console output of the job is like:
          [WARNINGS] Parsing warnings in files 'foo.txt' with parser Dummy Parser
          [WARNINGS] Groovy sandbox rejected the parsing script for parser Dummy Parser: Scripts not permitted to use new hudson.plugins.warnings.parser.Warning java.lang.String int java.lang.String java.lang.String java.lang.String. You will need to manually approve the call in the Script Approval UI.
          [WARNINGS] Computing warning deltas based on reference build #8
          You see that parsing the script was rejected!

          Let me know if you need further information.

          Thanks again!

           

           

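A triage helper for the console output quoted in the steps above, added here as an example (it is not code from Jenkins, script-security or the warnings plugin): it extracts the signature the sandbox rejected and checks it against the signatures that were approved. The function names are hypothetical, the log lines are copied from step 7, and the approved set holds only the signature named in the issue description.

```python
import re

# Message format taken from the console output quoted in the comment above.
REJECTED = re.compile(
    r"Groovy sandbox rejected the parsing script for parser (?P<parser>.+?): "
    r"Scripts not permitted to use (?P<sig>.+?)\. You will need to manually approve"
)

def parse_signature(sig):
    """Split a signature string into kind, class, member and argument types."""
    parts = sig.split()
    kind, cls, rest = parts[0], parts[1], parts[2:]
    if kind == "new":                      # constructors carry no member name
        return {"kind": kind, "class": cls, "member": None, "args": rest}
    return {"kind": kind, "class": cls, "member": rest[0], "args": rest[1:]}

def triage(console_lines, approved):
    """Sort each rejected signature by whether it is in the approved set."""
    report = {"approved_but_rejected": [], "never_approved": []}
    for line in console_lines:
        m = REJECTED.search(line)
        if not m:
            continue
        sig = " ".join(m.group("sig").split())   # normalise whitespace
        entry = dict(parse_signature(sig), parser=m.group("parser"), raw=sig)
        key = "approved_but_rejected" if sig in approved else "never_approved"
        report[key].append(entry)
    return report

# Log lines copied from the node run in step 7 of the comment above.
SAMPLE_LOG = [
    "[WARNINGS] Parsing warnings in files 'foo.txt' with parser Dummy Parser",
    "[WARNINGS] Groovy sandbox rejected the parsing script for parser Dummy Parser: "
    "Scripts not permitted to use new hudson.plugins.warnings.parser.Warning "
    "java.lang.String int java.lang.String java.lang.String java.lang.String. "
    "You will need to manually approve the call in the Script Approval UI.",
    "[WARNINGS] Computing warning deltas based on reference build #8",
]
# Only the signature named in the issue description; a real approved list is longer.
APPROVED = {"method java.util.regex.MatchResult group int"}

if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_LOG, APPROVED).items():
        for e in entries:
            print(bucket, e["kind"], e["class"], e["args"])
```

On the page's own data, the call rejected on the node is the `new hudson.plugins.warnings.parser.Warning ...` constructor, which is a different signature from the `method java.util.regex.MatchResult group int` entry named in the description.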

          Jesse Glick added a comment -

          Possibly a bug in warnings.


          Ulli Hafner added a comment - - edited

          Hmm, I haven't looked deeper into this issue but from reading the steps to reproduce this, it looks like a bug in Jenkins remoting or script approval. The method the sandbox is complaining about is already whitelisted in my plug-in: https://github.com/jenkinsci/warnings-plugin/blob/master/src/main/resources/hudson/plugins/warnings/parser/groovy.whitelist

          jglick: Is this file (or data) not automatically passed to the slave when using the Groovy sandbox? Or is there something special I need to do in my plugin that the sandbox also works on slaves?


          Jesse Glick added a comment -

          Huh?? script-security applies to scripts run on the master only.


          Ulli Hafner added a comment -

          Are you kidding me? You let me spend several valuable days of my spare time to fix SECURITY-297 and SECURITY-405 and now you say that it was not required????


          Peter Wiseman added a comment -

          I'm experiencing these symptoms on Jenkins 2.73. I haven't attempted to reproduce, but I do get pending signatures reappearing some time after being approved. Not sure what's triggering it. I do have the Permissive Script Security Plugin installed and enabled.


          Ulli Hafner added a comment -

          The Jenkins version is irrelevant, did you upgrade the warnings plug-in?


          Peter Wiseman added a comment -

          All plugins are up to date with Jenkins 2.73. In particular, script-security-plugin is at 1.31, permissive-script-security-plugin is at 0.1.


          Ulli Hafner added a comment -

          Maybe there are some old objects flying around. Is the warnings plugin at 4.63?


            Assignee: Unassigned
            Reporter: Nico Falk (nify)