As a user of script security and especially pipeline code, it is frustrating to have to run code multiple times to identify all cases where methods need whitelisting. 

      Instead, I'd like to be able to run code ONCE in an "audit mode" that listens for script security violations and generates a list of methods that may be whitelist-approved to permit the script to run inside the sandbox.  Additionally, we should log the violations (either in the build log or to an audit file), and note any blacklist violations (which should not be eligible for whitelisting).

      Technical note: because the code is Turing Complete and in the case of Groovy the method dispatch is complex, it's impossible to identify all methods that might be invoked before running.  Thus this is likely the best we'd be able to do.

          [JENKINS-47392] Audit mode for script security execution

          Jesse Glick added a comment -

          An arguably more helpful enhancement, which I thought was already logged in script-security somewhere but maybe not, is to have a mode wherein a (non-blacklisted) violation, rather than immediately throwing RejectedAccessException, would instead print a POSTHyperlinkNote noting the method signature and (if you have RUN_SCRIPTS) allowing you to approve it then and there—and continue the build. (Or decline to do so, and abort the build.) The hard part is making the whitelist check blocking without screwing stuff up. I suspect SandboxContinuable could throw CpsCallableInvocation so that the CPS VM continues and the build simply pauses unless and until you approve.

          Sam Van Oort added a comment -

          jglick I think that's a more fleshed out and useful proposal – this one was rather open ended because I hadn't 100% decided what a version of this feature would look like. I think recording the method signature for approval gets you 90% there – although I'd debate on whether or not blocking is worth the effort to invest (for users, it may be a better experience to be able to approve en-masse once the script completes).

          The limitation for all these of course is that it won't cover all paths of the script – you'll only be covering the "happy path" so you might have to run a couple times in audit mode. 
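To make the proposed behaviour concrete, here is an added Python model of the audit-mode check described in the issue, together with the "happy path only" limitation raised in the comments. It is not code from the script-security plugin: the class and function names, the whitelist and blacklist contents, and the call traces are constructed for illustration, and the signature strings only mimic the plugin's approval-entry style.

```python
"""Model of an 'audit mode' for a sandbox whitelist check.

Added illustration; not the script-security plugin's code or API.
Whitelist, blacklist and call traces below are constructed samples.
"""
from dataclasses import dataclass, field


class RejectedAccessException(Exception):
    """Raised when the sandbox refuses a call (name borrowed from the issue text)."""


@dataclass
class SandboxAuditor:
    whitelist: frozenset
    blacklist: frozenset
    audit_mode: bool = False
    # Signatures that may be whitelist-approved (insertion-ordered, deduplicated).
    candidates: dict = field(default_factory=dict)
    # Every violation, as it would go to the build log or an audit file.
    log: list = field(default_factory=list)

    def check(self, signature: str) -> None:
        """Intercept one call. Blacklisted calls are rejected in every mode;
        unapproved calls are rejected in enforce mode and recorded in audit mode."""
        if signature in self.blacklist:
            # Never eligible for approval, so audit mode does not let it through.
            self.log.append(f"BLACKLIST {signature}")
            raise RejectedAccessException(signature)
        if signature in self.whitelist:
            return
        self.log.append(f"UNAPPROVED {signature}")
        if self.audit_mode:
            self.candidates.setdefault(signature, True)
            return
        raise RejectedAccessException(signature)

    def approval_candidates(self) -> list:
        return list(self.candidates)


# Constructed sample policy (not the plugin's shipped whitelist).
WHITELIST = frozenset({
    "method java.lang.String toUpperCase",
    "method java.lang.String length",
})
BLACKLIST = frozenset({
    "staticMethod java.lang.System exit int",
})

# Constructed stand-in for a script's happy path: one intercepted call per entry.
HAPPY_PATH = [
    "method java.lang.String toUpperCase",
    "method java.lang.String split java.lang.String",
    "new java.io.File java.lang.String",
    "method java.lang.String split java.lang.String",  # repeated, recorded once
]
# The error-handling branch is only reached on failure, so an audit run that
# follows the happy path never observes these calls.
ERROR_PATH = [
    "method java.io.File delete",
    "staticMethod java.lang.System exit int",
]


def run_script(calls, auditor):
    """Drive a call trace through the auditor.
    Returns (completed, executed): executed counts the calls that ran before
    the sandbox rejected one (all of them when completed is True)."""
    executed = 0
    for sig in calls:
        try:
            auditor.check(sig)
        except RejectedAccessException:
            return False, executed
        executed += 1
    return True, executed


if __name__ == "__main__":
    auditor = SandboxAuditor(WHITELIST, BLACKLIST, audit_mode=True)
    print("completed:", run_script(HAPPY_PATH, auditor))
    print("candidates for approval:", auditor.approval_candidates())
    print("log:", auditor.log)
```

The blacklist is consulted before the whitelist so that a blacklisted call aborts the run even in audit mode, which is the "not eligible for whitelisting" distinction the issue asks for; candidates are deduplicated so a loop calling the same method many times yields one approval entry. A second run down the error path produces a different candidate list, which is exactly why several audit runs may be needed.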

            Assignee: Unassigned
            Reporter: Sam Van Oort (svanoort)
            Votes: 5
            Watchers: 10