
NullPointerException in script-security-plugin 1.38

    • Bug
    • Resolution: Fixed
    • Blocker
    • script-security-plugin
    • Jenkins LTS 2.89.1 with all latest plugins including script-security-plugin 1.38 as of 12/11/2017 (RHEL 7.3 on both master and build agent)
    • Pipeline - December

      When running with the script-security-plugin 1.38 we get the following NullPointerException, which we don't get with any earlier version. I have been unable to localize any specific code in my Pipeline that causes the issue. The line that reports the exception (see brePipeline.groovy below, line 25) is the simple creation of a local variable that will be initialized later in the script, on "String settingsXml":

      Jenkinsfile:

       

      #!/usr/bin/env groovy
      @Library('GlobalPipelineLibrary@refactor')
      @Library('PipelineLibrary@refactor') _
          brePipeline {
          debug = 'true'
          runbvt = 'true'
          xlReleaseTestPath = 'https://github.standard.com/QA-Test-POC/P2P-Generic-Test-Automation-dev'
      }
      
      

       

      brePipeline.groovy (partial):

       

      #!/usr/bin/env groovy
      import com.standard.bre.jenkins.globalpipeline.DeployitManifest
      import com.standard.bre.jenkins.globalpipeline.ScmExtend
      import com.standard.bre.jenkins.pipeline.BuildEnv
      import com.standard.bre.jenkins.pipeline.Bvt
      import com.standard.bre.jenkins.pipeline.Config
      import com.standard.bre.jenkins.pipeline.GitUtils
      import com.standard.bre.jenkins.pipeline.MavenUtils
      import com.standard.bre.jenkins.pipeline.PackageScript
      import com.standard.bre.jenkins.pipeline.Release
      
      def call(Closure body = {}) {
      Map<String, String> config = new Config(this)(body)
      
      Boolean isDevelop = env.BRANCH_NAME ==~ env.REGEX_DEVELOP
      Boolean isReleaseCandidate = env.BRANCH_NAME ==~ env.REGEX_RELEASE
      Boolean isHotfix = env.BRANCH_NAME ==~ env.REGEX_HOTFIX
      Boolean isRelease = isReleaseCandidate || isHotfix && !(env.BUILD_NUMBER == '1')
      Boolean isReleaseCandidatePR = env.CHANGE_TARGET && env.CHANGE_TARGET ==~ env.REGEX_RELEASE
      Boolean isHotfixPR = env.CHANGE_TARGET && env.CHANGE_TARGET ==~ env.REGEX_HOTFIX
      
      echo "Hello World!"
      echo "$isDevelop"
      
      String settingsXml
      ...

      Log file:

       

      Started by user s002681_ep
      Replayed #1438
      Connecting to https://github.standard.com/api/v3 using svc_git/****** (github svc_git Personal Access Token (repo) Jenkins GitHub Organization Folder Scan)
      Obtained Jenkinsfile from 98952b793b2805cc94a564b4597e390ac1c63b49
      Loading library PipelineLibrary@refactor
      Attempting to resolve refactor from remote references...
       > git --version # timeout=10
      using GIT_ASKPASS to set credentials github svc_git Personal Access Token (repo) Jenkins GitHub Repository Access
       > git ls-remote -h -t https://github.standard.com/ITSD-BRE/PipelineLibrary.git # timeout=10
      Found match: refs/heads/refactor revision 67ca6d29ee7d6ecc8bec12076275d2e26f119e53
       > git rev-parse --is-inside-work-tree # timeout=10
      Fetching changes from the remote Git repository
       > git config remote.origin.url https://github.standard.com/ITSD-BRE/PipelineLibrary.git # timeout=10
      Fetching without tags
      Fetching upstream changes from https://github.standard.com/ITSD-BRE/PipelineLibrary.git
       > git --version # timeout=10
      using GIT_ASKPASS to set credentials github svc_git Personal Access Token (repo) Jenkins GitHub Repository Access
       > git fetch --no-tags --progress https://github.standard.com/ITSD-BRE/PipelineLibrary.git +refs/heads/*:refs/remotes/origin/*
      Checking out Revision 67ca6d29ee7d6ecc8bec12076275d2e26f119e53 (refactor)
       > git config core.sparsecheckout # timeout=10
       > git checkout -f 67ca6d29ee7d6ecc8bec12076275d2e26f119e53
      Commit message: "Upgrade wrapper to Gradle 4.3.1"
      Replacing contents of src/com/standard/bre/jenkins/pipeline/Release.groovy
      Replacing contents of src/com/standard/bre/jenkins/pipeline/GitUtils.groovy
      Replacing contents of src/com/standard/bre/jenkins/pipeline/PipelineScript.groovy
      Replacing contents of vars/breCloudPipeline.groovy
      Replacing contents of vars/mavenUtils.groovy
      Replacing contents of vars/xldeployPipeline.groovy
      Replacing contents of vars/jbossPipeline.groovy
      Replacing contents of vars/postDeploymentTestPipeline.groovy
      Replacing contents of vars/mavenUtilsTest.groovy
      Replacing contents of vars/clitoolPipeline.groovy
      Replacing contents of src/com/standard/bre/jenkins/pipeline/Bash.groovy
      Replacing contents of vars/jbossPipelineTest.groovy
      Replacing contents of src/com/standard/bre/jenkins/pipeline/PackageScript.groovy
      Replacing contents of vars/mergeMasterPipeline.groovy
      Replacing contents of vars/brePipelineTest.groovy
      Replacing contents of src/com/standard/bre/jenkins/pipeline/Bvt.groovy
      Replacing contents of vars/brePipeline.groovy
      Replacing contents of src/com/standard/bre/jenkins/pipeline/BuildEnv.groovy
      Replacing contents of src/com/standard/bre/jenkins/pipeline/MavenUtils.groovy
      Replacing contents of src/com/standard/bre/jenkins/pipeline/Config.groovy
      Loading library GlobalPipelineLibrary@refactor
      Attempting to resolve refactor from remote references...
       > git --version # timeout=10
      using GIT_ASKPASS to set credentials github svc_git Personal Access Token (repo) Jenkins GitHub Repository Access
       > git ls-remote -h -t https://github.standard.com/ITSD-BRE/GlobalPipelineLibrary.git # timeout=10
      Found match: refs/heads/refactor revision f39889240d2c0ddc5c043760e4b6ac0ac0c65f0a
       > git rev-parse --is-inside-work-tree # timeout=10
      Fetching changes from the remote Git repository
       > git config remote.origin.url https://github.standard.com/ITSD-BRE/GlobalPipelineLibrary.git # timeout=10
      Fetching without tags
      Fetching upstream changes from https://github.standard.com/ITSD-BRE/GlobalPipelineLibrary.git
       > git --version # timeout=10
      using GIT_ASKPASS to set credentials github svc_git Personal Access Token (repo) Jenkins GitHub Repository Access
       > git fetch --no-tags --progress https://github.standard.com/ITSD-BRE/GlobalPipelineLibrary.git +refs/heads/*:refs/remotes/origin/*
      Checking out Revision f39889240d2c0ddc5c043760e4b6ac0ac0c65f0a (refactor)
       > git config core.sparsecheckout # timeout=10
       > git checkout -f f39889240d2c0ddc5c043760e4b6ac0ac0c65f0a
      Commit message: "Update envVars to have the node overrides."
      [Pipeline] libraryResource
      [Pipeline] libraryResource
      [Pipeline] libraryResource
      [Pipeline] libraryResource
      [Pipeline] libraryResource
      [Pipeline] libraryResource
      [Pipeline] libraryResource
      [Pipeline] libraryResource
      [Pipeline] libraryResource
      [Pipeline] echo
      Hello World!
      [Pipeline] echo
      true
      [Pipeline] End of Pipeline
      
      GitHub has been notified of this commit’s build result
      
      [withMaven] pipelineGraphPublisher - triggerDownstreamPipelines
      [withMaven] Skip downstream job triggering for upstream build with ignored result status ITSD/BREJBOSSDeployTestDev/develop #1439: FAILURE
      java.lang.NullPointerException
      	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovyCallSiteSelector.isVarArgsMethod(GroovyCallSiteSelector.java:231)
      	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovyCallSiteSelector.findMatchingMethod(GroovyCallSiteSelector.java:200)
      	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovyCallSiteSelector.staticMethod(GroovyCallSiteSelector.java:193)
      	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onStaticCall(SandboxInterceptor.java:153)
      	at org.kohsuke.groovy.sandbox.impl.Checker$2.call(Checker.java:186)
      	at org.kohsuke.groovy.sandbox.impl.Checker.checkedStaticCall(Checker.java:190)
      	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:97)
      	at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:17)
      	at brePipeline.call(/opt/apps/jenkins/jobs/ITSD/jobs/BREJBOSSDeployTestDev/branches/develop/builds/1439/libs/PipelineLibrary/vars/brePipeline.groovy:25)
      	at WorkflowScript.run(WorkflowScript:4)
      	at ___cps.transform___(Native Method)
      	at com.cloudbees.groovy.cps.impl.ContinuationGroup.methodCall(ContinuationGroup.java:57)
      	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:109)
      	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixArg(FunctionCallBlock.java:82)
      	at sun.reflect.GeneratedMethodAccessor234.invoke(Unknown Source)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
      	at com.cloudbees.groovy.cps.impl.ConstantBlock.eval(ConstantBlock.java:21)
      	at com.cloudbees.groovy.cps.Next.step(Next.java:83)
      	at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:174)
      	at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:163)
      	at org.codehaus.groovy.runtime.GroovyCategorySupport$ThreadCategoryInfo.use(GroovyCategorySupport.java:122)
      	at org.codehaus.groovy.runtime.GroovyCategorySupport.use(GroovyCategorySupport.java:261)
      	at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:163)
      	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:19)
      	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:35)
      	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:32)
      	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:108)
      	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:32)
      	at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:174)
      	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:331)
      	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$100(CpsThreadGroup.java:82)
      	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:243)
      	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:231)
      	at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:64)
      	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      	at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:112)
      	at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
      	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
      	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:748)
      Finished: FAILURE
      

       

          [JENKINS-48501] NullPointerException in script-security-plugin 1.38

          Ulrich Lohrmann added a comment -

          I have recognized the same on my Jenkins installation.

          In my Pipeline script I use a shared Library "JenkinsHelper" and from that library a "withEMailNotification" script as shown in the following sample:

          @Library('JenkinsHelper')_

          node {
              ws("${env.RAD_WORKSPACE}/${env.JOB_BASE_NAME}") {

                  withEMailNotification ([
                      recipients: "${env.RECIPIENTS_BVS}"])
                  {
          ...

          The "withEMailNotification" script looks like

          import groovy.transform.Field

          @Field def recipients

          /**
            * Invocation of the step.
            */
          def call (Map p, Closure body) {
              try
              {
                  if ((null == recipients) || (recipients.length() == 0))
                  {
                      echo "Recipients from Member is null, take from params"
                      recipients = p['recipients']
                  }

                  // Invoke the sub-steps of the current step.
                  body()
              }
              catch (e)
              {
                  currentBuild.result = 'FAILED'
              }
              finally
              {

          ...

          This produced a stack trace on the Jenkins console

          Obtained MOKKA-Pipeline/Jenkinsfile from git /work/git-repositories/Jenkins.git
          Loading library JenkinsHelper@master
          Attempting to resolve master from remote references...
          > git --version # timeout=10
          > git ls-remote -h -t /work/git-repositories/JenkinsHelper.git # timeout=10
          Found match: refs/heads/master revision f38389c1e9971f1540779271cdc3e9c661634b0d
          > git rev-parse --is-inside-work-tree # timeout=10
          Fetching changes from the remote Git repository
          > git config remote.origin.url /work/git-repositories/JenkinsHelper.git # timeout=10
          Fetching without tags
          Fetching upstream changes from /work/git-repositories/JenkinsHelper.git
          > git --version # timeout=10
          > git fetch --no-tags --progress /work/git-repositories/JenkinsHelper.git +refs/heads/:refs/remotes/origin/
          Checking out Revision f38389c1e9971f1540779271cdc3e9c661634b0d (master)
          > git config core.sparsecheckout # timeout=10
          > git checkout -f f38389c1e9971f1540779271cdc3e9c661634b0d
          Commit message: "Fix Behandlung allowEmptyResults als Boolean."
          > git rev-list f38389c1e9971f1540779271cdc3e9c661634b0d # timeout=10
          [Pipeline] node
          Running on Jenkins in /home/qthuin1/.jenkins/jobs/MOKKA-Pipeline-HCE/workspace
          [Pipeline] {
          [Pipeline] ws
          Running in /home/qthuin1/rad_workspace/MOKKA-Pipeline-HCE
          [Pipeline] {
          [Pipeline] }
          [Pipeline] // ws
          [Pipeline] }
          [Pipeline] // node
          [Pipeline] End of Pipeline
          java.lang.NullPointerException
          at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovyCallSiteSelector.isVarArgsMethod(GroovyCallSiteSelector.java:231)
          at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovyCallSiteSelector.findMatchingMethod(GroovyCallSiteSelector.java:200)
          at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovyCallSiteSelector.staticMethod(GroovyCallSiteSelector.java:193)
          at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onStaticCall(SandboxInterceptor.java:153)
          at org.kohsuke.groovy.sandbox.impl.Checker$2.call(Checker.java:186)
          at org.kohsuke.groovy.sandbox.impl.Checker.checkedStaticCall(Checker.java:190)
          at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:97)
          at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:17)

          Andrew Bayer added a comment -

          Well, this is nasty. Something as trivial as just String foo as the entire Pipeline script blows up. Digging now.


          Andrew Bayer added a comment -

          Also, this is only happening in Pipelines, not any other script security context...


          Andrew Bayer added a comment -

          Specific problem was when a method that takes an array as its last argument is called passing in varargs for the array, with at least one of the vararg parameters as null.

          Anyway - https://github.com/jenkinsci/script-security-plugin/pull/173, and https://github.com/jenkinsci/workflow-cps-plugin/pull/193 verifying it downstream as well.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Andrew Bayer
          Path:
          src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovyCallSiteSelector.java
          src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptorTest.java
          http://jenkins-ci.org/commit/script-security-plugin/1e7155787f9c59bb66d7bd2f7bee788f98adc706
          Log:
          [FIXED JENKINS-48501] Null-safety in varargs->array check

          Added some more null checks in the vicinity just to be safe, but the
          main thing here is that we needed to avoid an NPE and treat a null
          arg as if it were of the target method's trailing array parameter's
          component type, since, well, null is every type.
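
          The failure mode and the fix described in the two comments above, as an added Java example that is not the plugin's code: a simplified varargs-to-array match where the unsafe variant dereferences every trailing argument and the null-safe variant treats a null argument as matching the array's component type. The class, its method names and the `tag` target are hypothetical, and only reference component types are handled.

```java
import java.lang.reflect.Array;
import java.lang.reflect.Method;

// Illustrative sketch only: not GroovyCallSiteSelector. All names here are hypothetical.
public class VarArgsNullCheck {

    // Constructed target whose last parameter is an array (String... is String[]).
    static String tag(String label, String... parts) {
        return label + ":" + parts.length;
    }

    // Null-unsafe check: can the trailing args be packed into the last array parameter?
    static boolean canPackUnsafe(Class<?>[] params, Object[] args) {
        int fixed = params.length - 1;
        if (fixed < 0 || !params[fixed].isArray() || args.length < fixed) return false;
        Class<?> component = params[fixed].getComponentType();
        for (int i = fixed; i < args.length; i++) {
            // args[i].getClass() throws NullPointerException for a null vararg.
            if (!component.isAssignableFrom(args[i].getClass())) return false;
        }
        return true;
    }

    // Null-safe check: a null arg is treated as being of the component type.
    // Primitive component types are out of scope for this sketch.
    static boolean canPackSafe(Class<?>[] params, Object[] args) {
        if (params == null || args == null) return false;
        int fixed = params.length - 1;
        if (fixed < 0 || !params[fixed].isArray() || args.length < fixed) return false;
        Class<?> component = params[fixed].getComponentType();
        for (int i = fixed; i < args.length; i++) {
            if (args[i] == null) continue; // null is assignable to any reference type
            if (!component.isAssignableFrom(args[i].getClass())) return false;
        }
        return true;
    }

    // Packs the trailing args into an array of the parameter's component type.
    static Object[] pack(Class<?>[] params, Object[] args) {
        int fixed = params.length - 1;
        int n = args.length - fixed;
        Object array = Array.newInstance(params[fixed].getComponentType(), n);
        System.arraycopy(args, fixed, array, 0, n);
        Object[] packed = new Object[params.length];
        System.arraycopy(args, 0, packed, 0, fixed);
        packed[fixed] = array;
        return packed;
    }

    public static void main(String[] unused) throws Exception {
        Method m = VarArgsNullCheck.class.getDeclaredMethod("tag", String.class, String[].class);
        Class<?>[] params = m.getParameterTypes();
        Object[] withNull = {"build", "a", null}; // constructed call arguments

        try {
            canPackUnsafe(params, withNull);
        } catch (NullPointerException e) {
            System.out.println("unsafe check: NullPointerException on null vararg");
        }
        if (canPackSafe(params, withNull)) {
            System.out.println("safe check matched, result: " + m.invoke(null, pack(params, withNull)));
        }
        System.out.println("wrong type rejected: " + !canPackSafe(params, new Object[] {"build", 42}));
    }
}
```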

          Andrew Bayer added a comment -

          Releasing fix as script-security 1.39 right now. Sorry for the regression!


            abayer Andrew Bayer
            flstaats Frederick Staats