Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-48983

Artifactory Plugin is affected by JEP-200 in Jenkins 2.102+

      got the following error while deploy artifact in a freestyle job using generic-artifactory integration.
      ERROR: Rejected: org.jfrog.build.api.Artifact
      java.lang.SecurityException: Rejected: org.jfrog.build.api.Artifact
      at hudson.remoting.ClassFilter.check(ClassFilter.java:75)
      at hudson.remoting.MultiClassLoaderSerializer$Input.resolveClass(MultiClassLoaderSerializer.java:129)
      at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1863)
      at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1746)
      at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2037)
      at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1568)
      at java.io.ObjectInputStream.readObject(ObjectInputStream.java:428)
      at java.util.ArrayList.readObject(ArrayList.java:797)
      at sun.reflect.GeneratedMethodAccessor18.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:498)
      at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1158)
      at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2173)
      at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2064)
      at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1568)
      at java.io.ObjectInputStream.readObject(ObjectInputStream.java:428)
      at hudson.remoting.UserRequest.deserialize(UserRequest.java:277)
      at hudson.remoting.UserResponse.retrieve(UserRequest.java:310)
      at hudson.remoting.Channel.call(Channel.java:909)
      at hudson.FilePath.act(FilePath.java:998)
      at hudson.FilePath.act(FilePath.java:987)
      at org.jfrog.hudson.generic.GenericArtifactsDeployer.deploy(GenericArtifactsDeployer.java:76)
      at org.jfrog.hudson.generic.ArtifactoryGenericConfigurator$1.tearDown(ArtifactoryGenericConfigurator.java:401)
      at hudson.model.Build$BuildExecution.doRun(Build.java:174)
      at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:504)
      at hudson.model.Run.execute(Run.java:1727)
      at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
      at hudson.model.ResourceController.execute(ResourceController.java:97)
      at hudson.model.Executor.run(Executor.java:429)

          [JENKINS-48983] Artifactory Plugin is affected by JEP-200 in Jenkins 2.102+

          Jesse Glick added a comment -

          cdenneen no, I mean deploy your artifacts to Artifactory using plain Maven commands rather than going through the plugin.

          Jesse Glick added a comment - cdenneen no, I mean deploy your artifacts to Artifactory using plain Maven commands rather than going through the plugin.

          Chris Denneen added a comment -

          jglick yeah we aren't doing maven builds. We use the artifactory plugin to upload and download array of assets to jobs... ranging from rpm builds to simple text files. So not sure mvn deploy will work for non-Maven repositories.

           

          Chris Denneen added a comment - jglick yeah we aren't doing maven builds. We use the artifactory plugin to upload and download array of assets to jobs... ranging from rpm builds to simple text files. So not sure mvn deploy will work for non-Maven repositories.  

          Jesse Glick added a comment -

          cdenneen well, I was using mvn deploy as an example only. Presumably there is some documented REST API for uploading and downloading artifacts in general repository formats, which you could invoke from curl or the like, given suitable withCredentials.

          Jesse Glick added a comment - cdenneen well, I was using mvn deploy as an example only. Presumably there is some documented REST API for uploading and downloading artifacts in general repository formats, which you could invoke from curl or the like, given suitable withCredentials .

          Oleg Nenashev added a comment -

          cdenneen if you are a JFrog customer, submit a ticket to them. I have submitted my one, but more tickets would raise the priority I'd guess

          Oleg Nenashev added a comment - cdenneen if you are a JFrog customer, submit a ticket to them. I have submitted my one, but more tickets would raise the priority I'd guess

          Chris Denneen added a comment -

          oleg_nenashev We are but a PRO customer which doesn't have "support". So best I could do is open issue on their public board. Hopefully your ticket will get some traction.

          Until then does the snapshot of the plugin work or the sysconfig changes work for now as work around enough?

          Chris Denneen added a comment - oleg_nenashev We are but a PRO customer which doesn't have "support". So best I could do is open issue on their public board. Hopefully your ticket will get some traction. Until then does the snapshot of the plugin work or the sysconfig changes work for now as work around enough?

          Oleg Nenashev added a comment - - edited

          cdenneen the Snapshot will work in some case, e.g. Maven publishing.
          I cannot guarantee stability of other case (most likely "no"), but I am happy to update the pull request according to the feedback.

          The plugin has no tests, and JEP-200 maintainers have no time to setup a test environment for every case

          Oleg Nenashev added a comment - - edited cdenneen the Snapshot will work in some case, e.g. Maven publishing. I cannot guarantee stability of other case (most likely "no"), but I am happy to update the pull request according to the feedback. The plugin has no tests, and JEP-200 maintainers have no time to setup a test environment for every case

          Chris Denneen added a comment -

          oleg_nenashev looks like 2.104 might have added the whitelists?

          Any idea what could be causing this?

          java.lang.SecurityException: Rejected: org.jfrog.build.api.Dependency

          Chris Denneen added a comment - oleg_nenashev looks like 2.104 might have added the whitelists? Any idea what could be causing this? java.lang.SecurityException: Rejected: org.jfrog.build.api.Dependency

          Oleg Nenashev added a comment -

          > looks like 2.104 might have added the whitelists?

          It has added only few basic types which impact the plugin, but not the 3rd-party libraries.
          So the patch on the core's side is not going to resolve the issue

          Oleg Nenashev added a comment - > looks like 2.104 might have added the whitelists? It has added only few basic types which impact the plugin, but not the 3rd-party libraries. So the patch on the core's side is not going to resolve the issue

          Ajit Surana added a comment -

          Is this JIRA resolved? I'm facing the same issue.

          I'm trying to use the command -Djenkins.security.ClassFilterImpl.SUPPRESS_WHITELIST=true but don't know how to use it. It would be helpful if you provide the resolution or workaround step in little more detail.

          Ajit Surana added a comment - Is this JIRA resolved? I'm facing the same issue. I'm trying to use the command -Djenkins.security.ClassFilterImpl.SUPPRESS_WHITELIST=true but don't know how to use it. It would be helpful if you provide the resolution or workaround step in little more detail.

          Oleg Nenashev added a comment -

          The fix has been finally released in 2.15.0

          Oleg Nenashev added a comment - The fix has been finally released in 2.15.0

            oleg_nenashev Oleg Nenashev
            maksonlee Makson Lee
            Votes:
            14 Vote for this issue
            Watchers:
            20 Start watching this issue

              Created:
              Updated:
              Resolved: