• Bug
    • Resolution: Fixed
    • Minor
    • analysis-core-plugin, core
    • Jenkins Android Lint Plugin version: 2.5
      Debian Linux Jessie
      Jenkins 2.102 (Linux Master - Linux Slave/OSX Slave)

      Jenkins build fails after upgrading Jenkins to 2.102.

      Error from log:

      [android-lint] Collecting Android Lint files...
      ERROR: Build step failed with exception
      java.lang.SecurityException: Rejected: com.google.common.collect.AbstractMultimap
      	at hudson.remoting.ClassFilter.check(ClassFilter.java:75)
      	at hudson.remoting.MultiClassLoaderSerializer$Input.resolveClass(MultiClassLoaderSerializer.java:129)
      	at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1613)
      	at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1518)
      	at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1623)
      	at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1518)
      	at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1623)
      	at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1518)
      	at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1774)
      	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1351)
      	at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2000)
      	at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1924)
      	at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1801)
      	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1351)
      	at java.io.ObjectInputStream.readObject(ObjectInputStream.java:371)
      	at hudson.remoting.UserRequest.deserialize(UserRequest.java:277)
      	at hudson.remoting.UserResponse.retrieve(UserRequest.java:310)
      	at hudson.remoting.Channel.call(Channel.java:909)
      	at hudson.FilePath.act(FilePath.java:998)
      	at hudson.FilePath.act(FilePath.java:987)
      	at org.jenkinsci.plugins.android_lint.LintPublisher.perform(LintPublisher.java:126)
      	at hudson.plugins.analysis.core.HealthAwarePublisher.perform(HealthAwarePublisher.java:69)
      	at hudson.plugins.analysis.core.HealthAwareRecorder.perform(HealthAwareRecorder.java:298)
      	at hudson.tasks.BuildStepCompatibilityLayer.perform(BuildStepCompatibilityLayer.java:81)
      	at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
      	at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:744)
      	at hudson.model.AbstractBuild$AbstractBuildExecution.performAllBuildSteps(AbstractBuild.java:690)
      	at hudson.model.Build$BuildExecution.post2(Build.java:186)
      	at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:635)
      	at hudson.model.Run.execute(Run.java:1752)
      	at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
      	at hudson.model.ResourceController.execute(ResourceController.java:97)
      	at hudson.model.Executor.run(Executor.java:429)
      Build step 'Publish Android Lint results' marked build as failure
      

      Adding -Dhudson.remoting.ClassFilter=com.google.common.collect.AbstractMultimap to the JVM args didn't fix the issue, as was suggested on https://jenkins.io/blog/2018/01/13/jep-200/

       

      From the jenkins.log:

      Jan 18, 2018 11:16:59 AM jenkins.security.ClassFilterImpl lambda$isBlacklisted$1
      WARNING: com.google.common.collect.AbstractMultimap in file:/var/cache/jenkins/war/WEB-INF/lib/guava-11.0.1.jar might be dangerous, so rejecting; see https://jenkins.io/redirect/class-filter/

          [JENKINS-49016] Android-lint plugin affected by JEP in 2.102

          Oleg Nenashev added a comment -

          This particular issue will be solved by https://github.com/jenkinsci/jenkins/pull/3241 in the core (ETA: Sunday)
          A workaround should work though, could you please provide a command sample you're running?


          Oleg Nenashev added a comment -

          https://github.com/jenkinsci/android-lint-plugin is based on Analysis POM, so I cannot run PCT against it directly.
          It would require manual update and tests.


          Walter den Besten added a comment -

          Regarding the workaround, I added the suggested parameter in the wrong place:

          /usr/bin/daemon --name=jenkins --inherit --env=JENKINS_HOME=/var/lib/jenkins --output=/var/log/jenkins/jenkins.log --pidfile=/var/run/jenkins/jenkins.pid -- /usr/bin/java -Djava.awt.headless=true -Djenkins.CLI.disabled=true -jar /usr/share/jenkins/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=8080 -Dhudson.remoting.ClassFilter=com.google.common.collect.AbstractMultimap

          After adding it in the correct place, as JAVA_ARG, not JENKINS_ARG, resulting in the following command, it works correctly:

          /usr/bin/daemon --name=jenkins --inherit --env=JENKINS_HOME=/var/lib/jenkins --output=/var/log/jenkins/jenkins.log --pidfile=/var/run/jenkins/jenkins.pid -- /usr/bin/java -Djava.awt.headless=true -Djenkins.CLI.disabled=true -Dhudson.remoting.ClassFilter=com.google.common.collect.AbstractMultimap -jar /usr/share/jenkins/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=8080

          Oleg Nenashev added a comment -

          From what I see this issue potentially affects all plugins using ParserResult from Analysis Core plugin.
          ParserResult includes "fileNameCache" field which is HashMultimap. It is whitelisted in the core, so maybe I am wrong (there is extra processing for abstract classes). Need to reproduce that in tests.

          Unfortunately for Remoting we do not get info which particular field is rejected. Maybe it is something to improve jglick


          Jesse Glick added a comment -

           for Remoting we do not get info which particular field is rejected. Maybe it is something to improve

          I see no way to improve it. ObjectInputStreamEx.resolveClass is not offered any further information. We could override some other method to capture context, but I do not see any—AFAICT this is ultimately called in a loop from GetFieldImpl.readFields which does not call any protected methods. Maybe there is some more complicated trick. Or you can just reproduce the problem in a debugger and inspect private state.


          Oleg Nenashev added a comment -

          I have created https://github.com/jenkinsci/android-lint-plugin/pull/12 . Should be superseded by the core update though


          Jesse Glick added a comment -

          The field in question is ParserResult.fileNameCache. That is in analysis-core and so presumably the issue would affect any Analysis plugin. I will file a workaround PR in that plugin. The core patch would also solve it, I think.
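
The rejection discussed in the comments above, reproduced with the JDK alone as an added example (not code from Jenkins, Remoting or any plugin). Base, Impl and Holder are constructed stand-ins for AbstractMultimap, HashMultimap and ParserResult, and FilteringInput is a hypothetical allowlisting stream; Set.of needs Java 9 or later. It shows that allowing only the concrete class still fails on its serializable abstract superclass, and that resolveClass is handed a class descriptor with no field name:

```java
import java.io.*;
import java.util.Set;

public class ClassFilterDemo {
    // Constructed stand-ins for the hierarchy in the trace:
    // Base plays AbstractMultimap, Impl plays HashMultimap, Holder plays ParserResult.
    static abstract class Base implements Serializable { int size = 1; }
    static class Impl extends Base { String name = "cache"; }
    static class Holder implements Serializable { Base fileNameCache = new Impl(); }

    // Hypothetical allowlisting stream: resolveClass() receives only a class
    // descriptor, never the name of the field that is being populated.
    static class FilteringInput extends ObjectInputStream {
        private final Set<String> allowed;
        FilteringInput(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new SecurityException("Rejected: " + desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    static String tryRead(byte[] data, Set<String> allowed) throws Exception {
        try (ObjectInputStream in = new FilteringInput(new ByteArrayInputStream(data), allowed)) {
            return "OK: " + in.readObject().getClass().getSimpleName();
        } catch (SecurityException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new Holder());
        }
        String p = ClassFilterDemo.class.getName() + "$";
        // Concrete class allowed, serializable abstract superclass forgotten.
        System.out.println(tryRead(buf.toByteArray(), Set.of(p + "Holder", p + "Impl")));
        // Superclass descriptor allowed as well.
        System.out.println(tryRead(buf.toByteArray(), Set.of(p + "Holder", p + "Impl", p + "Base")));
    }
}
```

The first read stops at the superclass descriptor of the nested object, which matches the repeated readNonProxyDesc/readClassDesc frames in the reported trace; the exception message carries the class name only.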


          Oleg Nenashev added a comment -

          I have an idea how to add diagnostics for Remoting. Will try it next week if time allows


          Oleg Nenashev added a comment -

          Fixed by JENKINS-49000 in the Jenkins core. Please update to Jenkins 2.103


            jglick Jesse Glick
            walterngti Walter den Besten