-
Bug
-
Resolution: Fixed
-
Minor
-
Jenkins Android Lint Plugin version: 2.5
Debian Linux Jessie
Jenkins 2.102 (Linux Master - Linux Slave/OSX Slave)
Jenkins build fails after upgrading jenkins to 2.102.
Error from log:
[android-lint] Collecting Android Lint files... ERROR: Build step failed with exception java.lang.SecurityException: Rejected: com.google.common.collect.AbstractMultimap at hudson.remoting.ClassFilter.check(ClassFilter.java:75) at hudson.remoting.MultiClassLoaderSerializer$Input.resolveClass(MultiClassLoaderSerializer.java:129) at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1613) at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1518) at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1623) at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1518) at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1623) at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1518) at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1774) at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1351) at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2000) at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1924) at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1801) at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1351) at java.io.ObjectInputStream.readObject(ObjectInputStream.java:371) at hudson.remoting.UserRequest.deserialize(UserRequest.java:277) at hudson.remoting.UserResponse.retrieve(UserRequest.java:310) at hudson.remoting.Channel.call(Channel.java:909) at hudson.FilePath.act(FilePath.java:998) at hudson.FilePath.act(FilePath.java:987) at org.jenkinsci.plugins.android_lint.LintPublisher.perform(LintPublisher.java:126) at hudson.plugins.analysis.core.HealthAwarePublisher.perform(HealthAwarePublisher.java:69) at hudson.plugins.analysis.core.HealthAwareRecorder.perform(HealthAwareRecorder.java:298) at hudson.tasks.BuildStepCompatibilityLayer.perform(BuildStepCompatibilityLayer.java:81) at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20) at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:744) at hudson.model.AbstractBuild$AbstractBuildExecution.performAllBuildSteps(AbstractBuild.java:690) at hudson.model.Build$BuildExecution.post2(Build.java:186) at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:635) at hudson.model.Run.execute(Run.java:1752) at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43) at hudson.model.ResourceController.execute(ResourceController.java:97) at hudson.model.Executor.run(Executor.java:429) Build step 'Publish Android Lint results' marked build as failure
Adding
-Dhudson.remoting.ClassFilter=com.google.common.collect.AbstractMultimap to the JVM args didn't fix the issue, as was suggested on https://jenkins.io/blog/2018/01/13/jep-200/
From the jenkins.log:
Jan 18, 2018 11:16:59 AM jenkins.security.ClassFilterImpl lambda$isBlacklisted$1 WARNING: com.google.common.collect.AbstractMultimap in file:/var/cache/jenkins/war/WEB-INF/lib/guava-11.0.1.jar might be dangerous, so rejecting; see https://jenkins.io/redirect/class-filter/
- is related to
-
JENKINS-47736
JEP-200: Switch Remoting/XStream blacklist to a whitelist
-
- Resolved
-
-
JENKINS-49000 Add common Guava collection classes to the core's whitelist
-
- Resolved
-
-
-
- Resolved
-
- links to
[JENKINS-49016] Android-lint plugin affected by JEP in 2.102
| Epic Link |
New:
|
| Link |
New:
This issue is related to |
| Link |
New:
This issue is related to |
https://github.com/jenkinsci/android-lint-plugin is based on Analysis POM, so I cannot run PCT against it directly.
It would require manual update and tests.
Regarding the workaround, added the suggested parm on the wrong place.
/usr/bin/daemon --name=jenkins --inherit --env=JENKINS_HOME=/var/lib/jenkins --output=/var/log/jenkins/jenkins.log --pidfile=/var/run/jenkins/jenkins.pid -- /usr/bin/java -Djava.awt.headless=true -Djenkins.CLI.disabled=true -jar /usr/share/jenkins/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=8080 -Dhudson.remoting.ClassFilter=com.google.common.collect.AbstractMultimap
After adding it the the correct place, as JAVA_ARG, not JENKINS_ARG, resulting in following command, it works correctly:
/usr/bin/daemon --name=jenkins --inherit --env=JENKINS_HOME=/var/lib/jenkins --output=/var/log/jenkins/jenkins.log --pidfile=/var/run/jenkins/jenkins.pid -- /usr/bin/java -Djava.awt.headless=true -Djenkins.CLI.disabled=true -Dhudson.remoting.ClassFilter=com.google.common.collect.AbstractMultimap -jar /usr/share/jenkins/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=8080
| Assignee | Original: Christopher Orr [ orrc ] | New: Oleg Nenashev [ oleg_nenashev ] |
| Component/s | New: analysis-core-plugin [ 15709 ] |
From what I see this issue potentially affects all plugins using ParserResult from Analysis Core plugin.
ParserResult includes "fileNameCache" field which is HashMultimap. It is whitelisted in the core, so maybe I am wrong (there is extra processing doe abstract classes). Need to reproduce that in tests.
Unfortunately for Remoting we do not get info which particular field is rejected. Maybe it is something to improve jglick
This particular issue will be solved by https://github.com/jenkinsci/jenkins/pull/3241 in the core (ETA: Sunday)
A workaround should work though, could you please provide a command sample you're running?