[JENKINS-49089] UnsupportedOperationException: Refusing to marshal org.apache.maven.artifact.versioning.DefaultArtifactVersion for security reasons

Type: Bug
Resolution: Fixed
Priority: Major
Component/s: maven-plugin
Labels:
- JEP-200
Environment:
Jenkins 2.102

Maven Integration plugin 3.0
Maven Dependency Update Trigger 1.5

Similar Issues:
Powered by SuggestiMate

Show
Epic Link:
JEP-200: Switch Remoting/XStream blacklist to a whitelist

After upgrading jenkins and a maven project is triggert by a upstream maven project dependency the build breaks with the following error:

Parsing POMs
java.io.IOException: java.lang.RuntimeException: Failed to serialize hudson.maven.MavenModule#dependencies for class hudson.maven.MavenModule
	at hudson.XmlFile.write(XmlFile.java:201)
	at hudson.model.AbstractItem.save(AbstractItem.java:483)
	at hudson.model.Job.save(Job.java:196)
	at hudson.model.AbstractProject.save(AbstractProject.java:289)
	at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.parsePoms(MavenModuleSetBuild.java:1039)
	at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.doRun(MavenModuleSetBuild.java:691)
	at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:504)
	at hudson.model.Run.execute(Run.java:1727)
	at hudson.maven.MavenModuleSetBuild.run(MavenModuleSetBuild.java:543)
	at hudson.model.ResourceController.execute(ResourceController.java:97)
	at hudson.model.Executor.run(Executor.java:429)
Caused by: java.lang.RuntimeException: Failed to serialize hudson.maven.MavenModule#dependencies for class hudson.maven.MavenModule
	at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256)
	at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224)
	at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138)
	at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209)
	at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150)
	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
	at com.thoughtworks.xstream.core.TreeMarshaller.start(TreeMarshaller.java:82)
	at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.marshal(AbstractTreeMarshallingStrategy.java:37)
	at com.thoughtworks.xstream.XStream.marshal(XStream.java:1026)
	at com.thoughtworks.xstream.XStream.marshal(XStream.java:1015)
	at com.thoughtworks.xstream.XStream.toXML(XStream.java:988)
	at hudson.XmlFile.write(XmlFile.java:194)
	... 10 more
Caused by: java.lang.RuntimeException: Failed to serialize hudson.maven.ModuleDependency#parsedVersion for class hudson.maven.ModuleDependency
	at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256)
	at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224)
	at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138)
	at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209)
	at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150)
	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:88)
	at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.writeItem(AbstractCollectionConverter.java:64)
	at com.thoughtworks.xstream.converters.collections.CollectionConverter.marshal(CollectionConverter.java:74)
	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
	at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
	at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
	... 23 more
Caused by: java.lang.UnsupportedOperationException: Refusing to marshal org.apache.maven.artifact.versioning.DefaultArtifactVersion for security reasons; see https://jenkins.io/redirect/class-filter/
	at hudson.util.XStream2$BlacklistedTypesConverter.marshal(XStream2.java:530)
	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
	at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
	at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
	... 38 more

is related to

JENKINS-47736 JEP-200: Switch Remoting/XStream blacklist to a whitelist

Resolved

JENKINS-49130 Sonar Quality Gates run fails after upgrade to Jenkins 2.102/2.103

Resolved

relates to

JENKINS-50251 Rejected: org.apache.maven.model.Notifier

Resolved

links to

PR 112

mentioned in: Page Failed to load

Marco Rothe created issue - 2018-01-23 08:03

Marco Rothe made changes - 2018-01-23 08:03

Epic Link

New: ~~JENKINS-47736~~ [ 186227 ]

Oleg Nenashev added a comment - 2018-01-23 08:07

Seems to be real, CC aheritier. I have never expected MavenInformation whitelisting to be enough

Oleg Nenashev added a comment - 2018-01-23 08:07 Seems to be real, CC aheritier . I have never expected MavenInformation whitelisting to be enough

Marco Rothe made changes - 2018-01-23 08:08

Link

New: This issue is related to ~~JENKINS-47736~~ [ ~~JENKINS-47736~~ ]

Marco Rothe made changes - 2018-01-23 08:09

Description

Original: After upgrading jenkins and a maven project is triggert by a upstream maven project dependency to build breaks with the following error:

{noformat}
Parsing POMs
java.io.IOException: java.lang.RuntimeException: Failed to serialize hudson.maven.MavenModule#dependencies for class hudson.maven.MavenModule
at hudson.XmlFile.write(XmlFile.java:201)
at hudson.model.AbstractItem.save(AbstractItem.java:483)
at hudson.model.Job.save(Job.java:196)
at hudson.model.AbstractProject.save(AbstractProject.java:289)
at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.parsePoms(MavenModuleSetBuild.java:1039)
at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.doRun(MavenModuleSetBuild.java:691)
at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:504)
at hudson.model.Run.execute(Run.java:1727)
at hudson.maven.MavenModuleSetBuild.run(MavenModuleSetBuild.java:543)
at hudson.model.ResourceController.execute(ResourceController.java:97)
at hudson.model.Executor.run(Executor.java:429)
Caused by: java.lang.RuntimeException: Failed to serialize hudson.maven.MavenModule#dependencies for class hudson.maven.MavenModule
at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256)
at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224)
at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138)
at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209)
at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150)
at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
at com.thoughtworks.xstream.core.TreeMarshaller.start(TreeMarshaller.java:82)
at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.marshal(AbstractTreeMarshallingStrategy.java:37)
at com.thoughtworks.xstream.XStream.marshal(XStream.java:1026)
at com.thoughtworks.xstream.XStream.marshal(XStream.java:1015)
at com.thoughtworks.xstream.XStream.toXML(XStream.java:988)
at hudson.XmlFile.write(XmlFile.java:194)
... 10 more
Caused by: java.lang.RuntimeException: Failed to serialize hudson.maven.ModuleDependency#parsedVersion for class hudson.maven.ModuleDependency
at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256)
at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224)
at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138)
at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209)
at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150)
at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:88)
at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.writeItem(AbstractCollectionConverter.java:64)
at com.thoughtworks.xstream.converters.collections.CollectionConverter.marshal(CollectionConverter.java:74)
at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
... 23 more
Caused by: java.lang.UnsupportedOperationException: Refusing to marshal org.apache.maven.artifact.versioning.DefaultArtifactVersion for security reasons; see https://jenkins.io/redirect/class-filter/
at hudson.util.XStream2$BlacklistedTypesConverter.marshal(XStream2.java:530)
at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
... 38 more{noformat}

New: After upgrading jenkins and a maven project is triggert by a upstream maven project dependency the build breaks with the following error:

{noformat}
Parsing POMs
java.io.IOException: java.lang.RuntimeException: Failed to serialize hudson.maven.MavenModule#dependencies for class hudson.maven.MavenModule
at hudson.XmlFile.write(XmlFile.java:201)
at hudson.model.AbstractItem.save(AbstractItem.java:483)
at hudson.model.Job.save(Job.java:196)
at hudson.model.AbstractProject.save(AbstractProject.java:289)
at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.parsePoms(MavenModuleSetBuild.java:1039)
at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.doRun(MavenModuleSetBuild.java:691)
at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:504)
at hudson.model.Run.execute(Run.java:1727)
at hudson.maven.MavenModuleSetBuild.run(MavenModuleSetBuild.java:543)
at hudson.model.ResourceController.execute(ResourceController.java:97)
at hudson.model.Executor.run(Executor.java:429)
Caused by: java.lang.RuntimeException: Failed to serialize hudson.maven.MavenModule#dependencies for class hudson.maven.MavenModule
at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256)
at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224)
at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138)
at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209)
at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150)
at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
at com.thoughtworks.xstream.core.TreeMarshaller.start(TreeMarshaller.java:82)
at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.marshal(AbstractTreeMarshallingStrategy.java:37)
at com.thoughtworks.xstream.XStream.marshal(XStream.java:1026)
at com.thoughtworks.xstream.XStream.marshal(XStream.java:1015)
at com.thoughtworks.xstream.XStream.toXML(XStream.java:988)
at hudson.XmlFile.write(XmlFile.java:194)
... 10 more
Caused by: java.lang.RuntimeException: Failed to serialize hudson.maven.ModuleDependency#parsedVersion for class hudson.maven.ModuleDependency
at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256)
at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224)
at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138)
at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209)
at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150)
at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:88)
at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.writeItem(AbstractCollectionConverter.java:64)
at com.thoughtworks.xstream.converters.collections.CollectionConverter.marshal(CollectionConverter.java:74)
at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
... 23 more
Caused by: java.lang.UnsupportedOperationException: Refusing to marshal org.apache.maven.artifact.versioning.DefaultArtifactVersion for security reasons; see https://jenkins.io/redirect/class-filter/
at hudson.util.XStream2$BlacklistedTypesConverter.marshal(XStream2.java:530)
at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
... 38 more{noformat}

Oleg Nenashev made changes - 2018-01-23 08:47

Assignee

Original: Olivier Lamy [ olamy ]

New: Oleg Nenashev [ oleg_nenashev ]

Oleg Nenashev made changes - 2018-01-23 08:47

Status

Original: Open [ 1 ]

New: In Progress [ 3 ]

Oleg Nenashev added a comment - 2018-01-23 09:05

aheritier jglick I am not sure I will have time to review it today. It seems you just need to whitelist dependency model objects, but there are many objects to check. PCT does not help much from what I see

Oleg Nenashev added a comment - 2018-01-23 09:05 aheritier jglick I am not sure I will have time to review it today. It seems you just need to whitelist dependency model objects, but there are many objects to check. PCT does not help much from what I see

Oleg Nenashev made changes - 2018-01-23 09:05

Assignee

Original: Oleg Nenashev [ oleg_nenashev ]

Oleg Nenashev made changes - 2018-01-23 09:05

Component/s

Original: maven-dependency-update-trigger-plugin [ 15756 ]

Assignee:: Jesse Glick

Reporter:: Marco Rothe

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2018-01-23 08:03

Updated:: 2024-07-11 23:33

Resolved:: 2018-01-24 13:20

Jenkins

Details

Description

Attachments

Issue Links

Activity

Collapse comment: Oleg Nenashev added a comment - 2018-01-23 08:07

Expand comment: Oleg Nenashev added a comment - 2018-01-23 08:07

Collapse comment: Oleg Nenashev added a comment - 2018-01-23 09:05

Expand comment: Oleg Nenashev added a comment - 2018-01-23 09:05

People

Dates