
UnsupportedOperationException: Refusing to marshal org.apache.maven.artifact.versioning.DefaultArtifactVersion for security reasons

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Component/s: maven-plugin
    • Environment:
      Jenkins 2.102
      Maven Integration plugin 3.0
      Maven Dependency Update Trigger 1.5

      Description

      After upgrading Jenkins, when a Maven project is triggered by an upstream Maven project dependency, the build breaks with the following error:

       

      Parsing POMs
      java.io.IOException: java.lang.RuntimeException: Failed to serialize hudson.maven.MavenModule#dependencies for class hudson.maven.MavenModule
      	at hudson.XmlFile.write(XmlFile.java:201)
      	at hudson.model.AbstractItem.save(AbstractItem.java:483)
      	at hudson.model.Job.save(Job.java:196)
      	at hudson.model.AbstractProject.save(AbstractProject.java:289)
      	at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.parsePoms(MavenModuleSetBuild.java:1039)
      	at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.doRun(MavenModuleSetBuild.java:691)
      	at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:504)
      	at hudson.model.Run.execute(Run.java:1727)
      	at hudson.maven.MavenModuleSetBuild.run(MavenModuleSetBuild.java:543)
      	at hudson.model.ResourceController.execute(ResourceController.java:97)
      	at hudson.model.Executor.run(Executor.java:429)
      Caused by: java.lang.RuntimeException: Failed to serialize hudson.maven.MavenModule#dependencies for class hudson.maven.MavenModule
      	at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256)
      	at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224)
      	at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138)
      	at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209)
      	at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150)
      	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
      	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
      	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
      	at com.thoughtworks.xstream.core.TreeMarshaller.start(TreeMarshaller.java:82)
      	at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.marshal(AbstractTreeMarshallingStrategy.java:37)
      	at com.thoughtworks.xstream.XStream.marshal(XStream.java:1026)
      	at com.thoughtworks.xstream.XStream.marshal(XStream.java:1015)
      	at com.thoughtworks.xstream.XStream.toXML(XStream.java:988)
      	at hudson.XmlFile.write(XmlFile.java:194)
      	... 10 more
      Caused by: java.lang.RuntimeException: Failed to serialize hudson.maven.ModuleDependency#parsedVersion for class hudson.maven.ModuleDependency
      	at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256)
      	at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224)
      	at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138)
      	at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209)
      	at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150)
      	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
      	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
      	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
      	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:88)
      	at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.writeItem(AbstractCollectionConverter.java:64)
      	at com.thoughtworks.xstream.converters.collections.CollectionConverter.marshal(CollectionConverter.java:74)
      	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
      	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
      	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
      	at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
      	at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
      	... 23 more
      Caused by: java.lang.UnsupportedOperationException: Refusing to marshal org.apache.maven.artifact.versioning.DefaultArtifactVersion for security reasons; see https://jenkins.io/redirect/class-filter/
      	at hudson.util.XStream2$BlacklistedTypesConverter.marshal(XStream2.java:530)
      	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
      	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
      	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
      	at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
      	at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
      	... 38 more
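
An added example, not part of the original report or of Jenkins itself: a small Python triage script that walks a `Caused by:` chain like the one above and reports which persisted field path ended in a class-filter refusal. The sample log is constructed from the trace above with most frames trimmed, and the function name `find_rejections` is an assumption of this example.

```python
import re

# Constructed excerpt shaped like the trace above (stack frames trimmed).
SAMPLE_LOG = """\
Parsing POMs
java.io.IOException: java.lang.RuntimeException: Failed to serialize hudson.maven.MavenModule#dependencies for class hudson.maven.MavenModule
\tat hudson.XmlFile.write(XmlFile.java:201)
Caused by: java.lang.RuntimeException: Failed to serialize hudson.maven.MavenModule#dependencies for class hudson.maven.MavenModule
\tat hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256)
\t... 10 more
Caused by: java.lang.RuntimeException: Failed to serialize hudson.maven.ModuleDependency#parsedVersion for class hudson.maven.ModuleDependency
\tat hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256)
\t... 23 more
Caused by: java.lang.UnsupportedOperationException: Refusing to marshal org.apache.maven.artifact.versioning.DefaultArtifactVersion for security reasons; see https://jenkins.io/redirect/class-filter/
\tat hudson.util.XStream2$BlacklistedTypesConverter.marshal(XStream2.java:530)
"""

FIELD_RE = re.compile(r"Failed to serialize ([\w.$]+)#(\w+) for class")
REFUSED_RE = re.compile(r"Refusing to marshal ([\w.$]+) for security reasons")

def find_rejections(log_text):
    """Return one record per refusal: the rejected type and the field path to it."""
    results, path = [], []
    for line in log_text.splitlines():
        s = line.strip()
        if not s or s.startswith(("at ", "...")):
            continue  # stack frames and "... N more" carry no field information
        field = FIELD_RE.search(s)
        refused = REFUSED_RE.search(s)
        if not s.startswith("Caused by:") and not refused:
            path = []  # an ordinary log line starts a new exception chain
        if field:
            step = f"{field.group(1)}#{field.group(2)}"
            if not path or path[-1] != step:  # outer wrapper repeats the first cause
                path.append(step)
        if refused:
            results.append({"rejected": refused.group(1), "path": list(path)})
            path = []
    return results

if __name__ == "__main__":
    for hit in find_rejections(SAMPLE_LOG):
        print(" -> ".join(hit["path"] + [hit["rejected"]]))
```
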

       

            Activity

            oleg_nenashev Oleg Nenashev added a comment -

            Seems to be real, CC Arnaud Héritier. I have never expected MavenInformation whitelisting to be enough

            oleg_nenashev Oleg Nenashev added a comment -

            Arnaud Héritier Jesse Glick I am not sure I will have time to review it today. It seems you just need to whitelist dependency model objects, but there are many objects to check. PCT does not help much from what I see

            jglick Jesse Glick added a comment -

            Is there any known way to reproduce this from scratch? Acceptance tests and plugin functional tests do not cover this code path, whatever it is.

            oleg_nenashev Oleg Nenashev added a comment -

            IIUC creating multiple modules which have other MavenModule jobs as dependencies.
            But I am not 100% sure

            jglick Jesse Glick added a comment -

            I think there are functional tests covering that, but cannot recall offhand.

            jglick Jesse Glick added a comment -

            I think I know what is wrong in the code and how it should be fixed, but I want to see if the problem can be reproduced in a test.

            jglick Jesse Glick added a comment -

            Marco Rothe you can try this snapshot build (Plugin Manager » Advanced) if you want to leave feedback.

            marco_rothe Marco Rothe added a comment -

            Thank you. I will try the snapshot build.

            Strangely enough, the problem doesn't occur on any build triggered by an upstream snapshot build on our Jenkins instance. :-/

            On some builds the downstream project fails; on others they start and complete successfully.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            src/main/java/hudson/maven/ModuleDependency.java
            http://jenkins-ci.org/commit/maven-plugin/fb9fab663b3ccbf7155b4590da3979a15e3933a2
            Log:
            JENKINS-49089 Probably fixing error, without yet knowing how to reproduce it.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Oleg Nenashev
            Path:
            Jenkinsfile
            src/main/java/hudson/maven/ModuleDependency.java
            src/main/java/hudson/maven/SplittableBuildListener.java
            src/test/java/hudson/maven/ModuleDependencyLocator.java
            http://jenkins-ci.org/commit/maven-plugin/ab7e2592e752d2d6a9c31c56a05ae1c2ffdba29c
            Log:
            Merge pull request #112 from jglick/JEP-200-JENKINS-49089

            JENKINS-49089 Whitelist problems

            Compare: https://github.com/jenkinsci/maven-plugin/compare/4c3b42be00ed...ab7e2592e752

            marco_rothe Marco Rothe added a comment -

            OK, I tested the snapshot version and the error has gone away (on projects where the build failed before).

            So the problem seems to be fixed even if it can't be reproduced in a reliable manner ;-(

            oleg_nenashev Oleg Nenashev added a comment -

            It has been released in 3.1. Let's see whether the current fix is enough


              People

              Assignee:
              jglick Jesse Glick
              Reporter:
              marco_rothe Marco Rothe