The following code works well on Pipeline: Supporting APIs v 2.17 but stoped working after upgrading to 2.18:

class Emails implements Serializable {
public final static List<String> TEAM_FOO = [NO_REPLY, NO_REPLY2]
public final static String NO_REPLY = "no-reply@example.com"
public final static String NO_REPLY2 = "no-reply@example.com"
}
timestamps {{{ node('master') {
 def emails = Emails.TEAM_FOO}
 }
}

Exception is:

org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticField Emails NO_REPLY
at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectStaticField(StaticWhitelist.java:199)
at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor$14.reject(SandboxInterceptor.java:372)
at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:381)
at org.kohsuke.groovy.sandbox.impl.Checker$6.call(Checker.java:284)
at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:288)
at org.kohsuke.groovy.sandbox.impl.Checker$checkedGetProperty.callStatic(Unknown Source)
at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:230)
at Emails.<clinit>(WorkflowScript:5)
 

It can be partially fixed by whitelisting following signatures: 

public final static String NO_REPLY

public final static String NO_REPLY2 

etc...

The problem is there are LOTS of such constants in real code, that makes difficult to whitelist em all.