• Icon: Bug Bug
    • Resolution: Won't Fix
    • Icon: Minor Minor
    • doktor-plugin
    • debian jessie

      Doktor plugin is affected by JEP-200 :

      I use the step doktor and in the log there is this message :
      java.util.concurrent.ExecutionException: java.lang.SecurityException: Rejected: kotlin.collections.EmptyList; see https://jenkins.io/redirect/class-filter/
      and in catalina.out :

      AVERTISSEMENT: org.jgrapht.DirectedGraph in file:/data/jenkins/plugins/build-flow-plugin/WEB-INF/lib/jgrapht-jdk1.5-0.7.3.jar might be dangerous, so rejecting; see https://jenkins.io/redirect/class-filter/
      févr. 22, 2018 5:44:17 PM jenkins.security.ClassFilterImpl lambda$isBlacklisted$1
      AVERTISSEMENT: kotlin.collections.EmptyList in file:/data/jenkins/plugins/doktor/WEB-INF/lib/kotlin-stdlib-1.1.51.jar might be dangerous, so rejecting; see https://jenkins.io/redirect/class-filter/

          [JENKINS-49699] Doktor plugin affected by JEP-200

          Oleg Nenashev added a comment -

          The plugin is based on Gradle, so I cannot run PCT against it. It's also hard to say how many Kotlin libs we will need to whitelist in order to make it working. Currently there are 44 installations of the plugin, so for JEP-200 maintainers it has a low priority being compared to other affected plugins. For now I will leave it to madhead, happy to advice if needed.

          Oleg Nenashev added a comment - The plugin is based on Gradle, so I cannot run PCT against it. It's also hard to say how many Kotlin libs we will need to whitelist in order to make it working. Currently there are 44 installations of the plugin, so for JEP-200 maintainers it has a low priority being compared to other affected plugins. For now I will leave it to madhead , happy to advice if needed.

          oleg_nenashev, can you please take a look at this commit and tell whether it will be enough?

          Thanks a lot!

          Siarhei Krukau added a comment - oleg_nenashev , can you please take a look at this commit and tell whether it will be enough? Thanks a lot!

          Oleg Nenashev added a comment -

          madhead IIUC it won't be enough, the warning also mentions "kotlin.collections.EmptyList".

          There are testing guidelines here: https://jenkins.io/blog/2018/01/13/jep-200/#testing-plugins-against-jenkins-2-102-and-above
          Although the section is not applicable to Gradle builds, it may give you some idea how to run autotests (dependency bump generally)

          Oleg Nenashev added a comment - madhead IIUC it won't be enough, the warning also mentions "kotlin.collections.EmptyList". There are testing guidelines here: https://jenkins.io/blog/2018/01/13/jep-200/#testing-plugins-against-jenkins-2-102-and-above Although the section is not applicable to Gradle builds, it may give you some idea how to run autotests (dependency bump generally)

          Oleg Nenashev added a comment -

          madhead Hi, any updates? 2.107.1 lands in public next week, there will be a broader impact on users after that

          Oleg Nenashev added a comment - madhead Hi, any updates? 2.107.1 lands in public next week, there will be a broader impact on users after that

          Sorry, not yet. I guess 44 installations are not very critical.

          Siarhei Krukau added a comment - Sorry, not yet. I guess 44 installations are not very critical.

          Just released kotlin-v1-stdlib-jdk8 which has the "kotlin.collections.EmptyList" as the initial classFilter

          Going to suggest a PR at doktor

          Joseph Petersen (old) added a comment - Just released kotlin-v1-stdlib-jdk8 which has the "kotlin.collections.EmptyList" as the initial classFilter Going to suggest a PR at doktor

          oleg_nenashev I've tested this change: https://github.com/madhead/doktor/commit/d00e3f24d1b1be92391f3983405b58345b514135 and it seems to be working. I mean, listing those classes in META-INF/hudson.remoting.ClassFilter was enough. I have not seen any warnings about kotlin.collections.EmptyList.

          casz, oleg_nenashev I decided not to depend on other plugins. This forces me to use pluginFirstClassLoader is this a bad practice or not? I've seen no issues with it.

          Siarhei Krukau added a comment - oleg_nenashev I've tested this change: https://github.com/madhead/doktor/commit/d00e3f24d1b1be92391f3983405b58345b514135 and it seems to be working. I mean, listing those classes in META-INF/hudson.remoting.ClassFilter was enough. I have not seen any warnings about kotlin.collections.EmptyList . casz , oleg_nenashev I decided not to depend on other plugins. This forces me to use pluginFirstClassLoader is this a bad practice or not? I've seen no issues with it.

          Oleg Nenashev added a comment -

          usage of pluginFirstClassLoader is a really bad practice, because you may corrupt other plugins if they use higher dependency versions. I would advice to use the plugin or shade the libraries

          Oleg Nenashev added a comment - usage of pluginFirstClassLoader is a really bad practice, because you may corrupt other plugins if they use higher dependency versions. I would advice to use the plugin or shade the libraries

          I couldn't do that because of AsciidoctorJ library / JRuby runtime that fails, if I am not using this setting. Though, I didn't dig that a lot.

          Siarhei Krukau added a comment - I couldn't do that because of AsciidoctorJ library / JRuby runtime that fails, if I am not using this setting. Though, I didn't dig that a lot.

          So it is no longer possible to use this plugin?

          Christian Kipping added a comment - So it is no longer possible to use this plugin?

            Unassigned Unassigned
            laurent_dufour Laurent Dufour
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: