
Docker Traceability plugin is affected by JEP-200

      It is a follow-up to the investigation of JENKINS-50480...

      1) Docker Traceability API library has no Whitelist manifest entry, so the classes in it will likely be rejected. There is a critical class for fingerprinting: https://github.com/jenkinsci/docker-traceability-plugin/blob/49141a86d41269799e00161a02ac72e9aa9a3a15/docker-traceability-api/src/main/java/org/jenkinsci/plugins/docker/traceability/api/DockerTraceabilityReport.java#L51
      2) Docker Traceability includes shaded versions of Docker Java classes. Since shading happens in a separate JAR, it likely also needs whitelisting.

          [JENKINS-50509] Docker Traceability plugin is affected by JEP-200

          Oleg Nenashev added a comment -

          ataylor ping, any feedback regarding it?


          Alex Taylor added a comment -

          oleg_nenashev So then I should add a whitelist similar to https://github.com/jenkinsci/docker-plugin/pull/619/files and add the InspectContainerResponse to it?


          Oleg Nenashev added a comment -

          ataylor Well, you can try it... Note that the library is shaded, so you could probably add a "Jenkins-ClassFilter-Whitelisted: true" manifest entry to https://github.com/jenkinsci/docker-traceability-plugin/tree/master/docker-java-shaded if you feel brave. I am not sure how safe it is. https://jenkins.io/blog/2018/01/13/jep-200/#making-plugins-compatible-with-jenkins-2-102-or-above

          If you accept compatibility breakage, you could store the objects as strings and convert them to JSON on loading. But it would drop the history, which is probably critical for this plugin.


          Oleg Nenashev added a comment -

          After discussing the issue with ataylor, we agreed that JEP-200 maintainers won't be working on this issue. Reasons: no reports from the field + technical debt in the plugin codebase. We will be happy to help with code reviews if needed.


            ataylor Alex Taylor
            oleg_nenashev Oleg Nenashev
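
An added example (not part of the issue or the plugin's code): a Python check that reports which JEP-200 whitelisting mechanism a JAR carries, either the `Jenkins-ClassFilter-Whitelisted: true` manifest entry mentioned in the comments or a per-class list. The resource name `META-INF/hudson.remoting.ClassFilter` is taken from the linked JEP-200 blog post, the list format is an assumption, the sample JARs are constructed in memory, and the helper names are hypothetical.

```python
import io
import zipfile

WHITELIST_ATTR = "Jenkins-ClassFilter-Whitelisted"        # manifest entry quoted in the thread
FILTER_RESOURCE = "META-INF/hudson.remoting.ClassFilter"  # per-class list (JEP-200 blog post)

def parse_main_manifest(raw: bytes) -> dict:
    """Main section of MANIFEST.MF as {lowercased name: value}, joining wrapped lines."""
    attrs, key = {}, None
    for line in raw.decode("utf-8", "replace").splitlines():
        if not line:                       # a blank line ends the main section
            break
        if line.startswith(" ") and key:   # continuation of the previous value
            attrs[key] += line[1:]
            continue
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()     # attribute names are case-insensitive
            attrs[key] = value.lstrip(" ")
    return attrs

def jep200_status(jar: bytes) -> dict:
    """Which JEP-200 whitelisting mechanisms does this JAR carry?"""
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        names = set(zf.namelist())
        manifest = {}
        if "META-INF/MANIFEST.MF" in names:
            manifest = parse_main_manifest(zf.read("META-INF/MANIFEST.MF"))
        classes = []
        if FILTER_RESOURCE in names:       # assumed: one class per line, '#' comments
            text = zf.read(FILTER_RESOURCE).decode("utf-8", "replace")
            classes = [l.strip() for l in text.splitlines()
                       if l.strip() and not l.lstrip().startswith("#")]
    return {"whole_jar": manifest.get(WHITELIST_ATTR.lower()) == "true",
            "classes": classes}

def make_jar(manifest: str, extra=None) -> bytes:
    """Build a constructed sample JAR in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for name, body in (extra or {}).items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed samples: a shaded library JAR, an API JAR with a class list, an unmarked JAR.
SHADED = make_jar("Manifest-Version: 1.0\r\nJenkins-ClassFilter-Whitelisted: true\r\n\r\n")
API = make_jar("Manifest-Version: 1.0\r\n\r\n", {FILTER_RESOURCE:
    "# constructed list\norg.jenkinsci.plugins.docker.traceability.api.DockerTraceabilityReport\n"})
PLAIN = make_jar("Manifest-Version: 1.0\r\n\r\n")

if __name__ == "__main__":
    for label, jar in (("shaded", SHADED), ("api", API), ("plain", PLAIN)):
        print(label, jep200_status(jar))
```

A `whole_jar` result of `True` on a shaded third-party JAR means every class in it is accepted for deserialization, which is the safety concern raised in the comment above; a class list keeps the accepted set explicit and reviewable.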