JENKINS-50509

Docker Traceability plugin is affected by JEP-200


      Description

      It is a follow-up to the investigation of JENKINS-50480...

      1) Docker Traceability API library has no Whitelist manifest entry, so the classes in it will likely be rejected. There is a critical class for fingerprinting: https://github.com/jenkinsci/docker-traceability-plugin/blob/49141a86d41269799e00161a02ac72e9aa9a3a15/docker-traceability-api/src/main/java/org/jenkinsci/plugins/docker/traceability/api/DockerTraceabilityReport.java#L51
      2) Docker Traceability includes shaded versions of Docker Java classes. Since shading happens in a separate JAR, it likely also needs whitelisting.

            Activity

            oleg_nenashev Oleg Nenashev added a comment -

            Alex Taylor ping, any feedback regarding it?

            ataylor Alex Taylor added a comment -

            Oleg Nenashev So then I should add a whitelist similar to https://github.com/jenkinsci/docker-plugin/pull/619/files and add the InspectContainerResponse to it?

            oleg_nenashev Oleg Nenashev added a comment -

            Alex Taylor Well, you can try it... Note that the library is shaded, so you could probably add a "Jenkins-ClassFilter-Whitelisted: true" manifest entry to https://github.com/jenkinsci/docker-traceability-plugin/tree/master/docker-java-shaded if you feel brave. I am not sure how safe it is. https://jenkins.io/blog/2018/01/13/jep-200/#making-plugins-compatible-with-jenkins-2-102-or-above

            If you accept compatibility breakage, you could store the objects as strings and convert them to JSON on loading. But it would drop the history, which is probably critical for this plugin.
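
An added example, not part of the thread or the plugin's code: a Python check that reports whether a JAR's manifest declares the `Jenkins-ClassFilter-Whitelisted: true` entry quoted above, which is the gap the description reports for the API library. The JAR names and manifests are constructed samples, and the exact match on `true` in the main manifest section is an assumption.

```python
import io
import zipfile

ENTRY = "Jenkins-ClassFilter-Whitelisted"  # manifest attribute quoted in the thread


def main_attributes(manifest_text):
    """Parse the main section of a JAR manifest, joining continuation lines."""
    attrs, last = {}, None
    for line in manifest_text.splitlines():
        if not line.strip():               # a blank line ends the main section
            break
        if line.startswith(" ") and last:  # continuation of the previous value
            attrs[last] += line[1:]
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue                       # malformed line: skip, do not guess
        last = name.strip().lower()        # attribute names are case-insensitive
        attrs[last] = value.lstrip(" ")
    return attrs


def jar_is_whitelisted(jar_bytes):
    """True only if the main manifest section sets the entry to 'true'."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        try:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:                   # JAR without any manifest
            return False
    # Assumption: only the exact value "true" counts as opting in.
    return main_attributes(text).get(ENTRY.lower(), "").strip() == "true"


def build_jar(manifest):
    """Constructed sample: an in-memory JAR with the given manifest, or none."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        if manifest is not None:
            jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("placeholder.txt", "constructed")
    return buf.getvalue()


SAMPLES = {  # constructed names and manifests, not the plugin's real artifacts
    "api-without-entry.jar": "Manifest-Version: 1.0\r\nCreated-By: sample\r\n\r\n",
    "shaded-with-entry.jar": "Manifest-Version: 1.0\r\n" + ENTRY + ": true\r\n\r\n",
    "no-manifest.jar": None,
}


def audit():
    """Map each sample JAR name to whether it declares the whitelist entry."""
    return {name: jar_is_whitelisted(build_jar(m)) for name, m in SAMPLES.items()}
```
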

            oleg_nenashev Oleg Nenashev added a comment -

            After discussing the issue with Alex Taylor, we agreed that JEP-200 maintainers won't be working on this issue. Reasons: no reports from the field + technical debt in the plugin codebase. We will be happy to help with code reviews if needed.


              People

              Assignee:
              ataylor Alex Taylor
              Reporter:
              oleg_nenashev Oleg Nenashev
