Resolution: Unresolved
Hi team
I have 2 examples where I have a parametrized build which is supposed to create pipelines. But when running in the sandbox it is failing and asking for approvals of:
method groovy.lang.GroovyObject getProperty java.lang.String
method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object
which are highlighted red as dangerous by Jenkins.
Here are the examples:
multibranchPipelineJob("${JENKINS_PROJECT_NAME}/CI Build") {
    branchSources {
        github {
            scanCredentialsId("${GIT_CREDENTIALS_ID}")
            repoOwner("${GITHUB_REPO_OWNER}")
            repository("${GITHUB_REPO_NAME}")
        }
    }
}
ERROR: Scripts not permitted to use method groovy.lang.GroovyObject getProperty java.lang.String (javaposse.jobdsl.dsl.helpers.workflow.GitHubBranchSourceContext.GIT_CREDENTIALS_ID)
I think the problem here is the usage of DELEGATE_FIRST mode without whitelisting (if it is even possible to whitelist).
Second example:
pipelineJob("${rootFolderPath}/SomeName") {
    definition {
        cpsScm {
            scm {
                git {
                    remote {
                        url(jenkinsfilesRepo)
                        credentials('github-access')
                    }
                    branches('master')
                    scriptPath("${microservicesScriptsPath}/somepath/Jenkinsfile")
                    lightweight(false)
                    extensions {
                        relativeTargetDirectory("DSL")
                    }
                    configure { node ->
                        node / extensions / 'hudson.plugins.git.extensions.impl.PathRestriction' {
                            excludedRegions "${rootScriptPath}"
                        }
                    }
                }
            }
        }
    }
}
ERROR: Scripts not permitted to use method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object (javaposse.jobdsl.dsl.helpers.scm.GitContext scriptPath org.codehaus.groovy.runtime.GStringImpl)
Do you think it can be fixed on the Job DSL plugin side? Jenkins is warning it is not safe to whitelist those signatures globally.
Thank you!
[JENKINS-50712] branchSources in MultibranchWorkflowJob and PipelineJob asking for vulnerable signature approvals when running in sandbox
Summary | Original: branchSources in MultibranchWorkflowJob asking for vulnerable signature approvals when running in sandbox | New: branchSources in MultibranchWorkflowJob and PipelineJob asking for vulnerable signature approvals when running in sandbox |
Component/s | New: script-security-plugin [ 18520 ] |
Assignee | Original: Daniel Spilker [ daspilker ] |
Ah, this seems to be a problem of the Groovy Sandbox because Job DSL is using DELEGATE_FIRST as you mentioned.
As a workaround, you can copy the binding variables to local variables:
To your second problem: the scriptPath and lightweight options must be within the scm context. The error message is misleading, but again, that is a limitation of the Groovy Sandbox.
And configure blocks currently do not work with the sandbox. That is a documented limitation. But you can use the Dynamic DSL to add any extension.
Next time, please open separate issues for distinct problems or ask on Stack Overflow or the Job DSL mailing list.
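
An added illustration, not part of the original comments and not Job DSL or Script Security code: in plain Groovy, a DELEGATE_FIRST closure asks its delegate for an unknown name before falling back to the script binding, which matches the receiver named in the first error message above, while a local variable is captured lexically and never reaches the delegate. RecordingContext, runWith and the sample credentials value are hypothetical stand-ins, and no sandbox is involved.

```groovy
// Added illustration in plain Groovy. RecordingContext and runWith are
// hypothetical stand-ins, not Job DSL or Script Security code.
class RecordingContext {
    List<String> lookups = []   // property names the closure asked the delegate for
    String captured             // value that reached the DSL-style method

    void scanCredentialsId(String id) { captured = id }

    // Invoked when the delegate has no such property. Throwing lets Groovy
    // fall back to the closure's owner (the script and its binding).
    def propertyMissing(String name) {
        lookups << name
        throw new MissingPropertyException(name, RecordingContext)
    }
}

// Runs a closure against a fresh context using DELEGATE_FIRST resolution.
def runWith(Closure body) {
    def ctx = new RecordingContext()
    body.delegate = ctx
    body.resolveStrategy = Closure.DELEGATE_FIRST
    body()
    return ctx
}

// Constructed sample value. An undeclared assignment in a script lands in
// the binding, which is where the variables in the report live.
GIT_CREDENTIALS_ID = 'github-access'

// Binding variable read inside the closure: the delegate is consulted first.
def viaBinding = runWith { scanCredentialsId("${GIT_CREDENTIALS_ID}") }
assert viaBinding.lookups == ['GIT_CREDENTIALS_ID']
assert viaBinding.captured == 'github-access'

// Workaround: copy the value to a local variable outside the closure.
// The closure captures it lexically, so the delegate is never asked.
def gitCredentialsId = GIT_CREDENTIALS_ID
def viaLocal = runWith { scanCredentialsId(gitCredentialsId) }
assert viaLocal.lookups == []
assert viaLocal.captured == 'github-access'
```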