Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-50981

AppScanSourceBuilder persists PrintStream to the disk (JEP-200)

XMLWordPrintable

      According to the code inspection, there is a JEP-200 issue in the plugin:

      This code likely causes a JEP-200 security exception when the object gets persisted to the disk. "java.io.PrintStream" is not whitelisted in Jenkins for a reason, because loggers are not expected reliably after being deserialized from the disk.

      Useful links about JEP-200:

          [JENKINS-50981] AppScanSourceBuilder persists PrintStream to the disk (JEP-200)

          Oleg Nenashev created issue -
          Oleg Nenashev made changes -
          Component/s New: ibm-security-appscansource-scanner-plugin [ 21460 ]
          Component/s Original: loaderio-jenkins [ 17658 ]
          Oleg Nenashev made changes -
          Description Original: According to the code inspection, there is a JEP-200 issue in the plugin:
          * https://github.com/jenkinsci/loaderio-plugin/blob/987a638da8cfeda2f7cbe7bfab0d71ca920289bc/src/main/java/io/loader/jenkins/LoaderPublisher.java#L73

          This code likely causes a JEP-200 security exception when the object gets persisted to the disk. "java.io.PrintStream" is not whitelisted in Jenkins for a reason, because loggers are not expected reliably after being deserialized from the disk.

          Useful links about JEP-200:

          * Blog post for users: https://jenkins.io/blog/2018/03/15/jep-200-lts/
          * JEP-200 guidelines for plugin developers: https://jenkins.io/blog/2018/01/13/jep-200/#for-plugin-developers
          		 New: According to the code inspection, there is a JEP-200 issue in the plugin:
          * https://github.com/jenkinsci/ibm-security-appscansource-scanner-plugin/blob/3a925c5b9016a6a5db8c5c68d2764805a4603f94/src/main/java/com/aspectsecurity/automationservices/plugins/jenkins/appscansource/AppScanSourceBuilder.java#L55

          This code likely causes a JEP-200 security exception when the object gets persisted to the disk. "java.io.PrintStream" is not whitelisted in Jenkins for a reason, because loggers are not expected reliably after being deserialized from the disk.

          Useful links about JEP-200:

          * Blog post for users: https://jenkins.io/blog/2018/03/15/jep-200-lts/
          * JEP-200 guidelines for plugin developers: https://jenkins.io/blog/2018/01/13/jep-200/#for-plugin-developers
          Oleg Nenashev made changes -
          Assignee New: Kevin Fealey [ kevinfealey ]

            kevinfealey Kevin Fealey
            oleg_nenashev Oleg Nenashev
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated: