Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-54226

Script not approved for use exception at the end of every build log - even for jobs with no groovy scripts

      org.jenkinsci.plugins.scriptsecurity.scripts.UnapprovedUsageException: script not yet approved for use*10:39:55* at org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval.using(ScriptApproval.java:466)10:39:55 at org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval$using$0.call(Unknown Source)10:39:55 at com.splunk.splunkjenkins.UserActionDSL.perform(UserActionDSL.groovy:41)10:39:55 at com.splunk.splunkjenkins.listeners.LoggingRunListener.onCompleted(LoggingRunListener.java:85)10:39:55 at hudson.model.listeners.RunListener.fireCompleted(RunListener.java:211)10:39:55 at hudson.model.Run.execute(Run.java:1864)10:39:55 at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)10:39:55 at hudson.model.ResourceController.execute(ResourceController.java:97)10:39:55 at hudson.model.Executor.run(Executor.java:429)
      This exception is being thrown and logged at the end of every jenkins job invocation on our server, even jobs that have 0 groovy scripts in them.

      Because the exception is thrown at the end of the job and appears as the last thing in the log, save for perhaps the line saying it has FAILED, this causes developers to assume that the exception is the cause of the build failure when it actually doesn't cause anything to break.

      There are no unapproved script or method invocations in the script approval page. 

          [JENKINS-54226] Script not approved for use exception at the end of every build log - even for jobs with no groovy scripts

          Ankur added a comment - - edited

          I am facing the same issue. This is coming at end of every job. There is no script pending for approval.

           

          This is the message I see in logs:

          org.jenkinsci.plugins.scriptsecurity.scripts.UnapprovedUsageException: script not yet approved for use
          at org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval.using(ScriptApproval.java:474)
          at org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval$using$0.call(Unknown Source)
          at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48)
          at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113)
          at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:133)
          at com.splunk.splunkjenkins.UserActionDSL.perform(UserActionDSL.groovy:39)
          at com.splunk.splunkjenkins.listeners.LoggingRunListener.onCompleted(LoggingRunListener.java:85)
          at hudson.model.listeners.RunListener.fireCompleted(RunListener.java:209)
          at org.jenkinsci.plugins.workflow.job.WorkflowRun.finish(WorkflowRun.java:587)
          at org.jenkinsci.plugins.workflow.job.WorkflowRun.access$800(WorkflowRun.java:133)
          at org.jenkinsci.plugins.workflow.job.WorkflowRun$GraphL.onNewHead(WorkflowRun.java:1014)
          at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution.notifyListeners(CpsFlowExecution.java:1463)
          at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$3.run(CpsThreadGroup.java:493)
          at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$1.run(CpsVmExecutorService.java:38)
          at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:131)
          at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
          at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:59)
          at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
          at java.util.concurrent.FutureTask.run(Unknown Source)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
          at java.lang.Thread.run(Unknown Source)

          Ankur added a comment - - edited I am facing the same issue. This is coming at end of every job. There is no script pending for approval.   This is the message I see in logs: org.jenkinsci.plugins.scriptsecurity.scripts.UnapprovedUsageException: script not yet approved for use at org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval.using(ScriptApproval.java:474) at org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval$using$0.call(Unknown Source) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:133) at com.splunk.splunkjenkins.UserActionDSL.perform(UserActionDSL.groovy:39) at com.splunk.splunkjenkins.listeners.LoggingRunListener.onCompleted(LoggingRunListener.java:85) at hudson.model.listeners.RunListener.fireCompleted(RunListener.java:209) at org.jenkinsci.plugins.workflow.job.WorkflowRun.finish(WorkflowRun.java:587) at org.jenkinsci.plugins.workflow.job.WorkflowRun.access$800(WorkflowRun.java:133) at org.jenkinsci.plugins.workflow.job.WorkflowRun$GraphL.onNewHead(WorkflowRun.java:1014) at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution.notifyListeners(CpsFlowExecution.java:1463) at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$3.run(CpsThreadGroup.java:493) at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$1.run(CpsVmExecutorService.java:38) at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:131) at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28) at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:59) at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source) at java.util.concurrent.FutureTask.run(Unknown Source) at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at java.lang.Thread.run(Unknown Source)

          Elad added a comment - - edited

          We have the same issue

          org.jenkinsci.plugins.scriptsecurity.scripts.UnapprovedUsageException: script not yet approved for use
          	at org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval.using(ScriptApproval.java:474)
          	at org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval$using$0.call(Unknown Source)
          	at com.splunk.splunkjenkins.UserActionDSL.perform(UserActionDSL.groovy:39)
          	at com.splunk.splunkjenkins.listeners.LoggingRunListener.onCompleted(LoggingRunListener.java:85)
          	at hudson.model.listeners.RunListener.fireCompleted(RunListener.java:209)
          	at org.jenkinsci.plugins.workflow.job.WorkflowRun.finish(WorkflowRun.java:610)
          	at org.jenkinsci.plugins.workflow.job.WorkflowRun.access$800(WorkflowRun.java:137)
          	at org.jenkinsci.plugins.workflow.job.WorkflowRun$GraphL.onNewHead(WorkflowRun.java:1037)
          	at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution.notifyListeners(CpsFlowExecution.java:1473)
          	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$3.run(CpsThreadGroup.java:489)
          	at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$1.run(CpsVmExecutorService.java:38)
          	at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:136)
          	at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
          	at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:59)
          	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
          	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
          	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
          	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
          	at java.lang.Thread.run(Thread.java:748)
          

          Elad added a comment - - edited We have the same issue org.jenkinsci.plugins.scriptsecurity.scripts.UnapprovedUsageException: script not yet approved for use at org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval.using(ScriptApproval.java:474) at org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval$using$0.call(Unknown Source) at com.splunk.splunkjenkins.UserActionDSL.perform(UserActionDSL.groovy:39) at com.splunk.splunkjenkins.listeners.LoggingRunListener.onCompleted(LoggingRunListener.java:85) at hudson.model.listeners.RunListener.fireCompleted(RunListener.java:209) at org.jenkinsci.plugins.workflow.job.WorkflowRun.finish(WorkflowRun.java:610) at org.jenkinsci.plugins.workflow.job.WorkflowRun.access$800(WorkflowRun.java:137) at org.jenkinsci.plugins.workflow.job.WorkflowRun$GraphL.onNewHead(WorkflowRun.java:1037) at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution.notifyListeners(CpsFlowExecution.java:1473) at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$3.run(CpsThreadGroup.java:489) at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$1.run(CpsVmExecutorService.java:38) at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:136) at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28) at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:59) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang. Thread .run( Thread .java:748)

          Kalle Niemitalo added a comment - - edited

          The stack traces that were posted in this issue include com.splunk.splunkjenkins.UserActionDSL.perform(UserActionDSL.groovy:39) in the Splunk plugin, which intentionally calls ScriptApproval.using. That was added in PR #3 to fix SECURITY-479 in Jenkins Security Advisory 2017-04-10. According to commentary on the PR, an administrator should then be able to approve the script.

          When UserActionDSL.perform is called by LoggingRunListener.onCompleted, the script comes from SplunkJenkinsInstallation.getCode(). A default script is defined in sample.groovy, and a Jenkins administrator can edit the script or specify the path of a file from which SplunkJenkinsInstallation reads the script.

          If an administrator edits and saves the script in the Splunk plugin configuration, then SplunkJenkinsInstallation.checkApprove calls ScriptApproval.configuring (javadoc), which should automatically approve the script. However, I'm not sure whether the Splunk plugin does that when it automatically replaces the default script after you upgrade the plugin. The last such change was in 1.5.0 (April 16, 2017). The change log of that version indeed mentions that it can cause UnapprovedUsageException and that an administrator should go to "Manage Jenkins -> In-process Script Approval" and approve the script.

          According to the description of this issue though, "There are no unapproved script or method invocations in the script approval page." That may be a bug in the Script Security plugin, but the Splunk plugin is at least involved here and could be changed to log a more descriptive error, so I'm adding splunk-devops-plugin as a component. It would be interesting to know which version of the Splunk plugin you are using.

          Kalle Niemitalo added a comment - - edited The stack traces that were posted in this issue include com.splunk.splunkjenkins.UserActionDSL.perform(UserActionDSL.groovy:39) in the Splunk plugin , which intentionally calls ScriptApproval.using. That was added in PR #3 to fix SECURITY-479 in Jenkins Security Advisory 2017-04-10 . According to commentary on the PR, an administrator should then be able to approve the script. When UserActionDSL.perform is called by LoggingRunListener.onCompleted, the script comes from SplunkJenkinsInstallation.getCode() . A default script is defined in sample.groovy , and a Jenkins administrator can edit the script or specify the path of a file from which SplunkJenkinsInstallation reads the script. If an administrator edits and saves the script in the Splunk plugin configuration, then SplunkJenkinsInstallation.checkApprove calls ScriptApproval.configuring ( javadoc ), which should automatically approve the script. However, I'm not sure whether the Splunk plugin does that when it automatically replaces the default script after you upgrade the plugin. The last such change was in 1.5.0 (April 16, 2017) . The change log of that version indeed mentions that it can cause UnapprovedUsageException and that an administrator should go to "Manage Jenkins -> In-process Script Approval" and approve the script. According to the description of this issue though, "There are no unapproved script or method invocations in the script approval page." That may be a bug in the Script Security plugin, but the Splunk plugin is at least involved here and could be changed to log a more descriptive error, so I'm adding splunk-devops-plugin as a component. It would be interesting to know which version of the Splunk plugin you are using.

          > If an administrator edits and saves the script in the Splunk plugin configuration, then SplunkJenkinsInstallation.checkApprove calls ScriptApproval.configuring (javadoc), which should automatically approve the script.

          Maybe not anymore since https://github.com/jenkinsci/script-security-plugin/commit/f4c0bb9b58e105b4fc6b62be0f7f2daa46178190. And that could actually be the problem here, that the splunk plugin may need to adapt to that security change.

          Allan BURDAJEWICZ added a comment - > If an administrator edits and saves the script in the Splunk plugin configuration, then SplunkJenkinsInstallation.checkApprove calls ScriptApproval.configuring (javadoc), which should automatically approve the script. Maybe not anymore since https://github.com/jenkinsci/script-security-plugin/commit/f4c0bb9b58e105b4fc6b62be0f7f2daa46178190 . And that could actually be the problem here, that the splunk plugin may need to adapt to that security change.

            Unassigned Unassigned
            jaxley Jason Axley
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

              Created:
              Updated: