
Prepare global post script for removal of Commons HttpClient 3.x

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • I'm using Jenkins 2.387.1-alpine with JDK 17 under docker and global-post-script-plugin version 1.1.4

      I run a global script that fixes ownership of a workspace directory (in case a developer has managed to create assets owned by a non-Jenkins user, via a docker command) so that the workspace cleanup plugin can dispose of old workspaces.

      As of a few weeks ago, the script has started failing with the following trace:

      java.lang.NoClassDefFoundError: org/apache/commons/httpclient/HttpMethod
      	at com.orctom.jenkins.plugin.globalpostscript.GlobalPostScript.onCompleted(GlobalPostScript.java:59)
      	at hudson.model.listeners.RunListener.lambda$fireCompleted$0(RunListener.java:207)
      	at jenkins.util.Listeners.lambda$notify$0(Listeners.java:59)
      	at jenkins.util.Listeners.notify(Listeners.java:67)
      	at hudson.model.listeners.RunListener.fireCompleted(RunListener.java:205)
      	at org.jenkinsci.plugins.workflow.job.WorkflowRun.finish(WorkflowRun.java:644)
      	at org.jenkinsci.plugins.workflow.job.WorkflowRun$GraphL.onNewHead(WorkflowRun.java:1065)
      	at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution.notifyListeners(CpsFlowExecution.java:1588)
      	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$3.run(CpsThreadGroup.java:509)
      	at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$1.run(CpsVmExecutorService.java:38)
      	at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:139)
      	at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
      	at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:68)
      	at jenkins.util.ErrorLoggingExecutorService.lambda$wrap$0(ErrorLoggingExecutorService.java:51)
      	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
      	at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
      	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
      	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
      	at java.base/java.lang.Thread.run(Unknown Source)
      Caused by: java.lang.ClassNotFoundException: org.apache.commons.httpclient.HttpMethod
      	at java.base/java.net.URLClassLoader.findClass(Unknown Source)
      	at jenkins.util.URLClassLoader2.findClass(URLClassLoader2.java:35)
      	at java.base/java.lang.ClassLoader.loadClass(Unknown Source)
      	at java.base/java.lang.ClassLoader.loadClass(Unknown Source)
      	... 19 more
      

      Based on some cursory searching, it seems the fix is to add apache-httpcomponents as a dependency in the plugin pom.xml file. I tried to import org.apache.httpcomponents in the groovy script, but that made no difference.

          [JENKINS-70842] Prepare global post script for removal of Commons HttpClient 3.x

          Mark Waite added a comment - edited

          The global postscript plugin depends on the forked copy of the Apache httpclient 3.0 library that was previously embedded in Jenkins core. That forked copy of the library has been removed in Jenkins 2.387.1 as described in the changelog. The changelog says:

          Jenkins no longer bundles a patched version of the deprecated Commons HttpClient 3.x library for use by plugins. Plugins should be migrated to the native Java 11 HTTP client or updated to depend on the legacy Commons HttpClient 3.x API plugin

          The global postscript plugin is listed in the tracking sheet. That tracking sheet notes that there is a security vulnerability in the global postscript plugin. If you adopt the plugin, you could modernize the plugin, modify it to use a more modern HttpClient, and fix the security issue as well.

          There is an open pull request for the plugin that proposes to fix the security issue and do some modernization.

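An added example (not part of the issue or of the plugin's code): a Python audit that classifies a plugin archive by whether it still references the removed `org.apache.commons.httpclient` classes without bundling them or declaring the legacy API plugin, which is the condition behind the `NoClassDefFoundError` in the trace above. The plugin ID `commons-httpclient3-api`, the `WEB-INF` layout and the `Plugin-Dependencies` manifest attribute are assumptions about Jenkins plugin packaging, and the sample archive is constructed.

```python
import io
import zipfile

REMOVED_PKG = "org/apache/commons/httpclient/"
LEGACY_API_PLUGIN = "commons-httpclient3-api"  # assumed ID of the legacy API plugin

def manifest_deps(archive):
    """Plugin IDs named in the manifest's Plugin-Dependencies attribute."""
    if "META-INF/MANIFEST.MF" not in archive.namelist():
        return set()
    text = archive.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold continuation lines
    for line in text.split("\n"):
        if line.startswith("Plugin-Dependencies:"):
            entries = line.split(":", 1)[1].split(",")
            return {e.strip().split(":")[0] for e in entries if e.strip()}
    return set()

def scan(archive):
    """Return (some class references the package, the package itself is bundled)."""
    refs = bundled = False
    for name in archive.namelist():
        if name.endswith(".class"):
            if REMOVED_PKG in name:
                bundled = True  # the library's own classes ship in this archive
            elif REMOVED_PKG.encode() in archive.read(name):
                refs = True     # constant pool names a class from the package
        elif name.endswith(".jar"):  # libraries under WEB-INF/lib
            with zipfile.ZipFile(io.BytesIO(archive.read(name))) as nested:
                r, b = scan(nested)
            refs, bundled = refs or r, bundled or b
    return refs, bundled

def audit_plugin(data):
    """Classify one .hpi/.jpi given as bytes: 'clean', 'provided' or 'broken'."""
    with zipfile.ZipFile(io.BytesIO(data)) as hpi:
        (refs, bundled), deps = scan(hpi), manifest_deps(hpi)
    if not refs:
        return "clean"
    return "provided" if bundled or LEGACY_API_PLUGIN in deps else "broken"

def make_sample_hpi(deps):
    """Constructed in-memory plugin archive for demonstration, not a real plugin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Plugin-Dependencies: " + deps + "\r\n")
        z.writestr("WEB-INF/classes/demo/Listener.class",
                   b"\xca\xfe\xba\xbe" + REMOVED_PKG.encode() + b"HttpMethod")
    return buf.getvalue()
```

To audit a controller, pass the bytes of each `.hpi`/`.jpi` file under `$JENKINS_HOME/plugins` to `audit_plugin`; a `broken` result marks a plugin that will fail at class-load time on a core without the bundled library.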

          Peter Lieverdink added a comment

          Now look what you made me do!

          https://github.com/jenkinsci/global-post-script-plugin/pull/13

          If I apply those changes on top of the CVE pull request and build, I end up with a plugin that works like it used to.

            orctom Hao CHEN
            cafuego Peter Lieverdink
            Votes: 0
            Watchers: 2