Bug
Resolution: Unresolved
Trivial
None
1366.vd44b_49a_5c85c
[JENKINS-74781] Jenkins asking for same script approval even after script is approved with the latest release plugin
Hi Mark,
Our pipeline scripts were working fine until we updated the plugin to the latest version, 1366.vd44b_49a_5c85c.
After updating the plugin we started getting a failure complaining that the script needs to be approved, as below.
We tried to approve the script multiple times and executed the scripts again, and it still was not resolved. (Every time we run, we see that JsonSlurperClassic is in both the "pending signature approvals" and "Signatures already approved" sections.)
Later on we installed the previous version of the script security plugin and the pipeline got executed successfully.
We are trying to execute the Jenkinsfile from Bitbucket, which uses groovy.json.JsonSlurperClassic.
Please let me know if you need more information.
Please provide an example script that shows the failure. Others are much more likely to investigate if there is an example script that shows the issue.
Please find the sample script below.
import groovy.json.JsonSlurperClassic

pipeline {
    agent any
    stages {
        stage('List Credentials') {
            steps {
                script {
                    // The line that assigns `input` is cut off on this page; only its tail `]"` survives.
                    println(input)
                    def inputJSON = new JsonSlurperClassic().parseText(input)
                    def keys = inputJSON.toSet() as List
                    println(keys)
                }
            }
        }
    }
}
Thanks. Using that script, I can see the message the first time when it reports that JSONSlurper requires approval. After approval of that class, then the second run wants approval of a method on the JSONSlurper class. Once I've approved those two items, then no further approvals are required.
I see no difference whether I use the previous release 1365.v4778ca_84b_de5 or the most recent release 1366.vd44b_49a_5c85c. With both releases, it requires two approvals for the JSONSlurper.parseText(String) method to be approved. Do you see something different?
I modified your script slightly to be this:
import groovy.json.JsonSlurperClassic

pipeline {
    agent any
    stages {
        stage('Script approval test') {
            steps {
                script {
                    input = '[{"test":"test12"}]'
                    println(input)
                    def inputJSON = new JsonSlurperClassic().parseText(input)
                    def keys = inputJSON.toSet() as List
                    println(keys)
                }
            }
        }
    }
}

That exception seems to point to StaticWhiteList.parse line 175, where the line that is being parsed is not recognized as a valid line. The first token on the parsed line is expected to be either "method" or "new" or "staticMethod" or "field" or "staticField", but the first token seems to be "SHA512:...".
I think that indicates that the scriptApproval.xml file in the Jenkins home directory has been damaged or contains incorrect content. After interactive testing of the two test jobs that I was using, my scriptApproval.xml file looks like this:
<?xml version='1.1' encoding='UTF-8'?>
<scriptApproval plugin="script-security@1365.v4778ca_84b_de5">
  <approvedScriptHashes/>
  <approvedSignatures>
    <string>method groovy.json.JsonSlurperClassic parseText java.lang.String</string>
    <string>new groovy.json.JsonSlurperClassic</string>
    <string>staticMethod org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval get</string>
  </approvedSignatures>
  <aclApprovedSignatures/>
  <approvedClasspathEntries/>
  <pendingScripts/>
  <pendingSignatures/>
  <pendingClasspathEntries/>
</scriptApproval>

However, I see in my own archived scriptApproval.xml file that I have lines that start with "SHA512" as well, though they are in a configuration section called "approvedScriptHashes" and not in the section called "approvedSignatures".
I think with the latest version of the script security plugin the entry SHA512 was added. When we downgraded the plugin we had to delete this entry from the scriptApproval.xml for the downgraded version to work.
I will try to replicate this on my local Jenkins and update you.
I think that you have an entry in "approvedSignatures" that belongs in "approvedScriptHashes". There should be no "SHA512" entries in the XML section for "approvedSignatures".
Please provide steps to reproduce the problem from scratch on a clean Jenkins installation. For example, "install version X, run script Y, click button Z, and observe that a SHA512 entry is incorrectly present in the approved signatures section."
In our organization we update all the Jenkins plugins every month, and we started observing this issue for the pipeline using groovy.json.JsonSlurperClassic after the script security plugin was updated last week (the same pipeline was working before). We downgraded the script security plugin to make it work for now.
I will try to replicate this issue by installing Jenkins on my personal computer and update you.
I'm unable to duplicate the problem as described. You'll need to provide much more information so that others can duplicate the issue. "How to report an issue" describes the type of information needed. Steps that I took while trying to duplicate the issue:
pipeline {
    agent any
    stages {
        stage('get script approval') {
            steps {
                script {
                    org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval scriptApproval = org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval.get()
                }
            }
        }
    }
}
If additional information is not provided, this issue will be closed as "Cannot reproduce".