JENKINS-50502

JEP-200: Refusing to marshal com.blackducksoftware.integration.hub.report.api.ReportData for security reasons


      Description

      After upgrading to Jenkins 2.107.1, the following is seen in the Jenkins logs with regard to the Black Duck plugin:

      java.io.IOException: java.lang.RuntimeException: Failed to serialize hudson.model.Actionable#actions for class hudson.model.FreeStyleBuild
              at hudson.XmlFile.write(XmlFile.java:200)
              at hudson.model.Run.save(Run.java:1923)
              at hudson.model.Run.execute(Run.java:1784)
              at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
              at hudson.model.ResourceController.execute(ResourceController.java:97)
              at hudson.model.Executor.run(Executor.java:429)
      Caused by: java.lang.RuntimeException: Failed to serialize hudson.model.Actionable#actions for class hudson.model.FreeStyleBuild
              at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256)
              at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224)
              at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138)
              at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209)
              at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150)
              at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
              at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
              at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
              at com.thoughtworks.xstream.core.TreeMarshaller.start(TreeMarshaller.java:82)
              at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.marshal(AbstractTreeMarshallingStrategy.java:37)
              at com.thoughtworks.xstream.XStream.marshal(XStream.java:1026)
              at com.thoughtworks.xstream.XStream.marshal(XStream.java:1015)
              at com.thoughtworks.xstream.XStream.toXML(XStream.java:988)
              at hudson.XmlFile.write(XmlFile.java:193)
              ... 5 more
      Caused by: java.lang.RuntimeException: Failed to serialize com.blackducksoftware.integration.hub.jenkins.action.HubReportV2Action#reportData for class com.blackducksoftware.integration.hub.jenkins.action.HubReportV2Action
              at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256)
              at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224)
              at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138)
              at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209)
              at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150)
              at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
              at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
              at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
              at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:88)
              at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.writeItem(AbstractCollectionConverter.java:64)
              at com.thoughtworks.xstream.converters.collections.CollectionConverter.marshal(CollectionConverter.java:74)
              at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
              at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
              at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
              at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
              at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
              ... 18 more
      Caused by: java.lang.UnsupportedOperationException: Refusing to marshal com.blackducksoftware.integration.hub.report.api.ReportData for security reasons; see https://jenkins.io/redirect/class-filter/
              at hudson.util.XStream2$BlacklistedTypesConverter.marshal(XStream2.java:543)
              at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
              at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
              at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
              at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
              at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
              ... 33 more
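
      A log-triage sketch added here (not part of the original issue, of Jenkins, or of the plugin): it scans a Jenkins log for the JEP-200 refusal message shown in the trace above and rebuilds which build type and which fields held the rejected class. The function names and the sample log are constructed for illustration, and only the two message formats visible in this trace are recognised.

```python
import re
from collections import Counter

# Message formats copied from the stack trace in this issue.
REFUSED = re.compile(r"Refusing to marshal (?P<cls>[\w.$]+) for security reasons")
FAILED = re.compile(
    r"Failed to serialize (?P<owner>[\w.$]+)#(?P<field>\w+) for class (?P<holder>[\w.$]+)")

# Constructed sample: exception headers from the trace above, most frames omitted.
SAMPLE_LOG = """\
java.io.IOException: java.lang.RuntimeException: Failed to serialize hudson.model.Actionable#actions for class hudson.model.FreeStyleBuild
        at hudson.XmlFile.write(XmlFile.java:200)
Caused by: java.lang.RuntimeException: Failed to serialize hudson.model.Actionable#actions for class hudson.model.FreeStyleBuild
Caused by: java.lang.RuntimeException: Failed to serialize com.blackducksoftware.integration.hub.jenkins.action.HubReportV2Action#reportData for class com.blackducksoftware.integration.hub.jenkins.action.HubReportV2Action
        ... 18 more
Caused by: java.lang.UnsupportedOperationException: Refusing to marshal com.blackducksoftware.integration.hub.report.api.ReportData for security reasons; see https://jenkins.io/redirect/class-filter/
        at hudson.util.XStream2$BlacklistedTypesConverter.marshal(XStream2.java:543)
"""

def find_rejections(log_text):
    """Return one record per 'Refusing to marshal' line, with the field path
    (outermost first) rebuilt from the 'Failed to serialize' headers before it."""
    records, path = [], []
    for line in log_text.splitlines():
        s = line.strip()
        if not s or s.startswith(("at ", "...")):
            continue  # blank line or stack frame: carries no field information
        if not s.startswith("Caused by:"):
            path = []  # any other line starts a new exception chain
        m = FAILED.search(s)
        if m:
            step = (m["holder"], m["owner"], m["field"])
            if step not in path:  # the wrapping IOException repeats its cause
                path.append(step)
            continue
        m = REFUSED.search(s)
        if m:
            records.append({"rejected": m["cls"],
                            "root": path[0][0] if path else None,
                            "fields": [f"{o}#{f}" for _, o, f in path]})
    return records

def summarize(records):
    """Count refusals per class so repeated build saves collapse to one row."""
    return Counter(r["rejected"] for r in records)

if __name__ == "__main__":
    for rec in find_rejections(SAMPLE_LOG):
        print(rec["rejected"], "<-", rec["root"], "via", " -> ".join(rec["fields"]))
```

      The per-class counts from `summarize` give the list of types to check against the page linked in the refusal message (https://jenkins.io/redirect/class-filter/) and against the owning plugin's release notes.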

       

          Activity

          akamen Ari Kamen added a comment -

          Linda Springsteen we will look into this issue, but we have also announced an EOL for this product.  We recommend that users transition to our Detect product, we also have a Detect for Jenkins if interested.  

          https://wiki.jenkins.io/display/JENKINS/Black+Duck+Detect+Plugin

           

          oleg_nenashev Oleg Nenashev added a comment -

          Ari Kamen Thanks for the response! BTW, it may make sense to verify the compatibility of the new plugin with JEP-200.
          I do not see code which is obviously impacted, but I may be missing something. The new plugin is based on Gradle, so we cannot run plugin compatibility tester against it.

          akamen Ari Kamen added a comment -

          Oleg Nenashev indeed we have switched to gradle as all of our plugins are now gradle based with a common gradle plugin for consistency and ease of deployment.  

          Want to thank you for bringing this to our attention, the list of compatibility issues does seem rather substantial, I assume you are referring to this:  https://wiki.jenkins.io/display/JENKINS/Plugins+affected+by+fix+for+JEP-200

           

           

          lspringsteen Linda Springsteen added a comment -

          I hope this can be fixed as we have contractual agreements to black duck scan all source code we deliver.

          Thanks, Linda

          oleg_nenashev Oleg Nenashev added a comment -

          OK, as JEP-200 maintainers we will assume that the ticket is going to be handled by the vendor.
          Please do not hesitate to ping me and Jesse Glick if any reviews/expertise are required

          > Want to thank you for bringing this to our attention, the list of compatibility issues does seem rather substantial, I assume you are referring to this: https://wiki.jenkins.io/display/JENKINS/Plugins+affected+by+fix+for+JEP-200

          Yes. JEP-200 is pretty big. https://jenkins.io/blog/2018/03/15/jep-200-lts/ includes an overview of the change from the User PoV.
          Regarding the plugin maintainer side, see the embedded presentation and links (unfortunately not really applicable to Gradle, manual testing steps are required).

          jrichard James Richard added a comment -

          We are handling this now. It should be fixed in the next release, coming soon

          oleg_nenashev Oleg Nenashev added a comment -

          Thanks James Richard. Let us know once it is released, we will update the status documentation

          jrichard James Richard added a comment -

          Oleg Nenashev This problem should be resolved now in release 3.1.0


            People

            Assignee:
            jrichard James Richard
            Reporter:
            lspringsteen Linda Springsteen