Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-30432

"Scripts not permitted to use method" in Jenkins Workflow

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      Inlining the script https://github.com/arun-gupta/javaee7-docker-workflow/blob/master/Jenkinsfile in Jenkins workflow builds the project successfully. But referring as a SCM script gives the following error:

      First time build. Skipping changelog.
      Running: Allocate node : Start
      Running on master in /var/jenkins_home/jobs/hello2/workspace
      Running: Allocate node : Body : Start
      Running: Allocate node : Body : End
      Running: Allocate node : End
      Running: End of Workflow
      org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object
      at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:150)
      at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:77)
      at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:60)
      at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:103)
      at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:100)
      at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:15)
      at WorkflowScript.run(WorkflowScript:2)
      at Unknown.Unknown(Unknown)
      at __cps.transform__(Native Method)
      at com.cloudbees.groovy.cps.impl.ContinuationGroup.methodCall(ContinuationGroup.java:69)
      at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:106)
      at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixArg(FunctionCallBlock.java:79)
      at sun.reflect.GeneratedMethodAccessor193.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:497)
      at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
      at com.cloudbees.groovy.cps.impl.ConstantBlock.eval(ConstantBlock.java:21)
      at com.cloudbees.groovy.cps.Next.step(Next.java:58)
      at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:145)
      at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:19)
      at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:33)
      at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:30)
      at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:106)
      at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:30)
      at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:164)
      at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:271)
      at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$000(CpsThreadGroup.java:71)
      at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:180)
      at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:178)
      at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:47)
      at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:112)
      at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
      at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
      at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      at java.lang.Thread.run(Thread.java:745)
      Finished: FAILURE

        Attachments

          Issue Links

            Activity

            Hide
            jglick Jesse Glick added a comment -

            Well, you would either use Support Core (plugins/active.txt is almost right—just strip off /:(not-)?pinned$/), or simply look at /pluginManager/installed if there are only a few plugins relevant to the image.

            Show
            jglick Jesse Glick added a comment - Well, you would either use Support Core ( plugins/active.txt is almost right—just strip off /:(not-)?pinned$/ ), or simply look at /pluginManager/installed if there are only a few plugins relevant to the image.
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/RejectedAccessException.java
            src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/StaticWhitelist.java
            src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java
            src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/blacklist
            src/main/resources/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval/index.jelly
            src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/StaticWhitelistTest.java
            http://jenkins-ci.org/commit/script-security-plugin/7b524139efb32c54be946b5b3fbd6fe01c1abce5
            Log:
            JENKINS-30432 People should not blindly approve dangerous signatures like GroovyObject.invokeMethod.

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Jesse Glick Path: src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/RejectedAccessException.java src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/StaticWhitelist.java src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/blacklist src/main/resources/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval/index.jelly src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/StaticWhitelistTest.java http://jenkins-ci.org/commit/script-security-plugin/7b524139efb32c54be946b5b3fbd6fe01c1abce5 Log: JENKINS-30432 People should not blindly approve dangerous signatures like GroovyObject.invokeMethod.
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/RejectedAccessException.java
            src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/StaticWhitelist.java
            src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java
            src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/blacklist
            src/main/resources/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval/index.jelly
            src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/StaticWhitelistTest.java
            http://jenkins-ci.org/commit/script-security-plugin/0632c7531fbe585c65b19dbdaf1999e4a9a3bb2c
            Log:
            Merge pull request #24 from jglick/dangerous-signatures

            JENKINS-30432 Warn about dangerous signatures

            Compare: https://github.com/jenkinsci/script-security-plugin/compare/b8b421f6836e...0632c7531fbe

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Jesse Glick Path: src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/RejectedAccessException.java src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/StaticWhitelist.java src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/blacklist src/main/resources/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval/index.jelly src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/StaticWhitelistTest.java http://jenkins-ci.org/commit/script-security-plugin/0632c7531fbe585c65b19dbdaf1999e4a9a3bb2c Log: Merge pull request #24 from jglick/dangerous-signatures JENKINS-30432 Warn about dangerous signatures Compare: https://github.com/jenkinsci/script-security-plugin/compare/b8b421f6836e...0632c7531fbe
            Hide
            arungupta arungupta added a comment -
            Show
            arungupta arungupta added a comment - Can you explain in simple language on how https://github.com/javaee-samples/docker-java/blob/master/attendees/cicd/jenkins/plugins.txt would evolve?
            Hide
            jglick Jesse Glick added a comment -

            Well, if when testing your image in a temporary container you find that (a) updates are available, and (b) you want to use them, then accept updates from the Jenkins UI and see if that works. If so, make the corresponding edits in the versioned file and verify that the resulting image behaves as expected. I do this routinely.

            Show
            jglick Jesse Glick added a comment - Well, if when testing your image in a temporary container you find that (a) updates are available, and (b) you want to use them, then accept updates from the Jenkins UI and see if that works. If so, make the corresponding edits in the versioned file and verify that the resulting image behaves as expected. I do this routinely.

              People

              • Assignee:
                jglick Jesse Glick
                Reporter:
                arungupta arungupta
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: