Jenkins / JENKINS-49586

JDepend plugin classes not in JEP-200 whitelist


      Description

      From what I'm reading about JEP-200, it seems that the (old) JDepend plugin's classes might not have been included in the whitelisting.

       

      WARNING: org.codehaus.mojo.jdepend.objects.JDPackage in file:/var/lib/jenkins/plugins/jdepend/WEB-INF/lib/jdepend-maven-plugin-2.0-beta-2.jar might be dangerous, so rejecting; see https://jenkins.io/redirect/class-filter/

      ...

       

      org.codehaus.mojo.jdepend.objects.JDPackage in file:/var/lib/jenkins/plugins/jdepend/WEB-INF/lib/jdepend-maven-plugin-2.0-beta-2.jar might be dangerous, so rejecting; see https://jenkins.io/redirect/class-filter/
      Feb 15, 2018 11:20:35 AM SEVERE hudson.model.Run execute
      Failed to save build record
      java.lang.UnsupportedOperationException: Refusing to marshal org.codehaus.mojo.jdepend.objects.JDPackage for security reasons; see https://jenkins.io/redirect/class-filter/
          at hudson.util.XStream2$BlacklistedTypesConverter.marshal(XStream2.java:543)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:88)
          at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.writeItem(AbstractCollectionConverter.java:64)
          at com.thoughtworks.xstream.converters.collections.CollectionConverter.marshal(CollectionConverter.java:74)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
          at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
          at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
      Caused: java.lang.RuntimeException: Failed to serialize org.codehaus.mojo.jdepend.JDependXMLReportParser#packages for class hudson.plugins.jdepend.JDependParser
          at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256)
          at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224)
          at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138)
          at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209)
          at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
          at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
          at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
      Caused: java.lang.RuntimeException: Failed to serialize hudson.plugins.jdepend.JDependBuildAction#jDependParser for class hudson.plugins.jdepend.JDependBuildAction
          at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256)
          at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224)
          at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138)
          at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209)
          at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:88)
          at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.writeItem(AbstractCollectionConverter.java:64)
          at com.thoughtworks.xstream.converters.collections.CollectionConverter.marshal(CollectionConverter.java:74)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
          at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
          at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
      Caused: java.lang.RuntimeException: Failed to serialize hudson.model.Actionable#actions for class hudson.model.FreeStyleBuild
          at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256)
          at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224)
          at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138)
          at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209)
          at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
          at com.thoughtworks.xstream.core.TreeMarshaller.start(TreeMarshaller.java:82)
          at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.marshal(AbstractTreeMarshallingStrategy.java:37)
          at com.thoughtworks.xstream.XStream.marshal(XStream.java:1026)
          at com.thoughtworks.xstream.XStream.marshal(XStream.java:1015)
          at com.thoughtworks.xstream.XStream.toXML(XStream.java:988)
          at hudson.XmlFile.write(XmlFile.java:193)
      Caused: java.io.IOException
          at hudson.XmlFile.write(XmlFile.java:200)
          at hudson.model.Run.save(Run.java:1923)
          at hudson.model.Run.execute(Run.java:1784)
          at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
          at hudson.model.ResourceController.execute(ResourceController.java:97)
          at hudson.model.Executor.run(Executor.java:429)

       

            Activity

            thenazg Chuck Burgess created issue -
            thenazg Chuck Burgess made changes -
            Field Original Value New Value
            Labels JEP-200
            thenazg Chuck Burgess added a comment -

            JDepend plugin affected by JEP-200

            thenazg Chuck Burgess made changes -
            Link This issue relates to JENKINS-47736 [ JENKINS-47736 ]
            oleg_nenashev Oleg Nenashev added a comment -

            It comes from this dependency:

                 <dependency>
                      <groupId>org.codehaus.mojo</groupId>
                      <artifactId>jdepend-maven-plugin</artifactId>
                      <version>2.0-beta-2</version>
                  </dependency>
            

            The code is not on GitHub AFAICT. CC Arnaud Héritier Stephen Connolly. Likely does not matter, because the plugin should not persist the parser on the disk: https://github.com/jenkinsci/jdepend-plugin/blob/master/src/main/java/hudson/plugins/jdepend/JDependBuildAction.java#L23-L36

            From what I see in the code, the logic can be safely replaced by a transient field

            oleg_nenashev Oleg Nenashev made changes -
            Assignee Oleg Nenashev [ oleg_nenashev ]
            oleg_nenashev Oleg Nenashev made changes -
            Status Open [ 1 ] In Progress [ 3 ]
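The diagnosis in the comment above can be read off the log in the description: the rejection line names the class and its jar, and the `Caused:` chain names the fields that pulled it into the build record. The following triage script is an added example, not part of the ticket or of Jenkins; `triage`, `review_field` and the `CORE_PREFIXES` heuristic are assumptions made for illustration.

```python
import re

# Constructed sample: the log from the description, cut down to the lines the parser reads.
SAMPLE_LOG = """\
WARNING: org.codehaus.mojo.jdepend.objects.JDPackage in file:/var/lib/jenkins/plugins/jdepend/WEB-INF/lib/jdepend-maven-plugin-2.0-beta-2.jar might be dangerous, so rejecting; see https://jenkins.io/redirect/class-filter/
Failed to save build record java.lang.UnsupportedOperationException: Refusing to marshal org.codehaus.mojo.jdepend.objects.JDPackage for security reasons; see https://jenkins.io/redirect/class-filter/
    at hudson.util.XStream2$BlacklistedTypesConverter.marshal(XStream2.java:543)
Caused: java.lang.RuntimeException: Failed to serialize org.codehaus.mojo.jdepend.JDependXMLReportParser#packages for class hudson.plugins.jdepend.JDependParser
Caused: java.lang.RuntimeException: Failed to serialize hudson.plugins.jdepend.JDependBuildAction#jDependParser for class hudson.plugins.jdepend.JDependBuildAction
Caused: java.lang.RuntimeException: Failed to serialize hudson.model.Actionable#actions for class hudson.model.FreeStyleBuild
"""

REJECTED = re.compile(r"([\w.$]+) in file:(\S+\.jar) might be dangerous, so rejecting")
REFUSED = re.compile(r"Refusing to marshal ([\w.$]+) for security reasons")
FIELD = re.compile(r"Failed to serialize ([\w.$]+)#(\w+) for class ([\w.$]+)")
PLUGIN_DIR = re.compile(r"/plugins/([^/]+)/WEB-INF/lib/")
# Assumption: fields declared in these packages belong to Jenkins core, not to a plugin.
CORE_PREFIXES = ("hudson.model.", "jenkins.model.")


def triage(log_text):
    """Return one finding per refused class: jar, plugin, field chain, field to review."""
    jars, findings, current = {}, [], None
    for line in log_text.splitlines():
        if m := REJECTED.search(line):
            jars[m.group(1)] = m.group(2)
        elif m := REFUSED.search(line):
            current = {"rejected": m.group(1), "chain": []}
            findings.append(current)
        elif (m := FIELD.search(line)) and current is not None:
            # "Caused:" lines run from the innermost field to the outermost one.
            current["chain"].append(f"{m.group(1)}#{m.group(2)}")
    for f in findings:
        f["jar"] = jars.get(f["rejected"])
        plugin = PLUGIN_DIR.search(f["jar"] or "")
        f["plugin"] = plugin.group(1) if plugin else None
        # Outermost field not declared by core: where the plugin first pulls
        # the refused type into the persisted build record.
        f["review_field"] = next(
            (c for c in reversed(f["chain"]) if not c.startswith(CORE_PREFIXES)), None)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the sample, `review_field` comes out as `hudson.plugins.jdepend.JDependBuildAction#jDependParser`, the field whose persistence the comment above questions.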
            oleg_nenashev Oleg Nenashev added a comment -

            Created https://github.com/jenkinsci/jdepend-plugin/pull/2. Would it be possible to test the snapshot?

            oleg_nenashev Oleg Nenashev made changes -
            Remote Link This issue links to "https://github.com/jenkinsci/jdepend-plugin/pull/2 (Web Link)" [ 20091 ]
            oleg_nenashev Oleg Nenashev made changes -
            Status In Progress [ 3 ] In Review [ 10005 ]
            thenazg Chuck Burgess added a comment -

            Not sure that I could test the snapshot... are there instructions somewhere about pulling a plugin snapshot into a Jenkins instance that would normally only see releases available?

            oleg_nenashev Oleg Nenashev added a comment -

            1) Download https://ci.jenkins.io/job/Plugins/job/jdepend-plugin/job/PR-2/1/artifact/target/jdepend.hpi
            2) Go to Plugin Manager / Advanced tab
            3) Find the "Upload a plugin" control, specify the downloaded file
            4) After the plugin is installed, restart the instance

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Oleg Nenashev
            Path:
            pom.xml
            src/main/java/hudson/plugins/jdepend/JDependBuildAction.java
            src/main/java/hudson/plugins/jdepend/JDependParser.java
            src/main/resources/hudson/plugins/jdepend/JDependBuildAction/index.jelly
            src/main/resources/hudson/plugins/jdepend/JDependProjectAction/index.jelly
            src/main/resources/hudson/plugins/jdepend/JDependRecorder/config.jelly
            src/main/resources/index.jelly
            http://jenkins-ci.org/commit/jdepend-plugin/baad82043487526f1925e16bf416355d33213c10
            Log:
            JENKINS-49586 - Update Parent POM and resolve reported issues

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Oleg Nenashev
            Path:
            src/main/java/hudson/plugins/jdepend/JDependBuildAction.java
            src/main/java/hudson/plugins/jdepend/JDependRecorder.java
            src/main/resources/hudson/plugins/jdepend/JDependBuildAction/index.jelly
            http://jenkins-ci.org/commit/jdepend-plugin/54a2c37429dc934055eb563c8e6e416459047835
            Log:
            JENKINS-49586 - Stop serializing JDependParser to the disk

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Oleg Nenashev
            Path:
            Jenkinsfile
            pom.xml
            http://jenkins-ci.org/commit/jdepend-plugin/a8c8e300b287d946e45c058f0f1b71116e4a200b
            Log:
            JENKINS-49586 - Add Jenkinsfile and resolve upper bounds for 2.104

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Oleg Nenashev
            Path:
            Jenkinsfile
            pom.xml
            src/main/java/hudson/plugins/jdepend/JDependBuildAction.java
            src/main/java/hudson/plugins/jdepend/JDependParser.java
            src/main/java/hudson/plugins/jdepend/JDependRecorder.java
            src/main/resources/hudson/plugins/jdepend/JDependBuildAction/index.jelly
            src/main/resources/hudson/plugins/jdepend/JDependProjectAction/index.jelly
            src/main/resources/hudson/plugins/jdepend/JDependRecorder/config.jelly
            src/main/resources/index.jelly
            http://jenkins-ci.org/commit/jdepend-plugin/afcf6bfd27770e813c279927c6020c1fc8f1e071
            Log:
            Merge pull request #2 from oleg-nenashev/JENKINS-49586

            JENKINS-49586 - Stop Serializing JDependParser to the disk (JEP-200 in 2.102+)

            Compare: https://github.com/jenkinsci/jdepend-plugin/compare/0c8fbfa25f1d...afcf6bfd2777

            oleg_nenashev Oleg Nenashev added a comment -

            The fix has been released in 1.3.0. Note that the release also includes this commit: https://github.com/jenkinsci/jdepend-plugin/commit/0c8fbfa25f1dac94b1df242578b12da2cd4ac7ec . If it causes any issues, raise the flag

            oleg_nenashev Oleg Nenashev made changes -
            Status In Review [ 10005 ] Resolved [ 5 ]
            Resolution Fixed [ 1 ]
            thenazg Chuck Burgess added a comment -

            1.3.0 seems to have fixed it for me... thanks Oleg Nenashev !

            oleg_nenashev Oleg Nenashev added a comment -

            you are welcome


              People

              • Assignee:
                oleg_nenashev Oleg Nenashev
                Reporter:
                thenazg Chuck Burgess