Script-security


Marit M

Jul 26, 2022, 4:02:44 AM
to Jenkins Developers
Hi,

I used the script-security plugin in a newly developed plugin, https://github.com/jenkinsci/bmc-change-manager-imstm-plugin, but I don't get anything in In-process Script Approval.

BmcDlpBuilder.java:

script = new SecureGroovyScript(groovyScript, false, null).configuring(ApprovalContext.create());
body=script.evaluate(cl, binding).toString().replace(",,","");

Please advise how to proceed.

Thanks,
Marit.

Daniel Beck

Jul 26, 2022, 4:07:14 AM
to jenkin...@googlegroups.com
Are you a Jenkins administrator, whose scripts are automatically approved, while those methods are invoked?

Jesse Glick

Jul 26, 2022, 12:09:59 PM
to jenkin...@googlegroups.com
https://github.com/jenkinsci/bmc-change-manager-imstm-plugin/blob/929fd09178bb30bce1787fe4844a75fcf6751444/src/main/java/com/bmc/ims/BmcDlpBuilder.java#L445-L447 is not how this API is designed to be used at all. From https://javadoc.jenkins.io/plugin/script-security/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.html

"May be kept as the value of a field and passed in a DataBoundConstructor parameter"

I have no idea what you are attempting to do, but it will probably not work, or if it does, not be secure. I would advise not attempting to use in-process Groovy scripting if you can possibly avoid it. 
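
The usage that the quoted Javadoc sentence describes, as an added example that is not part of the thread or of the plugin under discussion: the script is a persisted field bound through the DataBoundConstructor, so it is configured when a user saves the job rather than constructed at build time. The class name ExampleScriptBuilder, the display name and the bound variable are hypothetical.

```java
// Added example: hypothetical builder, not code from the plugin discussed in the thread.
import groovy.lang.Binding;
import hudson.Extension;
import hudson.Launcher;
import hudson.model.AbstractBuild;
import hudson.model.AbstractProject;
import hudson.model.BuildListener;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import jenkins.model.Jenkins;
import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript;
import org.kohsuke.stapler.DataBoundConstructor;

public class ExampleScriptBuilder extends Builder {
    // Persisted with the job configuration; config.jelly binds it with <f:property field="script"/>.
    private final SecureGroovyScript script;

    @DataBoundConstructor
    public ExampleScriptBuilder(SecureGroovyScript script) {
        // Runs when a user saves the form, so approval is evaluated against that user.
        this.script = script.configuringWithKeyItem();
    }

    public SecureGroovyScript getScript() { return script; }

    @Override
    public boolean perform(AbstractBuild<?, ?> build, Launcher launcher, BuildListener listener) {
        Binding binding = new Binding();
        binding.setVariable("build", build); // hypothetical variable exposed to the script
        try {
            Object result = script.evaluate(Jenkins.get().getPluginManager().uberClassLoader, binding, listener);
            listener.getLogger().println("Script returned: " + result);
            return true;
        } catch (Exception e) {
            // Includes rejection of an unapproved script and sandbox violations.
            e.printStackTrace(listener.error("Groovy script did not run"));
            return false;
        }
    }

    @Extension
    public static class DescriptorImpl extends BuildStepDescriptor<Builder> {
        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }
        @Override
        public String getDisplayName() { return "Run example Groovy script"; }
    }
}
```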