[JIRA] (JENKINS-57566) Default security prohibits ResultAction's getResult


jenkins@email.twam.info (JIRA)

May 20, 2019, 12:31:02 PM
to jenkinsc...@googlegroups.com
Tobias Müller created an issue
 
Jenkins / Bug JENKINS-57566
Default security prohibits ResultAction's getResult
Issue Type: Bug
Assignee: Ulli Hafner
Components: warnings-ng-plugin
Created: 2019-05-20 16:30
Priority: Minor
Reporter: Tobias Müller

The

post {
  always {
    dir("build") {
      script {
        def gccIssues = scanForIssues tool: gcc4(name: 'GCC')
        def action = publishIssues issues: [ gccIssues ], filters: [ excludeFile(".*[/\\\\]src[/\\\\]external.*") ]
        // this is the call the script-security sandbox rejects
        def result = action.getResult()
        def newSize = result.getNewSize()
        // echo expects a String, so interpolate the count and the issue list
        echo "${newSize}"
        echo "${result.getNewIssues()}"
      }
    }
  }
}

fails with

org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method io.jenkins.plugins.analysis.core.model.ResultAction getResult
at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:262)
 
This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

jenkins@email.twam.info (JIRA)

May 20, 2019, 12:32:01 PM
to jenkinsc...@googlegroups.com
Tobias Müller updated an issue
Change By: Tobias Müller
The
{code:java}

post {
  always {
    dir("build") {
      script {
        def gccIssues = scanForIssues tool: gcc4(name: 'GCC')
        def action = publishIssues issues: [ gccIssues ], filters: [ excludeFile(".*[/\\\\]src[/\\\\]external.*") ]
        // this is the call the script-security sandbox rejects
        def result = action.getResult()
        def newSize = result.getNewSize()
        // echo expects a String, so interpolate the count and the issue list
        echo "${newSize}"
        echo "${result.getNewIssues()}"
      }
    }
  }
}
{code}
fails with
{noformat}

org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method io.jenkins.plugins.analysis.core.model.ResultAction getResult
at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:262)
{noformat}
I also reported this on Gitter on 20.05.2019 and was asked to create this bug report here.

ullrich.hafner@gmail.com (JIRA)

Sep 22, 2019, 5:07:02 PM
to jenkinsc...@googlegroups.com
Ulli Hafner resolved as Won't Fix
 

After thinking again in more detail, I think that the idea is not so good after all. This change would require making the whole API part of the whitelist, which will make the whole component vulnerable.

Change By: Ulli Hafner
Status: Open → Resolved
Resolution: Won't Fix

ullrich.hafner@gmail.com (JIRA)

Dec 27, 2019, 8:07:02 AM
to jenkinsc...@googlegroups.com
Ulli Hafner reopened an issue
Change By: Ulli Hafner
Resolution: Won't Fix
Status: Resolved → Reopened

ullrich.hafner@gmail.com (JIRA)

Dec 27, 2019, 8:09:02 AM
to jenkinsc...@googlegroups.com
Ulli Hafner commented on Bug JENKINS-57566
 
Re: Default security prohibits ResultAction's getResult

Since a couple of other users requested such a change, I am reopening this issue. If we carefully decide which API methods should be made accessible, then we should manage to keep the API from being vulnerable.

david.wright@bluewin.ch (JIRA)

Jan 3, 2020, 5:55:02 AM
to jenkinsc...@googlegroups.com

Initially I was struggling to obtain the result of the warnings-ng quality gates; however, thanks to this issue and Ulli Hafner's help on Gitter I managed to do so. Since I am one of the admins of the Jenkins instance, I was able to whitelist this ResultAction::getResult access.

I do have a question regarding this though: Is there a reason why recordIssues returns void? I.e. would it be possible to return a result for this step as well?

Also I believe that people would benefit from this being part of the documentation on [GitHub |https://github.com/jenkinsci/warnings-ng-plugin/blob/master/doc/Documentation.md] and [Jenkins IO | https://jenkins.io/doc/pipeline/steps/warnings-ng/]

I would be more than happy to do this myself, but to be honest I think my familiarity with the code is too limited.

david.wright@bluewin.ch (JIRA)

Jan 3, 2020, 6:02:03 AM
to jenkinsc...@googlegroups.com
David Wright edited a comment on Bug JENKINS-57566
Initially I was struggling to obtain the result of the warnings-ng quality gates; however, thanks to this issue and [~drulli]'s help on Gitter I managed to do so. Since I am one of the admins of the Jenkins instance, I was able to whitelist this {{ResultAction::getResult}} access.



I do have a question regarding this though: Is there a reason why {{recordIssues}} returns {{void}}? I.e. would it be possible to return a result for this step as well?


Also I believe that people would benefit from this being part of the documentation on [GitHub|https://github.com/jenkinsci/warnings-ng-plugin/blob/master/doc/Documentation.md] and [Jenkins IO|https://jenkins.io/doc/pipeline/steps/warnings-ng/]

I would be more than happy to do this myself, but to be honest I think my familiarity with the code is too limited.


Below is my code, which is part of a Groovy script where I created a custom step which executes some closure before running warnings NG, publishes a build badge and feeds the results to GitLab.

Unfortunately, I was not able to get the {{QualityGateStatus}}, which would have helped me to set the build badge and GitLab commit status to unstable. There was a method not found error if I remember correctly. I will have to perform some further analysis on this.

 
{code:java}
def runWarningsNGStage(String stageName, analysisTool, int newIssuesThreshold = 1, boolean newIssuesUnstable = false, int totalIssuesThreshold = 0, boolean totalIssuesUnstable = false, Closure body)
{
  def buildBadge = addEmbeddableBadgeConfiguration(id: stageName, subject: stageName)
  stage(stageName)
  {
    updateGitlabCommitStatus(name: stageName, state: 'running')
    buildBadge.setStatus('running')

    body()

    def foundIssues = scanForIssues(tool: analysisTool)
    def action = publishIssues(issues: [foundIssues],
                     qualityGates:
                     [[threshold: newIssuesThreshold, type: 'NEW', unstable: newIssuesUnstable],
                      [threshold: totalIssuesThreshold, type: 'TOTAL', unstable: totalIssuesUnstable]])

    // TODO: for some reason action.getQualityGateStatus().getResult() does not work, using this result we could set it to unstable as well.
    def result = action.isSuccessful()

    if(result)
    {
        buildBadge.setStatus('passing')
        updateGitlabCommitStatus(name: stageName, state: 'success')
    }
    else
    {
        buildBadge.setStatus('failing')
        updateGitlabCommitStatus(name: stageName, state: 'failed')
    }
  }
}
{code}

ullrich.hafner@gmail.com (JIRA)

Jan 3, 2020, 3:03:02 PM
to jenkinsc...@googlegroups.com

Thanks for the details, I think I can write a test case with the ideas used in the script and add the corresponding whitelisting information.

I do have a question regarding this though: Is there a reason why recordIssues returns void? I.e. would it be possible to return a result for this step as well?

It returns void because the step may create several actions. I can return a list of actions or an aggregation of all actions. What makes more sense to you?

david.wright@bluewin.ch (JIRA)

Jan 6, 2020, 2:48:02 AM
to jenkinsc...@googlegroups.com

Thank you, that would be great! I think a list of actions would be most practical.

david.wright@bluewin.ch (JIRA)

Jan 6, 2020, 3:57:02 AM
to jenkinsc...@googlegroups.com

Ulli Hafner, is there any hint you could give me as to why this does not work?
action.getQualityGateStatus().getResult()

david.wright@bluewin.ch (JIRA)

Jan 6, 2020, 4:00:04 AM
to jenkinsc...@googlegroups.com
David Wright updated an issue
 
Change By: David Wright
Comment: [~drulli], is there any hint you could give me as to why this does not work?
action.getQualityGateStatus().getResult()

ullrich.hafner@gmail.com (JIRA)

Jan 6, 2020, 4:10:05 PM
to jenkinsc...@googlegroups.com
Ulli Hafner started work on Bug JENKINS-57566
 
Change By: Ulli Hafner
Status: Reopened → In Progress

ullrich.hafner@gmail.com (JIRA)

Jan 6, 2020, 4:10:05 PM
to jenkinsc...@googlegroups.com

ullrich.hafner@gmail.com (JIRA)

Jan 6, 2020, 4:12:03 PM
to jenkinsc...@googlegroups.com
Ulli Hafner commented on Bug JENKINS-57566
 
Re: Default security prohibits ResultAction's getResult

I started a pull request. The whitelisted API is listed in the corresponding test case. Please let me know if there are additional methods missing.

david.wright@bluewin.ch (JIRA)

Jan 7, 2020, 4:34:04 AM
to jenkinsc...@googlegroups.com

Thanks to your pull request I managed to get the quality gate result including "unstable" results. My code currently marks unstable results as successful in GitLab, since we use them for recommended static analysis rules, rather than mandatory or highly recommended.

 

I had to add the following signatures to the whitelist:

method io.jenkins.plugins.analysis.core.util.QualityGateStatus getResult

method io.jenkins.plugins.analysis.core.util.StaticAnalysisRun getQualityGateStatus

method io.jenkins.plugins.analysis.core.model.ResultAction getResult

def runWarningsNGStage(String stageName, analysisTool, int newIssuesThreshold = 1, boolean newIssuesUnstable = false, int totalIssuesThreshold = 0, boolean totalIssuesUnstable = false, Closure body)
{
  def buildBadge = addEmbeddableBadgeConfiguration(id: stageName, subject: stageName)
  stage(stageName)
  {
    updateGitlabCommitStatus(name: stageName, state: 'running')
    buildBadge.setStatus('running')
    body()
    def foundIssues = scanForIssues(tool: analysisTool)
    def action = publishIssues(issues: [foundIssues],
                     qualityGates: [[threshold: newIssuesThreshold, type: 'NEW', unstable: newIssuesUnstable],
                                    [threshold: totalIssuesThreshold, type: 'TOTAL', unstable: totalIssuesUnstable]])
    // needs the three whitelisted signatures listed above
    def result = action.getResult().getQualityGateStatus().getResult().toString()
    switch(result)
    {
      case "SUCCESS":
        buildBadge.setStatus('passing')
        updateGitlabCommitStatus(name: stageName, state: 'success')
        break
      case "UNSTABLE":
        // unstable is reported as success in GitLab on purpose (recommended rules only)
        buildBadge.setStatus('unstable')
        updateGitlabCommitStatus(name: stageName, state: 'success')
        break
      case "FAILURE":
      default:
        buildBadge.setStatus('failing')
        updateGitlabCommitStatus(name: stageName, state: 'failed')
    }
  }
}
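As an added example (not code from the thread or from the warnings-ng plugin), a small Python audit of a Jenkins scriptApproval.xml: it reports any approved signature beyond the three this thread needed, and any of the three that is still missing, so an admin can keep the approval list as narrow as the maintainer's concern above calls for. The XML layout (an approvedSignatures element holding one string per signature) and the sample document are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Jenkins scriptApproval.xml (layout assumed: an
# <approvedSignatures> element holding one <string> per approved signature).
# The first three entries are the signatures whitelisted in this thread; the
# fourth is a made-up approval outside the warnings-ng API, there to be caught.
SAMPLE_SCRIPT_APPROVAL = """<scriptApproval plugin="script-security">
  <approvedScriptHashes/>
  <approvedSignatures>
    <string>method io.jenkins.plugins.analysis.core.model.ResultAction getResult</string>
    <string>method io.jenkins.plugins.analysis.core.util.StaticAnalysisRun getQualityGateStatus</string>
    <string>method io.jenkins.plugins.analysis.core.util.QualityGateStatus getResult</string>
    <string>staticMethod java.lang.System getenv java.lang.String</string>
  </approvedSignatures>
  <aclApprovedSignatures/>
  <pendingScripts/>
  <pendingSignatures/>
</scriptApproval>
"""

# The minimal set the thread needed to read a quality gate result from a pipeline.
EXPECTED_SIGNATURES = frozenset({
    "method io.jenkins.plugins.analysis.core.model.ResultAction getResult",
    "method io.jenkins.plugins.analysis.core.util.StaticAnalysisRun getQualityGateStatus",
    "method io.jenkins.plugins.analysis.core.util.QualityGateStatus getResult",
})


def approved_signatures(xml_text):
    """Return the approved signatures recorded in a scriptApproval.xml document."""
    root = ET.fromstring(xml_text)
    return [s.text.strip() for s in root.findall("./approvedSignatures/string") if s.text]


def audit(xml_text, expected=EXPECTED_SIGNATURES):
    """Compare approvals with the expected allow-list.

    Returns (unexpected, missing): approvals that go beyond the allow-list and
    should be reviewed, and allow-listed signatures not yet approved (the
    pipeline would still hit RejectedAccessException on those).
    """
    approved = set(approved_signatures(xml_text))
    return sorted(approved - set(expected)), sorted(set(expected) - approved)


if __name__ == "__main__":
    unexpected, missing = audit(SAMPLE_SCRIPT_APPROVAL)
    for sig in unexpected:
        print("review: approval outside the expected set:", sig)
    for sig in missing:
        print("missing: pipeline will be rejected on:", sig)
```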

david.wright@bluewin.ch (JIRA)

Jan 7, 2020, 4:36:04 AM
to jenkinsc...@googlegroups.com

Ulli Hafner, I discussed this with my colleague; this completes our requirements, and for us there are no methods missing at this point. Thank you very much for your help!

 

ullrich.hafner@gmail.com (JIRA)

Jan 7, 2020, 1:51:03 PM
to jenkinsc...@googlegroups.com