[JIRA] (JENKINS-58860) Skipped parameter which is defined in a job

[julien.breda74@gmail.com (JIRA)]

Julien Bréda updated an issue

Jenkins / JENKINS-58860 Skipped parameter which is defined in a job Change By: Julien Bréda Since my update to Jenkins version 2.176.1, I get some warnings in logs about 'Skipped parameter', which relates to SECURITY-170. The log says :   {code:java} "WARNING: Skipped parameter `artifactVersion` as it is undefined on `JOB-XX`. Set `-Dhudson.model.ParametersAction.keepUndefinedParameters=true` to allow undefined parameters to be injected as environment variables or `-Dhudson.model.ParametersAction.safeParameters=[comma-separated list]` to whitelist specific parameter names, even though it represents a security breach or `-Dhudson.model.ParametersAction.keepUndefinedParameters=false` to no longer show this message." but the problem is that this job is defining such parameter. (see attachment) {code}     I don't want to set `-Dhudson.model.ParametersAction.keepUndefinedParameters=true` only to evict some logs. I could see this issue twice : * one time with a pipeline job : this job defines the parameter and the scripted pipeline is retrieved on SCM. This pipeline uses this parameter. * another time with a freestyle job : this job also defines the parameter and the build task is nothing more than executing a shell script on a remote SSH. This script uses the parameter. In these both cases I need the parameter and, one more time, it is clearly defined.   Why are my logs spammed with such lines ? The message is maybe missleading because my jobs are very simple and I can't see what's wrong. Is that because these jobs are launched from another job (which, of course, set the parameter) ? Is that because of the old builds ? I see somewhere a guy talking about old builds AND SECURITY-170. I think the log could be improved. Add Comment

This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

[julien.breda74@gmail.com (JIRA)]

Julien Bréda created an issue

Jenkins / JENKINS-58860 Skipped parameter which is defined in a job

Issue Type: Bug Assignee: Unassigned Attachments: JobParameter.png Components: core, pipeline Created: 2019-08-08 13:18 Environment: Jenkins v2.176.1, RedHat7, Oracle Java8 Priority: Minor Reporter: Julien Bréda

Since my update to Jenkins version 2.176.1, I get some warnings in logs about 'Skipped parameter', which relates to SECURITY-170. The log says :

"WARNING: Skipped parameter `artifactVersion` as it is undefined on `JOB-XX`. Set `-Dhudson.model.ParametersAction.keepUndefinedParameters=true` to allow undefined parameters to be injected as environment variables or `-Dhudson.model.ParametersAction.safeParameters=[comma-separated list]` to whitelist specific parameter names, even though it represents a security breach or `-Dhudson.model.ParametersAction.keepUndefinedParameters=false` to no longer show this message."

but the problem is that this job is defining such parameter. (see attachment)

I don't want to set `-Dhudson.model.ParametersAction.keepUndefinedParameters=true` only to evict some logs.

I could see this issue twice :

one time with a pipeline job : this job defines the parameter and the scripted pipeline is retrieved on SCM. This pipeline uses this parameter.

another time with a freestyle job : this job also defines the parameter and the build task is nothing more than executing a shell script on a remote SSH. This script uses the parameter.

In these both cases I need the parameter and, one more time, it is clearly defined.   Why are my logs spammed with such lines ? The message is maybe missleading because my jobs are very simple and I can't see what's wrong. Is that because these jobs are launched from another job (which, of course, set the parameter) ? Is that because of the old builds ? I see somewhere a guy talking about old builds AND SECURITY-170. I think the log could be improved.

Add Comment

[julien.breda74@gmail.com (JIRA)]

Julien Bréda updated an issue

Jenkins / JENKINS-58860 Skipped parameter which is defined in a job

Change By: Julien Bréda

Since my update to Jenkins version 2.176.1, I get some warnings in logs about 'Skipped parameter', which relates to SECURITY-170. The log says :

{code:java}

"WARNING: Skipped parameter `artifactVersion` as it is undefined on `JOB-XX`. Set `-Dhudson.model.ParametersAction.keepUndefinedParameters=true` to allow undefined parameters to be injected as environment variables or `-Dhudson.model.ParametersAction.safeParameters=[comma-separated list]` to whitelist specific parameter names, even though it represents a security breach or `-Dhudson.model.ParametersAction.keepUndefinedParameters=false` to no longer show this message." but the problem is that this job is defining such parameter. (see attachment)

{code}

I don't want to set `-Dhudson.model.ParametersAction.keepUndefinedParameters=true` only to evict some logs. I could see this issue twice :

* one time with a pipeline job : this job defines the parameter and the scripted pipeline is retrieved on SCM. This pipeline uses this parameter. * another time with a freestyle job : this job also defines the parameter and the build task is nothing more than executing a shell script on a remote SSH. This script uses the parameter.

In these both cases I need the parameter and, one more time, it is clearly defined.   Why are my logs spammed with such lines ? The message is maybe missleading because my jobs are very simple and I can't see what's wrong. Is that because these jobs are launched from another job (which, of course, set the parameter) ? Is that because of the old builds ? I see somewhere a guy talking about old builds AND SECURITY-170. I think the log could be improved.

Add Comment

[julien.breda74@gmail.com (JIRA)]

Julien Bréda updated an issue

Jenkins / JENKINS-58860 Skipped parameter which is defined in a job

Change By: Julien Bréda Priority: Minor Major

Add Comment

[julien.breda74@gmail.com (JIRA)]

Julien Bréda commented on JENKINS-58860

Re: Skipped parameter which is defined in a job I changed priority since the logs are growing quickly

Add Comment

[dbeck@cloudbees.com (JIRA)]

Daniel Beck commented on JENKINS-58860

Re: Skipped parameter which is defined in a job

since the logs are growing quickly The log message explains how you can remove it. Please provide the complete config.xml file for the job in question, as well as the build.xml file for a build showing this message.

Add Comment

[julien.breda74@gmail.com (JIRA)]

Julien Bréda commented on JENKINS-58860

Re: Skipped parameter which is defined in a job

config.xml and build.xml uploaded.

Add Comment

[julien.breda74@gmail.com (JIRA)]

Julien Bréda updated an issue

Jenkins / JENKINS-58860

Skipped parameter which is defined in a job

Change By: Julien Bréda Attachment: build.xml Attachment: config.xml

Add Comment

[dbeck@cloudbees.com (JIRA)]

Daniel Beck updated an issue

Jenkins / JENKINS-58860 Skipped parameter which is defined in a job

Change By: Daniel Beck Priority: Major Minor

Add Comment

[dbeck@cloudbees.com (JIRA)]

Daniel Beck commented on JENKINS-58860

Re: Skipped parameter which is defined in a job Which version of Jenkins were you running before? When you add a shell/batch build step to the downstream job, and have it output the value of the artifactVersion environment variable ( echo "$artifactVersion" or echo %artifactVersion% respectively), what happens?

Add Comment

[julien.breda74@gmail.com (JIRA)]

Julien Bréda commented on JENKINS-58860

Re: Skipped parameter which is defined in a job

I was running v2.107.3. I've added a shell execution but nothing has changed : I still get the log.

Add Comment

[dbeck@cloudbees.com (JIRA)]

Daniel Beck commented on JENKINS-58860

Re: Skipped parameter which is defined in a job

Right, but does the shell step do what you would expect, or print an empty line?

Add Comment

This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)

[julien.breda74@gmail.com (JIRA)]

Julien Bréda commented on JENKINS-58860

Re: Skipped parameter which is defined in a job

It prints the var, which is valued, as expected.

Add Comment

[julien.breda74@gmail.com (JIRA)]

Julien Bréda commented on JENKINS-58860

Re: Skipped parameter which is defined in a job

Any feedback on this issue Daniel Beck ? It seems you unassigned it despite of you were the author of https://jenkins.io/blog/2016/05/11/security-update/ I thought you were the best analyst for this one.

Add Comment

[dbeck@cloudbees.com (JIRA)]

Daniel Beck commented on JENKINS-58860

Re: Skipped parameter which is defined in a job

It seems you unassigned it This issue was never assigned (and I generally reject assignments from others). I was unable to reproduce this issue despite the information you provided, and there are only so many hours in a day. in 3+ years it seems you're the first one to encounter this issue, indicating there's perhaps something unusual about your configuration that so far isn't apparent here.

Add Comment