[JIRA] (JENKINS-49586) JDepend plugin classes not in JEP-200 whitelist

Issue Type:	Bug
Assignee:	Unassigned
Components:	jdepend-plugin
Created:	2018-02-15 17:39
Priority:	Minor
Reporter:	Chuck Burgess

From what I'm reading about JEP-200, it seems that the (old) JDepend plugin's classes might not have been included in the whitelisting.

WARNING: org.codehaus.mojo.jdepend.objects.JDPackage in file:/var/lib/jenkins/plugins/jdepend/WEB-INF/lib/jdepend-maven-plugin-2.0-beta-2.jar might be dangerous, so rejecting; see https://jenkins.io/redirect/class-filter/

...

org.codehaus.mojo.jdepend.objects.JDPackage in file:/var/lib/jenkins/plugins/jdepend/WEB-INF/lib/jdepend-maven-plugin-2.0-beta-2.jar might be dangerous, so rejecting; see https://jenkins.io/redirect/class-filter/
Feb 15, 2018 11:20:35 AM SEVERE hudson.model.Run execute
Failed to save build record java.lang.UnsupportedOperationException: Refusing to marshal org.codehaus.mojo.jdepend.objects.JDPackage for security reasons; see https://jenkins.io/redirect/class-filter/ at hudson.util.XStream2$BlacklistedTypesConverter.marshal(XStream2.java:543) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69) at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58) at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:88) at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.writeItem(AbstractCollectionConverter.java:64) at com.thoughtworks.xstream.converters.collections.CollectionConverter.marshal(CollectionConverter.java:74) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69) at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84) at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265) at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252) Caused: java.lang.RuntimeException: Failed to serialize org.codehaus.mojo.jdepend.JDependXMLReportParser#packages for class hudson.plugins.jdepend.JDependParser at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256) at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224) at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138) at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209) at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69) at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84) at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265) at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252) Caused: java.lang.RuntimeException: Failed to serialize hudson.plugins.jdepend.JDependBuildAction#jDependParser for class hudson.plugins.jdepend.JDependBuildAction at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256) at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224) at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138) at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209) at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69) at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58) at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:88) at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.writeItem(AbstractCollectionConverter.java:64) at com.thoughtworks.xstream.converters.collections.CollectionConverter.marshal(CollectionConverter.java:74) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69) at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84) at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265) at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252) Caused: java.lang.RuntimeException: Failed to serialize hudson.model.Actionable#actions for class hudson.model.FreeStyleBuild at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256) at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224) at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138) at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209) at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150) at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69) at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58) at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43) at com.thoughtworks.xstream.core.TreeMarshaller.start(TreeMarshaller.java:82) at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.marshal(AbstractTreeMarshallingStrategy.java:37) at com.thoughtworks.xstream.XStream.marshal(XStream.java:1026) at com.thoughtworks.xstream.XStream.marshal(XStream.java:1015) at com.thoughtworks.xstream.XStream.toXML(XStream.java:988) at hudson.XmlFile.write(XmlFile.java:193) Caused: java.io.IOException at hudson.XmlFile.write(XmlFile.java:200) at hudson.model.Run.save(Run.java:1923) at hudson.model.Run.execute(Run.java:1784) at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43) at hudson.model.ResourceController.execute(ResourceController.java:97) at hudson.model.Executor.run(Executor.java:429)

This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e)

demon.gene@gmail.com (JIRA)

unread,

Feb 15, 2018, 12:41:03 PM2/15/18

to jenkinsc...@googlegroups.com

Chuck Burgess updated an issue

Jenkins /

Change By:	Chuck Burgess
Labels:	JEP-200

demon.gene@gmail.com (JIRA)

unread,

Feb 15, 2018, 12:42:01 PM2/15/18

to jenkinsc...@googlegroups.com

Chuck Burgess commented on

Re: JDepend plugin classes not in JEP-200 whitelist

JDepend plugin affected by JEP-200

o.v.nenashev@gmail.com (JIRA)

unread,

Feb 15, 2018, 3:43:03 PM2/15/18

to jenkinsc...@googlegroups.com

Oleg Nenashev commented on

Re: JDepend plugin classes not in JEP-200 whitelist

It comes from this dependency:

 
                                                                     <dependency>
          <groupId>org.codehaus.mojo</groupId>
          <artifactId>jdepend-maven-plugin</artifactId>
          <version>2.0-beta-2</version>
      </dependency>
 
                                                            

The code is not on GitHub AFAICT. CC Arnaud Héritier Stephen Connolly. Likely does not matter, because the plugin should not persist the parser on the disk: https://github.com/jenkinsci/jdepend-plugin/blob/master/src/main/java/hudson/plugins/jdepend/JDependBuildAction.java#L23-L36

From what I see in the code, the logic can be safely replaced by a transient field

o.v.nenashev@gmail.com (JIRA)

unread,

Feb 16, 2018, 11:19:02 AM2/16/18

to jenkinsc...@googlegroups.com

Oleg Nenashev assigned an issue to Oleg Nenashev

Jenkins /

Change By:	Oleg Nenashev
Assignee:	Oleg Nenashev

o.v.nenashev@gmail.com (JIRA)

unread,

Feb 16, 2018, 11:19:02 AM2/16/18

to jenkinsc...@googlegroups.com

Oleg Nenashev started work on

Change By:	Oleg Nenashev
Status:	Open In Progress

o.v.nenashev@gmail.com (JIRA)

unread,

Feb 16, 2018, 11:38:03 AM2/16/18

to jenkinsc...@googlegroups.com

Oleg Nenashev updated

Jenkins /

Change By:	Oleg Nenashev
Status:	In Progress Review

o.v.nenashev@gmail.com (JIRA)

unread,

Feb 16, 2018, 11:38:03 AM2/16/18

to jenkinsc...@googlegroups.com

Oleg Nenashev commented on

Re: JDepend plugin classes not in JEP-200 whitelist

Created https://github.com/jenkinsci/jdepend-plugin/pull/2. Would it be possible to test the snapshot?

demon.gene@gmail.com (JIRA)

unread,

Feb 21, 2018, 9:01:04 AM2/21/18

to jenkinsc...@googlegroups.com

Chuck Burgess commented on

Re: JDepend plugin classes not in JEP-200 whitelist

Not sure that I could test the snapshot... are there instructions somewhere about pulling a plugin snapshot into a Jenkins instance that would normally only see releases available?

o.v.nenashev@gmail.com (JIRA)

unread,

Feb 21, 2018, 9:12:03 AM2/21/18

to jenkinsc...@googlegroups.com

Oleg Nenashev commented on

Re: JDepend plugin classes not in JEP-200 whitelist

1) Download https://ci.jenkins.io/job/Plugins/job/jdepend-plugin/job/PR-2/1/artifact/target/jdepend.hpi
2) Go to Plugin Manager / Advanced tab
3) Find the "Upload a plugin" control, specify the downloaded file
4) After the plugin is installed, restart the instance

scm_issue_link@java.net (JIRA)

unread,

Feb 22, 2018, 10:39:04 AM2/22/18

to jenkinsc...@googlegroups.com

SCM/JIRA link daemon commented on

Re: JDepend plugin classes not in JEP-200 whitelist

Code changed in jenkins
User: Oleg Nenashev
Path:
Jenkinsfile
pom.xml
src/main/java/hudson/plugins/jdepend/JDependBuildAction.java
src/main/java/hudson/plugins/jdepend/JDependParser.java
src/main/java/hudson/plugins/jdepend/JDependRecorder.java
src/main/resources/hudson/plugins/jdepend/JDependBuildAction/index.jelly
src/main/resources/hudson/plugins/jdepend/JDependProjectAction/index.jelly
src/main/resources/hudson/plugins/jdepend/JDependRecorder/config.jelly
src/main/resources/index.jelly
http://jenkins-ci.org/commit/jdepend-plugin/afcf6bfd27770e813c279927c6020c1fc8f1e071
Log:
Merge pull request #2 from oleg-nenashev/JENKINS-49586

JENKINS-49586 - Stop Serializing JDependParser to the disk (JEP-200 in 2.102+)

Compare: https://github.com/jenkinsci/jdepend-plugin/compare/0c8fbfa25f1d...afcf6bfd2777

scm_issue_link@java.net (JIRA)

unread,

Feb 22, 2018, 10:39:04 AM2/22/18

to jenkinsc...@googlegroups.com

SCM/JIRA link daemon commented on

Re: JDepend plugin classes not in JEP-200 whitelist

Code changed in jenkins
User: Oleg Nenashev
Path:

src/main/java/hudson/plugins/jdepend/JDependBuildAction.java
src/main/java/hudson/plugins/jdepend/JDependRecorder.java
src/main/resources/hudson/plugins/jdepend/JDependBuildAction/index.jelly
http://jenkins-ci.org/commit/jdepend-plugin/54a2c37429dc934055eb563c8e6e416459047835
Log:
JENKINS-49586 - Stop serializing JDependParser to the disk

scm_issue_link@java.net (JIRA)

unread,

Feb 22, 2018, 10:39:04 AM2/22/18

to jenkinsc...@googlegroups.com

SCM/JIRA link daemon commented on