[ANNOUNCE] Active Choices (née Uno-Choice) plugin release v1.5.0

Bruno P. Kinoshita

Nov 4, 2016, 4:13:29 AM
to BioUno Developers, BioUno Users
The BioUno community is pleased to announce the release of the Active Choices Plug-in v1.5.0 [1], previously known as Uno-Choice Plug-in. The release is available from Jenkins Update Center so you can install it from any Jenkins instance.

This release 

* JENKINS-36590: Active-Choice jenkinsProject variable is not available under Folder or Multibranch-Multiconfiguration job
* JENKINS-37027: 'View selected script option' in build configuration displays wrong scriptler script
* JENKINS-34988: this.binding.jenkinsProject not returning project of current build
* Upgraded build plug-ins
* Fixed Findbugs issues
* Upgraded parent in order to be able to release to Jenkins plug-in repositories

This issue is related to security, and will change the way your scripts are evaluated in Jenkins. Right now parameters can execute any kind of code, regardless of how dangerous that code can be.

With the script-security-plugin integration, some of these scripts can be sandboxed, allowing only approved scripts to be executed.

Jenkins infrastructure changed since the last release, and we had to update the pom in order to be able to release new versions. This release includes a few issues that were fixed in the master branch but not released, as well as the changes to the plug-in dependencies.

Remember to try this version on a testbed server before installing it in production.

Ioannis Moutsatsos

Nov 7, 2016, 5:39:16 PM
to BioUno Developers, biouno...@googlegroups.com, brunod...@yahoo.com.br
Thanks Bruno;

I need to understand how security now works to enable the scripts and the dynamic HTML in AC v1.5.
After approving 189 scripts (little bits of groovy scripts in all main and fallback scripts) that were pending approval I'm still not able to render some forms.
Some work and some don't. I need some more time to investigate what's going on.

Any pointers would be greatly appreciated!!

Best regards
Ioannis

Bruno P. Kinoshita

Nov 7, 2016, 8:14:10 PM
to biouno-d...@googlegroups.com, biouno...@googlegroups.com
Hi Ioannis,

I remember seeing similar behavior. Then after approving scripts, and also the method calls (I think) it worked.
Let me know in a few days if it still doesn't work well. I can take another look at the security-plugin integration, try to help debugging it, and we can release a new version in the next days too :)

Cheers
Bruno



--
You received this message because you are subscribed to the Google Groups "BioUno Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to biouno-develop...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Ioannis Moutsatsos

Nov 9, 2016, 9:52:22 AM
to BioUno Developers, biouno...@googlegroups.com, brunod...@yahoo.com.br
Hi Bruno;

I was able to track down what was going on with the build form that was not working. It was not related to the new code for Active Choices.
I'm upgrading my Jenkins instance to v2.19.2 and have also upgraded several other plugins, so I have quite a few changes to keep track of.

I really like the fix JENKINS-37027: 'View selected script option'. Works great and I can finally easily check out the parameters defined for the scriptlet!

If I understand correctly, the 'Use Groovy Sandbox' and 'Additional classpath' options are only available for custom scripts but not scriptlets. Scriptlet security is defined from within the scriptler environment. Is this correct?

Thank you, great job!

Best regards
Ioannis



Bruno P. Kinoshita

Nov 9, 2016, 3:52:05 PM
to biouno-d...@googlegroups.com, biouno...@googlegroups.com
Hi Ioannis,

Great to hear JENKINS-37027 is working fine :)

>If I understand correctly, the 'Use Groovy Sandbox' and 'Additional classpath' options are only available for custom scripts but not scriptlets. Scriptlet security is defined from within the scriptler environment. Is this correct?

The scriptler plug-in also has a dependency on the script-security plug-in. But we force normal Groovy Scripts to be 'audited' too.

Basically, instead of a String, now the Jelly form submits the text, which gets wrapped in a SecureScript (if memory serves me well). Then when users try to execute it, instead of using the normal API to create a context (with the binding, injected variables) and simply executing the Groovy script, it is now calling a method in SecureScript that confirms it has been approved, or is considered safe to be run :)

HTH
Bruno
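
A simplified model of the approval gate described in the message above, added here as an illustration and not code from the Active Choices or script-security plug-ins. It shows why every main and fallback script text needs its own approval and why an edited script must be approved again. `ApprovalStore`, `save_parameters` and the SHA-256 digest are assumptions of the model; sandbox mode and method-call approval are not modelled.

```python
import hashlib


class UnapprovedScriptError(Exception):
    """Raised when a script is evaluated before an administrator approved it."""


class ApprovalStore:
    """Hypothetical model: approved scripts are remembered by content hash."""

    def __init__(self):
        self.approved = set()   # hashes of approved script texts
        self.pending = {}       # hash -> script text awaiting review

    @staticmethod
    def digest(text):
        # SHA-256 is this model's choice, not a statement about the plug-in.
        return hashlib.sha256(text.encode("utf-8")).hexdigest()

    def configure(self, text):
        """Form submission: queue the text for review unless already approved."""
        h = self.digest(text)
        if h not in self.approved:
            self.pending[h] = text
        return h

    def approve(self, h):
        """Administrator action: move one pending script to the approved set."""
        self.pending.pop(h)
        self.approved.add(h)

    def evaluate(self, text, run):
        """Gate in front of the interpreter: refuse text that was never approved."""
        if self.digest(text) not in self.approved:
            raise UnapprovedScriptError(self.digest(text)[:12])
        return run(text)


def save_parameters(store, parameters):
    """Each parameter submits a main and a fallback script; both are gated."""
    for main, fallback in parameters:
        store.configure(main)
        store.configure(fallback)
    return len(store.pending)


# Constructed sample: three parameters, two sharing the same fallback text.
SAMPLE = [
    ("return ['dev', 'prod']", "return ['error']"),
    ("return ['a', 'b']", "return ['error']"),
    ("return ['x']", "return ['n/a']"),
]
```

Identical script texts share one pending entry, while a single added character produces a new hash and a new pending entry.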

