Script Security plugin dry-run for pre-approval?


Andrew Bayer

Dec 30, 2015, 3:22:21 PM
to jenkin...@googlegroups.com
So I couldn't figure out a good way to word the subject line, but!

I've had a few cases where I've needed to go through multiple iterations of "Run a Workflow via a Jenkinsfile" or "Run a system Groovy step", etc, where each time I run, a new method causes the run to fail and is queued up for script approval. Since it barfs out as soon as one method is hit that isn't whitelisted, you can end up needing to do this a *lot* for a long script...and that's annoying. Very annoying. =)

I don't believe there is currently any way to do something like a dry run (or AST parsing, or whatever) that finds and queues up multiple method calls for approval, rather than one-at-a-time, but that sure seems it'd be handy. Does anyone know of anything along those lines currently, or have any ideas/interest in getting that sort of functionality implemented?

A.

Craig Rodrigues

Dec 30, 2015, 8:10:26 PM
to jenkin...@googlegroups.com
Hi,

I would suggest that you go to https://isues.jenkins-ci.org and file a New Feature request,
to have a way to test a workflow, and find out up front what all the security problems are with the
workflow, without having to execute the workflow.

I mentioned a workflow I was working on.  This workflow takes over one hour to run.
As I was developing the workflow, I hit multiple problems which required getting approval
from the Script Security plugin.

However, I did not find out all the issues at once.  I had to:
  1. run the workflow
  2. find a security problem
  3. add the problem to the script security plugin whitelist
  4. go back to 1. (repeat for the next problem)

It was annoying to have to repeat this problem for every security problem, instead of
finding out all the security problems up front.
--
Craig



Jesse Glick

Jan 5, 2016, 11:34:25 AM
to Jenkins Dev
On Wed, Dec 30, 2015 at 3:21 PM, Andrew Bayer <andrew...@gmail.com> wrote:
> have any ideas/interest in getting that sort of functionality implemented?

I think it boils down to creating some manner of test harness for
Workflow scripts. There have been some thoughts, but no concrete
plans.

ogondza

Jan 6, 2016, 7:13:12 AM
to Jenkins Developers
I would welcome it if there were multiple strategies aside from whitelisting. I have got several plugins to update, but as those started to use script-security, I have to check it is not going to break anything first. What would help me (and Andrew) in this case is something akin to permissive SELinux mode - do not interrupt any operation for now, but report what the problems are. Once all are ironed out, I will switch to enforcing mode again. I promise.

--
oliver

Jesse Glick

Jan 6, 2016, 2:15:25 PM
to Jenkins Dev
On Wed, Jan 6, 2016 at 7:13 AM, ogondza <ogo...@gmail.com> wrote:
> something akin permissive selinux mode - do not interrupt any operation for now, but report what the problems are

Should be easy to write a plugin registering a `Whitelist` which
always returns true, but first logs what it ran on.
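An added sketch of the "permissive mode" `Whitelist` that oliver asked for and Jesse describes; this is example code written for this thread, not part of the script-security plugin. The `Whitelist` abstract methods and the `StaticWhitelist.*Definition` signature formatters are the plugin's own; the package name and the `scriptsecurity.audit` system property are assumptions.

```java
package example.scriptsecurity; // hypothetical package, not in script-security

import hudson.Extension;
import org.jenkinsci.plugins.scriptsecurity.sandbox.Whitelist;
import org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist;

import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Logger;

/**
 * Audit-only whitelist: permits every sandboxed access but logs the
 * signature in the same form ScriptApproval shows, so a single run lists
 * everything the script touches instead of stopping at the first rejection.
 * It is inert unless -Dscriptsecurity.audit=true (assumed property) is set,
 * because an always-true whitelist that stays enabled is no sandbox at all.
 */
@Extension
public class AuditWhitelist extends Whitelist {

    private static final Logger LOG = Logger.getLogger(AuditWhitelist.class.getName());
    private static final boolean ENABLED = Boolean.getBoolean("scriptsecurity.audit");
    // Signatures already reported, so a loop body does not flood the log.
    private static final Set<String> SEEN = ConcurrentHashMap.newKeySet();

    private boolean record(String signature) {
        if (!ENABLED) {
            return false; // defer to the other whitelists: normal enforcing behaviour
        }
        if (SEEN.add(signature)) {
            // Logged entries include already-approved signatures; diff them
            // against the approved list afterwards to find the new ones.
            LOG.warning("script-security audit: sandboxed call " + signature);
        }
        return true;
    }

    @Override public boolean permitsMethod(Method m, Object receiver, Object[] args) {
        return record(StaticWhitelist.methodDefinition(m));
    }
    @Override public boolean permitsConstructor(Constructor<?> c, Object[] args) {
        return record(StaticWhitelist.constructorDefinition(c));
    }
    @Override public boolean permitsStaticMethod(Method m, Object[] args) {
        return record(StaticWhitelist.staticMethodDefinition(m));
    }
    @Override public boolean permitsFieldGet(Field f, Object receiver) {
        return record(StaticWhitelist.fieldDefinition(f));
    }
    @Override public boolean permitsFieldSet(Field f, Object receiver, Object value) {
        return record(StaticWhitelist.fieldDefinition(f));
    }
    @Override public boolean permitsStaticFieldGet(Field f) {
        return record(StaticWhitelist.staticFieldDefinition(f));
    }
    @Override public boolean permitsStaticFieldSet(Field f, Object value) {
        return record(StaticWhitelist.staticFieldDefinition(f));
    }
}
```

Run the long workflow once on a development controller with the property set, then copy the logged signatures into the approved list and restart without the property to return to enforcing mode.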