3

I have defined a shared library in Jenkins:

import com.codependent.jenkins.pipelines.Utils

def call(List<String> mavenGoals){
  def processedMavenGoals = mavenGoals.join ' '
  pipeline {
    agent any
  ...
}

If i call this from my project's Jenkinsfile like this it works ok:

#!groovy
@Library('jenkins-pipeline-shared-library-example') _
buildPipeline(['clean', 'install'])

However if I omit the parethesis as Groovy syntax allows:

#!groovy
@Library('jenkins-pipeline-shared-library-example') _
buildPipeline ['clean', 'install']

The execution shows the folloing exception. Why?

org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: unclassified getAt method buildPipeline[java.util.ArrayList]
    at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetArray(SandboxInterceptor.java:451)
    at org.kohsuke.groovy.sandbox.impl.Checker$10.call(Checker.java:413)
    at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetArray(Checker.java:418)
    at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.getArray(SandboxInvoker.java:45)
    at com.cloudbees.groovy.cps.impl.ArrayAccessBlock.rawGet(ArrayAccessBlock.java:21)
    at WorkflowScript.run(WorkflowScript:3)
    at ___cps.transform___(Native Method)
codependent
  • 23,193
  • 31
  • 166
  • 308

2 Answers2

3

I have had a similar issue after updated jenkins.

In my case the stacktrace also showed a org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException[...]

Reason

Jenkins has a security plugin that blocks certain method calls in Jenkinsfile s.

Solution

To allow these calls that sometimes are harmless:

  1. Go to: http://JENKINS_HOST/scriptApproval/ ( Official Documentation )
  2. Approve the action that has been denied in the Jenkinsfile enter image description here
  3. Rerun the failed build to see Jenkinsfile work
Matyas
  • 13,473
  • 3
  • 60
  • 73
0

In most cases <JENKINS_SERVER_URL>/scriptApproval should be enough. However there are cases when the forbidden method does not appear in /scriptApproval due to some reasons. Some of them are explained here: Why-am-I-unable-to-see-a-method-in-In-process-Script-Approval.

In such case you can try either programmatically force the method approval (see the answer here: https://stackoverflow.com/a/48234868/4807875) or manually update the $JENKINS_ROOT/scriptApproval.xml file on the Jenkins server. The latter will require root permissions and Jenkins server restart to take effect (the option "Reload Configuration from Disk" will not work).

P. S.: I did not test how it works with the BlackList methods.

Alexander Samoylov
  • 2,358
  • 2
  • 25
  • 28