Jenkins pipeline - getting a security error, how can I prevent the error from being raised?


Problem description

I'm writing an Android build process in Jenkins pipeline as a code. The relevant portion of the script is:

def notifyStarted() {
  // send to Slack
  slackSend (channel: '#slack-test', color: 'warning', message: "STARTED: Job '${env.JOB_NAME} [${env.BUILD_NUMBER}]' (${env.BUILD_URL})")
}
def get_current_time_date() {
    Date date = new Date();   // given date
    Calendar calendar = GregorianCalendar.getInstance(); // creates a new calendar instance
    calendar.setTime(date);   // assigns calendar to given date
    TIMEH = calendar.get(Calendar.HOUR_OF_DAY); // gets hour in 24h format
    TIMEM = calendar.get(Calendar.MINUTE);
    TIMES = calendar.get(Calendar.SECOND);
    newdate = date.format( 'yyyy-MM-dd' );
    def result = newdate + '%' + TIMEH + ':' + TIMEM + ':' + TIMES
    result
}
// Mixpanel parameters

// End of Mixpanel parameters

node ('master') {
    notifyStarted()
    sh '( git reset --hard; git clean -fxd; git tag -d $(git tag) ) &>/dev/null || true'
    checkout scm
    MP_VERSION_NAME = sh '(git tag | grep '^[0-9]' | tail -n 1)'
    MP_API_KEY = "cXXXXXXXXXf"
    MP_API_SECRET = "4XXXXXXXXX4"
    MP_EXPIRE = "1588896000"
    MP_APP_PLATFORM = "Android"
    MP_BASE_URL = "http://mixpanel.com/api/2.0/annotations/create?"
    //RELEASE_DATE =  get_current_time_date()
    MP_RELEASE_NOTES = ""
    DESCRIPTION = "${MP_APP_PLATFORM}%v${MP_VERSION_NAME}${MP_RELEASE_NOTES}"
    REQUEST_URL = "api_key=${MP_API_KEY}&date=${RELEASE_DATE}&description=${DESCRIPTION}&expire=${MP_EXPIRE}"
    REQUEST_URL_NO_AMPERSAND = REQUEST_URL.replaceAll('&','')
    REQUEST_URL_API_SECRET = "${REQUEST_URL_NO_AMPERSAND}${MP_API_SECRET}"
    SIGNATURE = "md5 -q -s ${REQUEST_URL_API_SECRET}".execute().text
    CURL_COMMAND = "${MP_BASE_URL}${REQUEST_URL}&sig=${SIGNATURE}".replaceAll(' ','%20')
    def cwd = pwd()
    stage ('Compilation environement preparation') {
        // Build parameters
        NDK_VER="r12b"
        SDK_VER="r24.4.1"
        GRADLE_USER_HOME="${cwd}/.gradle"
        NDK_DIR="${GRADLE_USER_HOME}/android-ndk-${NDK_VER}"
        SDK_DIR="${GRADLE_USER_HOME}/android-sdk-linux"
        SDK_TOOLS="${SDK_DIR}/tools"
        AAPT="${SDK_DIR}/build-tools/23.0.3"

When running the build, I get the following error:

org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: unclassified method java.lang.String xor java.util.ArrayList
    at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:113)
    at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:149)
    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:146)
    at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:16)
    at WorkflowScript.run(WorkflowScript:30)
    at ___cps.transform___(Native Method)
    at com.cloudbees.groovy.cps.impl.ContinuationGroup.methodCall(ContinuationGroup.java:48)
    at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:109)
    at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixArg(FunctionCallBlock.java:82)
    at sun.reflect.GeneratedMethodAccessor243.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
    at com.cloudbees.groovy.cps.impl.CollectionLiteralBlock$ContinuationImpl.dispatch(CollectionLiteralBlock.java:55)
    at com.cloudbees.groovy.cps.impl.CollectionLiteralBlock$ContinuationImpl.item(CollectionLiteralBlock.java:45)
    at sun.reflect.GeneratedMethodAccessor244.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
    at com.cloudbees.groovy.cps.impl.ContinuationGroup.methodCall(ContinuationGroup.java:50)
    at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:109)
    at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixArg(FunctionCallBlock.java:82)
    at sun.reflect.GeneratedMethodAccessor243.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
    at com.cloudbees.groovy.cps.impl.ConstantBlock.eval(ConstantBlock.java:21)
    at com.cloudbees.groovy.cps.Next.step(Next.java:58)
    at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:154)
    at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:18)
    at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:33)
    at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:30)
    at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:108)
    at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:30)
    at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:163)
    at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:324)
    at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$100(CpsThreadGroup.java:78)
    at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:236)
    at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:224)
    at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:63)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:112)
    at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Finished: FAILURE

I believe the issue has something to do with the get_current_time_date function but I'm not sure how.

I've read about the error on the internet and found that I can go to Jenkins -> Manage Jenkins -> In-process Script Approval and approve certain code runs but how can I prevent this from happening? I'm not sure which code (out of 3) or which signature (out of 3) are the ones I should approve and in any case I want the pipeline to be able to run automatically, without human intervention.

Any idea what causes this error?

Recommended answer

As you mentioned, you need to manually approve some method signatures by doing it in Jenkins -> Manage Jenkins -> In-process Script Approval. It is a security system that sandboxes Groovy code execution so you don't execute dangerous/malicious code. You can't really avoid it; however, you will need to approve each signature just once, not at every run.

In short, manually approve the signatures until you have treated them all, and then you should be fine.
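
An added example, not part of the original question or answer: the signature in the trace, `java.lang.String xor java.util.ArrayList`, matches the `sh '(git tag | grep '^[0-9]' ...` line, where the nested single quotes leave Groovy with a String, the `^` operator and a list literal. The sketch below keeps the same work inside `sh` steps, which run in the sandbox without signature approval; the credential IDs and the `MP_DATE`/`MP_DESC` variable names are hypothetical.

```groovy
// Added example; credential IDs and the MP_DATE / MP_DESC names are hypothetical.
node('master') {
    checkout scm

    // Rejected form from the question: the inner quotes end the Groovy string,
    // so Groovy sees  '(git tag | grep '  ^  [0-9]  and calls String.xor(List),
    // the signature named in the RejectedAccessException.
    //   MP_VERSION_NAME = sh '(git tag | grep '^[0-9]' | tail -n 1)'

    // A triple-single-quoted string keeps '^[0-9]' inside the shell command;
    // returnStdout makes the step return the tag instead of only logging it.
    def versionName = sh(
        script: '''git tag | grep '^[0-9]' | tail -n 1''',
        returnStdout: true
    ).trim()

    // Date taken from the shell, in the question's date%time layout.
    def releaseDate = sh(script: "date '+%Y-%m-%d%%%H:%M:%S'", returnStdout: true).trim()

    // Key and secret come from the Jenkins credentials store rather than
    // being written into the Jenkinsfile.
    withCredentials([
        string(credentialsId: 'mixpanel-api-key', variable: 'MP_API_KEY'),
        string(credentialsId: 'mixpanel-api-secret', variable: 'MP_API_SECRET')
    ]) {
        withEnv(["MP_DATE=${releaseDate}",
                 "MP_DESC=Android%v${versionName}",
                 'MP_EXPIRE=1588896000']) {
            // Single-quoted Groovy string: the shell expands the variables, so
            // the secret is never interpolated into Groovy. The md5 call is the
            // one from the question, run through sh instead of String.execute().
            def signature = sh(returnStdout: true, script: '''
                set +x
                md5 -q -s "api_key=${MP_API_KEY}date=${MP_DATE}description=${MP_DESC}expire=${MP_EXPIRE}${MP_API_SECRET}"
            ''').trim()
            echo "Computed request signature for version ${versionName}"
        }
    }
}
```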
