Jenkins CI Pipeline Scripts not permitted to use method groovy.lang.GroovyObject

Maven, Jenkins, Continuous Integration, Jenkins Pipeline

Maven Problem Overview


I am using Jenkins 2 for compiling Java projects. I want to read the version from a pom.xml, and I was following this example:

https://github.com/jenkinsci/pipeline-plugin/blob/master/TUTORIAL.md

The example suggests:

Full Jenkins Pipeline with problematic function circled

It seems that there is some security problem accessing the file system, but I can't figure out what is causing that problem (or why):

I am just doing it a little bit differently than the example:

def version() {
	String path = pwd();
	def matcher = readFile("${path}/pom.xml") =~ '<version>(.+)</version>'
	return matcher ? matcher[0][1] : null
}

The error I am getting when running the 'version' method:

org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object (org.codehaus.groovy.runtime.GStringImpl call org.codehaus.groovy.runtime.GStringImpl)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:165)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:117)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:103)
	at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:149)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:146)
	at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:15)
	at WorkflowScript.run(WorkflowScript:71)
	at ___cps.transform___(Native Method)
	at com.cloudbees.groovy.cps.impl.ContinuationGroup.methodCall(ContinuationGroup.java:55)
	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:106)
	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixArg(FunctionCallBlock.java:79)
	at sun.reflect.GeneratedMethodAccessor408.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:601)
	at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:100)
	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixArg(FunctionCallBlock.java:79)
	at sun.reflect.GeneratedMethodAccessor408.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:601)
	at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
	at com.cloudbees.groovy.cps.impl.ContinuationGroup.methodCall(ContinuationGroup.java:57)
	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:106)
	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixArg(FunctionCallBlock.java:79)
	at sun.reflect.GeneratedMethodAccessor408.invoke(Unknown Source)

I am using these versions: Plugin Pipeline 2.1, Jenkins 2.2

Maven Solutions


Solution 1 - Maven

Quickfix Solution:

I had a similar issue and I resolved it by doing the following:

  1. Navigate to Jenkins > Manage Jenkins > In-process Script Approval
  2. There was a pending command, which I had to approve.

In process approval link in Jenkins 2.61



Alternative 1: Disable sandbox

As this article explains in depth, Groovy scripts are run in sandbox mode by default. This means that a subset of Groovy methods are allowed to run without administrator approval. It's also possible to run scripts not in sandbox mode, which implies that the whole script needs to be approved by an administrator at once. This prevents users from approving each line one at a time.

Running scripts without sandbox can be done by unchecking this checkbox in your project config just below your script.

Alternative 2: Disable script security

As this article explains, it is also possible to disable script security completely. First install the permissive script security plugin, and after that change your jenkins.xml file to add this argument:

> -Dpermissive-script-security.enabled=true

So your jenkins.xml will look something like this:

<executable>..bin\java</executable>
<arguments>-Dpermissive-script-security.enabled=true -Xrs -Xmx4096m -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -jar "%BASE%\jenkins.war" --httpPort=80 --webroot="%BASE%\war"</arguments>

Make sure you know what you are doing if you implement this!
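
An added example (not part of the original answer): a Python audit that flags the two settings described in Alternative 1 and Alternative 2, so they can be found again after a quick fix. The XML samples are constructed, and the job config.xml layout (a CpsFlowDefinition with a `<sandbox>` element) is an assumption about how inline Pipeline jobs are stored.

```python
import shlex
import xml.etree.ElementTree as ET

# Property name taken from the answer above.
PERMISSIVE_FLAG = "-Dpermissive-script-security.enabled"

# Constructed sample of a service wrapper jenkins.xml (not a real installation).
SAMPLE_JENKINS_XML = r"""<service>
  <executable>java</executable>
  <arguments>-Dpermissive-script-security.enabled=true -Xrs -Xmx4096m -jar "%BASE%\jenkins.war" --httpPort=80</arguments>
</service>"""

# Constructed sample job config.xml; the element layout is an assumption.
SAMPLE_JOB_XML = """<flow-definition>
  <definition class="org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition">
    <script>node { echo 'build' }</script>
    <sandbox>false</sandbox>
  </definition>
</flow-definition>"""


def audit_service_args(xml_text):
    """Return findings for JVM arguments that make script security permissive."""
    args = ET.fromstring(xml_text).findtext("arguments") or ""
    findings = []
    # posix=False keeps Windows backslashes in paths intact.
    for token in shlex.split(args, posix=False):
        name, _, value = token.partition("=")
        if name == PERMISSIVE_FLAG and value.lower() not in ("", "false"):
            findings.append(f"permissive script security enabled: {token}")
    return findings


def audit_job_sandbox(xml_text):
    """Return findings for inline Pipeline definitions saved with the sandbox off."""
    findings = []
    for definition in ET.fromstring(xml_text).iter("definition"):
        if not definition.get("class", "").endswith("CpsFlowDefinition"):
            continue
        # Assumption: a missing <sandbox> element is treated as "not sandboxed".
        sandbox = (definition.findtext("sandbox") or "false").strip().lower()
        if sandbox != "true":
            findings.append("inline Pipeline script runs outside the Groovy sandbox")
    return findings


if __name__ == "__main__":
    for finding in audit_service_args(SAMPLE_JENKINS_XML) + audit_job_sandbox(SAMPLE_JOB_XML):
        print("FINDING:", finding)
```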

Solution 2 - Maven

You have to disable the sandbox for Groovy in your job configuration.

Currently this is not possible for multibranch projects where the Groovy script comes from the SCM. For more information see https://issues.jenkins-ci.org/browse/JENKINS-28178

Solution 3 - Maven

I ran into this when I reduced the number of user-input parameters in userInput from 3 to 1. This changed the variable output type of userInput from an array to a primitive.

Example:

myvar1 = userInput['param1']
myvar2 = userInput['param2']

to:

myvar = userInput

Solution 4 - Maven

To get around sandboxing of SCM-stored Groovy scripts, I recommend running the script as a Groovy Command (instead of a Groovy Script file):

import hudson.FilePath
final GROOVY_SCRIPT = "workspace/relative/path/to/the/checked/out/groovy/script.groovy"

evaluate(new FilePath(build.workspace, GROOVY_SCRIPT).read().text)

In such a case, the Groovy script is transferred from the workspace to the Jenkins Master where it can be executed as a system Groovy Script. The sandboxing is suppressed as long as Use Groovy Sandbox is not checked.

Solution 5 - Maven

To get the version of a Maven project, I usually use the mvn binary in the sh block as follows. No need for admin permissions.

stage("Compile") {
    steps {
       sh """
         mvn help:evaluate -Dexpression=project.version -q -DforceStdout > version.txt
       """
    }
}

Solution 6 - Maven

Following @JavaTechnical's answer herein, a Maven project's version can be assigned to a variable:

stage("getPomProjectVersion") {
    steps {
       script {
          // In a declarative pipeline, variable declarations must sit inside a script block
          ...
          def pomProjectVersion = sh script: 'mvn help:evaluate -Dexpression=project.version -q -DforceStdout', returnStdout: true
          ...
       }
    }
}

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content Type | Original Author | Original Content on Stackoverflow
Question | Daniel Hernández | View Question on Stackoverflow
Solution 1 - Maven | Maarten Kieft | View Answer on Stackoverflow
Solution 2 - Maven | Andre | View Answer on Stackoverflow
Solution 3 - Maven | Mark | View Answer on Stackoverflow
Solution 4 - Maven | Stepan Vavra | View Answer on Stackoverflow
Solution 5 - Maven | JavaTechnical | View Answer on Stackoverflow
Solution 6 - Maven | Gerold Broser | View Answer on Stackoverflow