[JENKINS-48925] - Whitelist safe model classes from the tap4j library

[oleg-nenashev]

It makes the Tap Plugin to pass existing tests against Jenkins 2.102 in Plugin Compat Tester. I do not think it is enough in general, because TapElement in that class includes the following object:

    /**
     * Iterable object returned by SnakeYAML.
     */
    private Map<String, Object> diagnostic = new LinkedHashMap<String, Object>();

I am not sure when this map contains restricted classes, but from Jenkins JEP-200 PoV is seems to be a dangerous construct.

https://issues.jenkins-ci.org/browse/JENKINS-48925

@reviewbybees @kinow @jglick

[ghost]

This pull request originates from a CloudBees employee. At CloudBees, we require that all pull requests be reviewed by other CloudBees employees before we seek to have the change accepted. If you want to learn more about our process please see this explanation.

[jglick]

OK, assuming you actually looked at these classes and confirm they look safe.

FindBugs is failing but presumably that is also true in master. Needs to be suppressed for now.

[oleg-nenashev]

sorry, forgot to push the FindBugs commit

[oleg-nenashev]

Yes, all classes have been verified

[oleg-nenashev]

@reviewbybees done

[oleg-nenashev]

@kinow Please let me know if you need any additional info to review/release it. Currently the plugin is broken for Jenkins 2.102+

[kinow]

Thanks @oleg-nenashev ! I didn't follow what happened in JEP-200, so I want to finish reading it in order to review and test it.

I assume once this is done, and the pull request has been merged, we should release a new version? Or are there other changes required?

[oleg-nenashev]

@kinow no other changes needed, I hope. Though in Testlink plugin I missed the TestNG support logic during the first iteration (see jenkinsci/testlink-plugin#29).

But yes, this patch should close some issues at least

[dreis2211]

Hi @oleg-nenashev ? Any ETA when this could be released?

[oleg-nenashev]

@dreis2211 It depends on @kinow . I proposed a fix, but I do not maintain the plugin. If you need a quick fix, you can take the HPI file from the pull request builder

[kinow]

Just released 2.2. Should be available through the update centre in the next hours.

Thanks a lot @oleg-nenashev !