Enable Jenkins Security Scan and bypass CodeQL's JavaCompiler to support JDK 17+

[dwnusbaum]

Experimental workaround based on the stack trace observed in #901. Undoes #915.

Testing done

Submitter checklist

• Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
• Ensure that the pull request title represents the desired changelog entry
• Please describe what you did
• Link to relevant issues in GitHub or Jira
• Link to relevant pull requests, esp. upstream and downstream changes
• Ensure you have provided tests - that demonstrates feature works or fixes the issue

[dwnusbaum]

Does not work:

[2024-08-08 22:22:09] [autobuild] Selected JavaCompiler implementation: com.sun.tools.javac.api.JavacTool
  [2024-08-08 22:22:10] [autobuild] Exception in thread "main" java.lang.RuntimeException: Unknown file object: JarFileObject[/home/runner/work/workflow-cps-plugin/workflow-cps-plugin/lib/target/groovy-cps-dgm-builder-999999-SNAPSHOT-jar-with-dependencies.jar:/org/codehaus/groovy/runtime/StringGroovyMethods.java]
  [2024-08-08 22:22:10] [autobuild] 	at com.semmle.extractor.java.interceptors.JavacToolInterceptor.getTask(JavacToolInterceptor.java:216)
  [2024-08-08 22:22:10] [autobuild] 	at jdk.compiler/com.sun.tools.javac.api.JavacTool.SEMMLE_INTERCEPT$1(JavacTool.java)
  [2024-08-08 22:22:10] [autobuild] 	at jdk.compiler/com.sun.tools.javac.api.JavacTool.getTask(JavacTool.java:200)
  [2024-08-08 22:22:10] [autobuild] 	at jdk.compiler/com.sun.tools.javac.api.JavacTool.getTask(JavacTool.java:119)
  [2024-08-08 22:22:10] [autobuild] 	at jdk.compiler/com.sun.tools.javac.api.JavacTool.getTask(JavacTool.java:68)
  [2024-08-08 22:22:10] [autobuild] 	at com.cloudbees.groovy.cps.tool.Driver.run(Driver.java:59)
  [2024-08-08 22:22:10] [autobuild] 	at com.cloudbees.groovy.cps.tool.Driver.main(Driver.java:23)
  [2024-08-08 22:22:10] [autobuild] Caused by: java.lang.reflect.InaccessibleObjectException: Unable to make public java.net.URI com.sun.tools.javac.file.PathFileObject$JarFileObject.toUri() accessible: module jdk.compiler does not "opens com.sun.tools.javac.file" to unnamed module @531d72ca
  [2024-08-08 22:22:10] [autobuild] 	at java.base/java.lang.reflect.AccessibleObject.checkCanSetAccessible(AccessibleObject.java:354)
  [2024-08-08 22:22:10] [autobuild] 	at java.base/java.lang.reflect.AccessibleObject.checkCanSetAccessible(AccessibleObject.java:297)
  [2024-08-08 22:22:10] [autobuild] 	at java.base/java.lang.reflect.Method.checkCanSetAccessible(Method.java:200)
  [2024-08-08 22:22:10] [autobuild] 	at java.base/java.lang.reflect.Method.setAccessible(Method.java:194)
  [2024-08-08 22:22:10] [autobuild] 	at com.semmle.extractor.java.interceptors.JavacToolInterceptor.getTask(JavacToolInterceptor.java:196)
  [2024-08-08 22:22:10] [autobuild] 	... 6 more

I guess though this should have been obvious looking at the first part of the stack trace. jdk.compiler/com.sun.tools.javac.api.JavacTool.getTask(JavacTool.java:200) suddenly calls jdk.compiler/com.sun.tools.javac.api.JavacTool.SEMMLE_INTERCEPT$1(JavacTool.java), so perhaps the library is doing something exotic like patching bytecode and/or using a java agent.

[jglick]

Maybe just try adding something like --add-opens com.sun.tools.javac.file=ALL-UNNAMED to

workflow-cps-plugin/lib/pom.xml

Line 63 in a6f67a8

<arguments>

?

[jglick]

I think this should be in draft for now?

[dwnusbaum]

The CodeQL action does not seem to be using a Maven cache, so it takes forever to download dependencies, and I wonder if this is a problem in terms of trying to reduce bandwidth usage on https://repo.jenkins-ci.org. Maybe I misunderstand the setup though.

[dwnusbaum]

01feb61 seems to work (lib has been built and dependencies for the plugin are being downloaded now according to the action's log).

[dwnusbaum]

I mentioned this upstream in github/codeql#7535 (comment).

[jglick]

I wonder if this is a problem in terms of trying to reduce bandwidth usage

Seems worthwhile to file a helpdesk to investigate.