Error passing JAVA_OPTS with spaces and quotes #2282

Open
Silwing opened this issue Oct 24, 2019 · 5 comments
Silwing commented Oct 24, 2019

Describe the bug
We are using the Dependency Check Jenkins plugin.
To relax the Jenkins content security policy we have set JAVA_OPTS as described here: https://wiki.jenkins.io/display/JENKINS/Configuring+Content+Security+Policy
However, when doing that, running dependency-check.sh generates the following error:
Error: Could not find or load main class 'self'

Version of dependency-check used
The problem occurs using version 5.2.2 of the CLI.

To Reproduce
Steps to reproduce the behavior:

  1. Run the following: export JAVA_OPTS=-Dhudson.model.DirectoryBrowserSupport.CSP="default-src 'self' 'unsafe-inline';"
  2. Run dependency-check.sh
  3. See error

Expected behavior
Expected to print usage text.

Additional context
Jenkins has had the same issue described here with attached fix as well: jenkinsci/docker#213

@jeremylong
Owner

The script is generated by the appassembler plugin. I have opened a ticket with the appropriate team.


vweng commented Nov 1, 2019

This space issue exists not only in JAVA_OPTS but also in any params passed in, e.g. --scan /var/jenkins_home/workspace/jenkins dev/test abc/. The solution is to use the bash array feature and replace the exec at the bottom of dependency-check.sh with the following:

CMDS=("$JAVACMD" -classpath "$CLASSPATH" -Dapp.name="dependency-check" -Dapp.pid="$$" -Dapp.repo="$REPO" -Dapp.home="$BASEDIR" -Dbasedir="$BASEDIR" org.owasp.dependencycheck.App)

for arg; do
    CMDS+=("$arg")
done
exec "${CMDS[@]}"

jeremylong added a commit that referenced this issue Nov 2, 2019
* add updated unixBinTemplate per #2282 - allows spaces in JVM_OPTS

* updated due to changes at the nvd: https://nvd.nist.gov/vuln/detail/CVE-2018-1002201#VulnChangeHistorySection

* add updated unixBinTemplate per #2282 - allows spaces in JVM_OPTS
@jeremylong jeremylong added this to the 5.2.3 milestone Nov 11, 2019
@jeremylong jeremylong reopened this Nov 11, 2019
@jeremylong jeremylong removed this from the 5.2.3 milestone Nov 11, 2019
@jeremylong
Owner

@vweng The problem with your solution above is that it removes the $JAVA_OPTS entirely.

@jeremylong
Owner

@Silwing can you use:

export JENKINS_OPTS=-Dhudson.model.DirectoryBrowserSupport.CSP="default-src 'self' 'unsafe-inline';"

jeremylong added a commit that referenced this issue Nov 12, 2019

vweng commented Feb 18, 2020

@jeremylong Sorry, here is the script with updated JAVA_OPTS included; note that dependency-check.sh must be updated to use #!/bin/bash:

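CMDS=("$JAVACMD")
if [[ -n $JAVA_OPTS ]]; then
    # Split JAVA_OPTS on " -" so each option, spaces included, stays one argument.
    # The check above keeps an empty JAVA_OPTS from adding a bare "-".
    s="${JAVA_OPTS:1} -"
    while [[ $s ]]; do
        CMDS+=( "-${s%%" -"*}" )
        s=${s#*" -"}
    done
fi

CMDS+=( -classpath "$CLASSPATH" -Dapp.name="dependency-check" -Dapp.pid="$$" -Dapp.repo="$REPO" -Dapp.home="$BASEDIR" -Dbasedir="$BASEDIR" org.owasp.dependencycheck.App )

for arg; do
    CMDS+=("$arg")
done

exec "${CMDS[@]}"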
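
The failure from the report and the split-on-" -" idea from the last comment, as an added example that is not part of the thread or of the project's launcher script. It keeps the argument list in the positional parameters instead of a bash array, so it also runs under plain sh; fake_java, naive_launch, split_launch, SAMPLE_OPTS and MAIN are hypothetical names, and the sample value is constructed from the export line in the report.

```shell
#!/bin/sh
# Added example: not the project's launcher script. All names are hypothetical.
# Constructed sample: the value JAVA_OPTS holds after the export in the report
# (the shell has already removed the double quotes), plus a second option.
SAMPLE_OPTS="-Dhudson.model.DirectoryBrowserSupport.CSP=default-src 'self' 'unsafe-inline'; -Xmx512m"
MAIN=org.owasp.dependencycheck.App

# Stand-in for the JVM: prints every argument it receives as [argument].
fake_java() { for arg in "$@"; do printf '[%s]' "$arg"; done; }

# Unquoted expansion: the shell splits the value at every space, so 'self'
# becomes a separate word and java takes it for the main class.
naive_launch() {
    opts=$1; shift
    # shellcheck disable=SC2086
    fake_java $opts "$MAIN" "$@"
}

# Split on " -" instead, as in the last comment, but with the positional
# parameters as the list so no bash array is needed. Assumes the value starts
# with "-"; a value that itself contains " -" would still be cut there.
split_launch() {
    opts=$1; shift
    n=$#                           # caller arguments, moved to the end below
    if [ -n "$opts" ]; then        # empty JAVA_OPTS must not yield a bare "-"
        s="${opts#-} -"            # drop the first "-", append a terminator
        while [ -n "$s" ]; do
            opt=${s%%" -"*}        # text before the next " -" is one option
            set -- "$@" "-$opt"
            s=${s#*" -"}           # consume that option and its delimiter
        done
    fi
    set -- "$@" "$MAIN"
    while [ "$n" -gt 0 ]; do       # rotate the caller arguments to the back
        first=$1; shift
        set -- "$@" "$first"
        n=$((n - 1))
    done
    fake_java "$@"
}

naive_launch "$SAMPLE_OPTS" --scan "/ws/jenkins dev"; echo
split_launch "$SAMPLE_OPTS" --scan "/ws/jenkins dev"; echo
```

The first line of output shows the CSP value broken into three arguments; the second shows it delivered as a single -D option, with the caller's path argument also intact.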
