Started by an SCM change
Running as SYSTEM
Building in workspace /var/jenkins_home/jobs/SolidBlue_III/workspace
The recommended git tool is: NONE
Warning: CredentialId "cd8fb110-f9c4-49d8-bd61-e71f44f42830" could not be found.
> git rev-parse --is-inside-work-tree # timeout=10
Fetching changes from the remote Git repository
> git config remote.origin.url https://tidalwave@bitbucket.org/tidalwave/solidblue3-p-src.git # timeout=10
Fetching upstream changes from https://tidalwave@bitbucket.org/tidalwave/solidblue3-p-src.git
> git --version # timeout=10
> git --version # 'git version 2.20.1'
> git fetch --tags --force --progress -- https://tidalwave@bitbucket.org/tidalwave/solidblue3-p-src.git +refs/heads/*:refs/remotes/origin/* # timeout=10
> git rev-parse refs/remotes/origin/master^{commit} # timeout=10
Checking out Revision da5dde97992ac199d988a8573ac32d989157236b (refs/remotes/origin/master)
> git config core.sparsecheckout # timeout=10
> git checkout -f da5dde97992ac199d988a8573ac32d989157236b # timeout=10
Commit message: "Now it doesn't crash when it finds a file whose id attribute is not found in the db."
> git rev-list --no-walk 0cba188efb3b0c5a85bee0d6a4a0763e86d09148 # timeout=10
[workspace] $ /bin/sh -xe /tmp/jenkins5739634690727174211.sh
+ ./.jenkins-script.sh
================================ git clone asdf
fatal: destination path '/var/jenkins_home/jobs/SolidBlue_III/workspace/.asdf' already exists and is not an empty directory.
================================ asdf plugin-add python
updating plugin repository...
From https://github.com/asdf-vm/asdf-plugins
ca63c59..eabdf06 master -> origin/master
HEAD is now at eabdf06 chore: format README.md
Plugin named python already added
================================ asdf install python 3.9.0
python 3.9.0 is already installed
================================ asdf local python 3.9.0
================================ pip install --user pipenv
./.jenkins-script.sh: line 22: : command not found
rm -rf build __pycache__
echo "================================ Check"
================================ Check
"/var/jenkins_home/.local/bin/pipenv" check
Checking PEP 508 requirements...
Passed!
Checking installed package safety...
44492: pipenv >=2018.10.9,<=2021.11.23 resolved (2020.11.15 installed)!
Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims' systems. If an attacker is able to hide a malicious '--index-url' option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim's host during installation (remote code execution/RCE). When pip installs from a source distribution, any code in the setup.py is executed by the install process.
https://github.com/pypa/pipenv/security/advisories/GHSA-qc9x-gjcv-465w
52365: certifi <2022.12.07 resolved (2020.12.5 installed)!
Certifi 2022.12.07 includes a fix for CVE-2022-23491: Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.
https://github.com/certifi/python-certifi/security/advisories/GHSA-43fp-rhv2-5gv8
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ
51499: wheel <0.38.1 resolved (0.35.1 installed)!
An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli.
52495: setuptools <65.5.1 resolved (50.3.2 installed)!
Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
39611: pyyaml <5.4 resolved (5.3.1 installed)!
Pyyaml version 5.4 includes a fix for CVE-2020-14343: A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.
https://bugzilla.redhat.com/show_bug.cgi?id=1860466
45185: pylint <2.13.0 resolved (2.6.0 installed)!
Pylint 2.13.0 fixes a crash when using the doc_params extension.
https://github.com/PyCQA/pylint/issues/5322
39621: pylint <2.7.0 resolved (2.6.0 installed)!
Pylint 2.7.0 includes a fix for vulnerable regular expressions in 'pyreverse'.
40291: pip <21.1 resolved (20.2.4 installed)!
Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues.
42559: pip <21.1 resolved (20.2.4 installed)!
A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.
40072: lxml <4.6.3 resolved (4.6.2 installed)!
Lxml version 4.6.3 includes a fix for CVE-2021-28957: An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formation attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML.
https://bugs.launchpad.net/lxml/+bug/1888153
43366: lxml <4.6.5 resolved (4.6.2 installed)!
Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch.
50748: lxml <4.9.1 resolved (4.6.2 installed)!
Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.
39525: jinja2 <2.11.3 resolved (2.11.2 installed)!
This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the '_punctuation_re regex' operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.
47833: click <8.0.0 resolved (7.1.2 installed)!
Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'.
https://github.com/pallets/click/issues/1752
make: *** [Makefile:15: check] Error 1
[MyPy] Sleeping for 5 seconds due to JENKINS-32191...
[MyPy] Parsing console log (workspace: '/var/jenkins_home/jobs/SolidBlue_III/workspace')
[MyPy] Successfully parsed console log
[MyPy] -> found 0 issues (skipped 0 duplicates)
[MyPy] Skipping post processing
[MyPy] No filter has been set, publishing all 0 issues
[MyPy] Repository miner is not configured, skipping repository mining
[MyPy] Reference build recorder is not configured
[MyPy] Obtaining reference build from same job (SolidBlue III)
[MyPy] Using reference build 'SolidBlue_III #118' to compute new, fixed, and outstanding issues
[MyPy] Issues delta (vs. reference build): outstanding: 0, new: 0, fixed: 0
[MyPy] No quality gates have been set - skipping
[MyPy] Health report is disabled - skipping
[MyPy] Created analysis result for 0 issues (found 0 new issues, fixed 0 issues)
[MyPy] Attaching ResultAction with ID 'mypy' to build 'SolidBlue_III #119'.
[Checks API] No suitable checks publisher found.
[Pylint] Sleeping for 5 seconds due to JENKINS-32191...
[Pylint] Parsing console log (workspace: '/var/jenkins_home/jobs/SolidBlue_III/workspace')
[Pylint] Successfully parsed console log
[Pylint] -> found 0 issues (skipped 0 duplicates)
[Pylint] Skipping post processing
[Pylint] No filter has been set, publishing all 0 issues
[Pylint] Repository miner is not configured, skipping repository mining
[Pylint] Reference build recorder is not configured
[Pylint] Obtaining reference build from same job (SolidBlue III)
[Pylint] Using reference build 'SolidBlue_III #118' to compute new, fixed, and outstanding issues
[Pylint] Issues delta (vs. reference build): outstanding: 0, new: 0, fixed: 0
[Pylint] No quality gates have been set - skipping
[Pylint] Health report is disabled - skipping
[Pylint] Created analysis result for 0 issues (found 0 new issues, fixed 0 issues)
[Pylint] Attaching ResultAction with ID 'pylint' to build 'SolidBlue_III #119'.
[Checks API] No suitable checks publisher found.
Started calculate disk usage of build
Finished Calculation of disk usage of build in 0 seconds
Started calculate disk usage of workspace
Finished Calculation of disk usage of workspace in 0 seconds
Finished: SUCCESS