build.RunWrapper getRawBuild

Hello,

I am trying to capture the output of a Jenkins pipeline execution in case of errors and send it as an attachment in an email leveraging the AWS SES sendemail feature as part of the post action. However, when I try to use “def buildLog = currentBuild.rawBuild.getLog(1000)” in the pipeline post action, it prompts for an administrator to approve the signature “method org.jenkinsci.plugins.workflow.support.steps.build.RunWrapper getRawBuild” which seems to introduce a security vulnerability.

I am trying to understand if there is an alternate solution to get the build output and job link that can be shared in an email as an attachment. Thanks.

Welcome back @cloudy. :wave:

I have not tested it, but you could maybe use the archiveArtifacts step to save the build log as an artifact, and then use the emailext plugin to send the build log as an attachment.

Here’s how you could do it (untested):

First, you can add a step in your pipeline to save the build log as an artifact:

stage('Save build log') {
    steps {
        script {
            // Save the build log to a file
            sh 'echo "Build log" > build.log'
            // Archive the build log
            archiveArtifacts artifacts: 'build.log', fingerprint: true
        }
    }
}

Then, in the post action, use the emailext plugin to send the build log as an attachment:

post {
    always {
        emailext (
            to: 'email@example.com',
            subject: "Jenkins build ${env.BUILD_NUMBER}",
            body: "See the attached build log for details.",
            attachmentsPattern: '**/build.log',
            mimeType: 'text/plain'
        )
    }
}

Of course, email@example.com should be replaced with the actual recipient’s email address.
The attachmentsPattern is a pattern that matches the build.log file.
The mimeType is set to text/plain because the build log is a plain text file (right?).

This approach does not require the use of getRawBuild, so it should not prompt an administrator to approve the signature… at least I hope so. :person_shrugging:

There may be way better ways to address your issue, but this one is the only one that came to my mind. :wink:

Access to the RawBuild object is equivalent to giving the user full admin rights, so yeah, it should not be done lightly. You have a few options:

1 - as mentioned above, manually log to a file or variable - this will only be useful when you are running shell/batch commands, but you can run your commands with a tee/redirect to a file, and then get that file

2 - You can look for a plugin that does this. I am pretty sure there are some that will capture logs for you. Better yet, there are plugins that will monitor the log for specific output and act accordingly (i.e. detect an ERROR and do something) - this may be a best approach… as long as you find (or write) an appropriate plugin that does what you want

3 - Use a Global Pipeline Library. Jenkins has support for pipeline libraries that allow you to declare your own code/steps and write simple Groovy code for those. Since Global Pipeline Libraries require admin rights to set up, they run outside of the sandbox environment, meaning you can just get RawBuild and do whatever you want with it. Of course any security issues produced in your code are your responsibility in this case. Similarly, make sure you restrict who has access to write library code. Also, this will ONLY work with Global libs, not folder level or custom ones - the latter run in a sandbox environment and require approval

-HTH
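
An added example of option 3 above (not code from any poster in this thread): a Global Pipeline Library step that returns only the log text, so the sandboxed Jenkinsfile never touches `rawBuild`, plus a post action that attaches the log and includes the job link. The step name `buildLogTail`, the library name `ops-lib` and the `make` build command are assumptions for illustration; the `emailext` settings follow the earlier reply.

```groovy
// ---- File 1: vars/buildLogTail.groovy in a Global Pipeline Library ----
// (step name "buildLogTail" is hypothetical)
// Trusted library code runs outside the sandbox, so rawBuild needs no script approval here.
// The step returns plain text only; the Run object never reaches the calling Jenkinsfile.
String call(Map args = [:]) {
    // Cap the request so a caller cannot pull an unbounded log into memory.
    int maxLines = Math.min((args.maxLines ?: 200) as int, 1000)
    // Use rawBuild in a single expression: Run is not serializable and must not
    // be stored in a variable that survives across pipeline steps.
    return currentBuild.rawBuild.getLog(maxLines).join('\n')
}

// ---- File 2: Jenkinsfile (runs in the sandbox) ----
@Library('ops-lib') _   // hypothetical library name
pipeline {
    agent any
    stages {
        stage('Build') {
            steps { sh 'make' }   // placeholder build command
        }
    }
    post {
        failure {
            script {
                // Only the String returned by the library step is handled here.
                writeFile file: 'build.log', text: buildLogTail(maxLines: 1000)
            }
            archiveArtifacts artifacts: 'build.log'
            emailext(
                to: 'email@example.com',
                subject: "Jenkins build ${env.BUILD_NUMBER} failed",
                body: "Job: ${env.BUILD_URL}\nThe console log tail is attached.",
                attachmentsPattern: 'build.log',
                mimeType: 'text/plain'
            )
        }
    }
}
```

Because the library step is the only place `rawBuild` is used, write access to the library repository is the privilege boundary to protect.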