Trying to diagnose an issue with Safepoint being rejected.

src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/Whitelist.java

@@ -25,12 +25,14 @@
 package org.jenkinsci.plugins.scriptsecurity.sandbox;
 
 import hudson.Extension;
+import hudson.ExtensionList;
 import hudson.ExtensionPoint;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.Field;
 import java.lang.reflect.Method;
 import java.util.Map;
 import java.util.WeakHashMap;
+import java.util.logging.Logger;
 import javax.annotation.CheckForNull;
 import javax.annotation.Nonnull;
 import jenkins.model.Jenkins;
@@ -42,6 +44,8 @@
  */
 public abstract class Whitelist implements ExtensionPoint {
 
+    private static final Logger LOGGER = Logger.getLogger(Whitelist.class.getName());
+
     /**
      * Checks whether a given virtual method may be invoked.
      * <p>Note that {@code method} should not be implementing or overriding a method in a supertype;
@@ -73,11 +77,18 @@ public abstract class Whitelist implements ExtensionPoint {
     public static synchronized @Nonnull Whitelist all() {
         Jenkins j = Jenkins.getInstanceOrNull();
         if (j == null) {
+            LOGGER.warning("No Jenkins.instance");
             return new ProxyWhitelist();
         }
         Whitelist all = allByJenkins.get(j);
         if (all == null) {
-            all = new ProxyWhitelist(j.getExtensionList(Whitelist.class));
+            ExtensionList<Whitelist> allWhitelists = j.getExtensionList(Whitelist.class);
+            if (allWhitelists.isEmpty()) {
+                LOGGER.warning("Empty list of Whitelist");
+            } else {
+                /*TODO LOGGER.fine*/System.err.println("Loading whitelists: " + allWhitelists);
+            }
+            all = new ProxyWhitelist(allWhitelists);
             allByJenkins.put(j, all);
         }
         return all;

src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptor.java

@@ -56,6 +56,7 @@
 import org.codehaus.groovy.tools.DgmConverter;
 import org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException;
 import org.jenkinsci.plugins.scriptsecurity.sandbox.Whitelist;
+import org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.AnnotatedWhitelist;
 import org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.EnumeratingWhitelist;
 import org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist;
 import org.kohsuke.groovy.sandbox.GroovyInterceptor;
@@ -185,6 +186,9 @@ final class SandboxInterceptor extends GroovyInterceptor {
         } else if (whitelist.permitsStaticMethod(m, args)) {
             return super.onStaticCall(invoker, receiver, method, args);
         } else {
+            if (m.getDeclaringClass().getName().equals("org.jenkinsci.plugins.workflow.cps.Safepoint")) {
+                LOGGER.warning(() -> "Failed to permit " + m + " defined in " + receiver.getClassLoader() + " with args " + Arrays.toString(args) + " from " + whitelist + "; compare AnnotatedWhitelist: " + new AnnotatedWhitelist().permitsStaticMethod(m, args));
+            }
             throw StaticWhitelist.rejectStaticMethod(m);
         }
     }

src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/ProxyWhitelist.java

@@ -252,4 +252,13 @@ public ProxyWhitelist(Whitelist... delegates) {
         return false;
     }
 
+    @Override public String toString() {
+        lock.readLock().lock();
+        try {
+            return super.toString() + delegates;
+        } finally {
+            lock.readLock().unlock();
+        }
+    }
+
 }