Velocity Method Allowlist Issue After Jira 10.5.x Upgrade – Need Generic Solution for Plugins Using

Hi Atlassian Community,

We recently upgraded our Jira Data Center instance from version 10.4. x to 10.5.x, and we are now facing issues with rendering velocity templates in our custom plugin (ARNR Plugin) using com.atlassian.templaterenderer.TemplateRenderer.

Previously, everything worked fine. But after the upgrade, we are encountering method invocation blocked warnings like below:

Invocation blocked as method is not allowlisted: com.amoeboids.apps.arn.service.common.StaticResourceProviderImpl#getResourcePath(java.lang.String)
Invocation blocked as method is not allowlisted: com.amoeboids.apps.arn.service.common.I18nImpl#getText(java.lang.String)

These are coming from Velocity templates that we use for UI and email content rendering. We have over 40 velocity templates referencing numerous Java methods across various classes. While we understand the introduction of stricter security and the use of <velocity-allowlist> in atlassian-plugin.xml Managing and manually whitelisting each method is not scalable for a large plugin like ours.

We applied a workaround using:

 <velocity-allowlist key="arnr-velocity-allowlist" name="ARNR Velocity Allowlist" state="enabled"> 
    <method>com.amoeboids.apps.arn.service.common.StaticResourceProviderImpl#getResourcePath(java.lang.String)</method> 
    <method>com.amoeboids.apps.arn.service.common.I18nImpl#getText(java.lang.String)</method>
</velocity-allowlist>

But this means we now have to track and explicitly list each method used in all templates, which is error-prone and adds significant overhead.

Ask:

Is there a generic or recommended approach for plugin developers to:

• Allowlist all methods of a specific class?

• Allowlist all velocity method invocations from within the plugin?

• Bypass the restriction for trusted internal plugins?

Or is there any Atlassian-supported alternative to simplify the allowlist configuration for large-scale usage of Velocity templates?