gnodet commented on PR #22344:
URL: https://github.com/apache/camel/pull/22344#issuecomment-4168403737
_Claude Code on behalf of Guillaume Nodet_
Correction to my previous suggestion — generic XPath paths aren't specific
enough. A `<password>` element means different things in different plugin
configurations. The approach should be **plugin/mojo-aware**:
### Refined approach: plugin-aware sensitive parameter catalog
1. **Maintain a catalog of known plugins and their sensitive configuration
parameters:**
```
maven-deploy-plugin → [password]
maven-jarsigner-plugin → [storepass, keypass]
docker-maven-plugin → [password, authConfig/password]
sql-maven-plugin → [password]
maven-scm-plugin → [password, passphrase]
...
```
2. **Parse the POM as XML**, identify each `<plugin>` by its `<artifactId>`,
look up its sensitive config params in the catalog.
3. **Trace property references**: if a sensitive param uses `${prop.name}`,
resolve it back to `<properties>` and mask the property value there.
4. **Known property conventions**: some plugins use well-known Maven
properties by convention (e.g., `${gpg.passphrase}`, `${docker.password}`) —
these can be flagged directly in `<properties>` even without tracing.
This is more work than the current regex, but it's precise — no false
positives on `<token-refresh-interval>`, no false negatives on credentials in
non-obviously-named elements, and no need to strip entire POM sections.