[
https://issues.apache.org/jira/browse/MRELEASE-928?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15081918#comment-15081918
]
Michael Osipov commented on MRELEASE-928:
-----------------------------------------
Yes, go ahead and close it.
> exposing the password for SCM URL if build failed to commit files to SCM
> ------------------------------------------------------------------------
>
> Key: MRELEASE-928
> URL: https://issues.apache.org/jira/browse/MRELEASE-928
> Project: Maven Release Plugin
> Issue Type: Bug
> Components: Git, prepare, scm
> Affects Versions: 2.5.2, 2.5.3
> Reporter: vishal sahasrabuddhe
> Priority: Critical
> Labels: security
>
> Hi,
> When we run the release prepare and perform, if it fails to commit files
> due to any reason (tag exist, wrong passwd, wrong URL etc), it exposes the
> password along with error, here is the sample log.
> [ERROR] Failed to execute goal
> org.apache.maven.plugins:maven-release-plugin:2.5.3:prepare (default-cli) on
> project device: Unable to commit files
> [ERROR] Provider message:
> [ERROR] The git-push command failed.
> [ERROR] Command output:
> [ERROR] remote: Not Found
> [ERROR] fatal: repository
> 'https://bot:bot123@gitlab.<something>.com/sandbox1/device.git/' not found
> [ERROR] -> [Help 1]
> [ERROR]
> [ERROR] To see the full stack trace of the errors, re-run Maven with the -e
> switch.
> [ERROR] Re-run Maven using the -X switch to enable full debug logging.
> [ERROR]
> [ERROR] For more information about the errors and possible solutions, please
> read the following articles:
> [ERROR] [Help 1]
> http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
> I have tested with other types of error to like tag exist, and found similar
> error message with exposed password with error.
> My SCM is git
> maven version is Apache Maven 3.2.5
> -Vishal
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
