[JIRA] [m2release-plugin] (JENKINS-27869) entered SCM password should be masked in output

Thu, 09 Apr 2015 09:39:29 -0700

Issue Type: Improvement Improvement
Assignee: James Nord
Components: m2release-plugin
Created: 09/Apr/15 4:37 PM
Description:

I've a issue with password disclosure when using the M2 Release Plugin and entering the password.

During the release build the SCM Password is passed to a child maven instance and unfortunately dumped in plain text (not masked) to the log output. I would expect that this password is masked using the 'Default' Jenkins mechanism but it is not.

As a easy test I've changed the goal to be executed as "Release goals and options" to "help:system". If I now start a release build and enter scm username/password. I can read in the Log:

<===[JENKINS REMOTING CAPACITY]===>channel started

Executing Maven:  -B -f /export/sbs/jenkins/home/workspace/am-test/pom.xml -DdevelopmentVersion=2-SNAPSHOT -DreleaseVersion=1 -Dusername=jenkins help:system -Dpassword=*********

[INFO] Scanning for projects...

[INFO] --- maven-help-plugin:2.2:system (default-cli) @ my-module ---
...
===============================================================================
System Properties
===============================================================================

JOB_NAME=am-test
...

password=mysecretpassword

...

see also https://groups.google.com/forum/#!topic/jenkinsci-users/uHEszf8DHac (incl. a workaround)
Project: Jenkins
Priority: Critical Critical
Reporter: Andreas Mandel
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators.
For more information on JIRA, see: http://www.atlassian.com/software/jira

--
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to