Issue Type: Improvement
Assignee: James Nord
Components: m2release-plugin
Created: 09/Apr/15 4:37 PM
Description:

I've an issue with password disclosure when using the M2 Release Plugin and entering the password.

During the release build the SCM Password is passed to a child maven instance and unfortunately dumped in plain text (not masked) to the log output. I would expect that this password is masked using the 'Default' Jenkins mechanism but it is not.

As an easy test I've changed the goal to be executed as "Release goals and options" to "help:system". If I now start a release build and enter the SCM username/password, I can read in the log:

<===[JENKINS REMOTING CAPACITY]===>channel started

Executing Maven:  -B -f /export/sbs/jenkins/home/workspace/am-test/pom.xml -DdevelopmentVersion=2-SNAPSHOT -DreleaseVersion=1 -Dusername=jenkins help:system -Dpassword=*********

[INFO] Scanning for projects...

[INFO] --- maven-help-plugin:2.2:system (default-cli) @ my-module ---
...
===============================================================================
System Properties
===============================================================================

JOB_NAME=am-test
...

password=mysecretpassword

...

see also https://groups.google.com/forum/#!topic/jenkinsci-users/uHEszf8DHac (incl. a workaround)

Project: Jenkins
Priority: Critical
Reporter: Andreas Mandel
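
An added example, not part of the original report or of the m2release plugin: a Python check that scans a build console log for sensitive properties printed in clear text, covering both the `-Dpassword=` command-line form (masked in the log above) and the `password=` line from the System Properties dump (not masked). The key-name list and the function name are assumptions; the sample lines are taken from the log in the report.

```python
import re

# Property names treated as sensitive (assumption; extend for your environment).
SENSITIVE_KEY = re.compile(r"(?i)(?:^|[._-])(password|passwd|passphrase|secret|token)$")
# -Dkey=value arguments on a Maven command line.
CLI_PROP = re.compile(r"(?<!\S)-D([A-Za-z0-9._-]+)=(\S*)")
# key=value on its own line, the layout help:system uses for its property dump.
DUMP_PROP = re.compile(r"^\s*([A-Za-z0-9._-]+)=(.*)$")
# A value consisting only of asterisks counts as masked.
MASKED = re.compile(r"^\*+$")

# Sample lines taken from the log quoted in the report.
SAMPLE_LOG = """\
Executing Maven:  -B -f /export/sbs/jenkins/home/workspace/am-test/pom.xml -DdevelopmentVersion=2-SNAPSHOT -DreleaseVersion=1 -Dusername=jenkins help:system -Dpassword=*********
[INFO] --- maven-help-plugin:2.2:system (default-cli) @ my-module ---
System Properties
JOB_NAME=am-test
password=mysecretpassword
"""


def find_unmasked_secrets(log_text):
    """Return (line_no, source, key) for each sensitive property whose value
    appears in clear text. Values are never returned, so the report itself
    cannot leak them."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        cli = CLI_PROP.findall(line)
        if cli:
            pairs = [("command-line", k, v) for k, v in cli]
        else:
            m = DUMP_PROP.match(line)
            pairs = [("property-dump", m.group(1), m.group(2).strip())] if m else []
        for source, key, value in pairs:
            if SENSITIVE_KEY.search(key) and value and not MASKED.match(value):
                findings.append((line_no, source, key))
    return findings


if __name__ == "__main__":
    for line_no, source, key in find_unmasked_secrets(SAMPLE_LOG):
        print(f"line {line_no}: '{key}' exposed in {source}")
```

Run over archived console logs, this flags builds where a credential passed as a system property was echoed by a child Maven process even though the launch command line was masked.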