Hi,

I have an issue with password disclosure when using the M2 Release Plugin and 
entering the password.

During the release build the SCM password is passed to a child Maven 
instance and unfortunately dumped in plain text (not masked) to the log 
output. I would expect this password to be masked using the 'Default' 
Jenkins mechanism, but it is not.

As an easy test I've changed the goal to be executed in "Release goals and 
options" to "help:system". If I now start a release build and enter the SCM 
username/password, I can read in the log:

<===[JENKINS REMOTING CAPACITY]===>channel started

Executing Maven:  -B -f /export/sbs/jenkins/home/workspace/am-test/pom.xml 
-DdevelopmentVersion=2-SNAPSHOT -DreleaseVersion=1 -Dusername=jenkins 
help:system -Dpassword=*********

[INFO] Scanning for projects...

[INFO] *--- maven-help-plugin:2.2:system (default-cli) @ my-module --- *...
=============================================================================== 
System Properties 
=============================================================================== 
JOB_NAME=am-test ...

password=mysecretpassword
...

Bug or usage error? Any hint would be appreciated.


Kind Regards,
Andreas.
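
The following is an added example, not part of the original message or of any Jenkins plugin: a console-log check that takes the property names Jenkins masked on the "Executing Maven:" line and reports where the same property reappears with an unmasked value, as in the help:system dump quoted above. The function names and the sample log are constructed, and the log layout is assumed to match the excerpt in the message.

```python
import re

# Constructed sample modelled on the console output quoted in the message.
SAMPLE_LOG = """\
Executing Maven:  -B -f /export/sbs/jenkins/home/workspace/am-test/pom.xml -DdevelopmentVersion=2-SNAPSHOT -DreleaseVersion=1 -Dusername=jenkins help:system -Dpassword=*********
[INFO] Scanning for projects...
System Properties
JOB_NAME=am-test
password=mysecretpassword
"""

# A -Dname=**** argument: the value was masked on the command line.
MASKED_ARG = re.compile(r"-D([\w.]+)=\*+(?=\s|$)")
# A name=value line such as the ones printed by a system-properties dump.
PROP_LINE = re.compile(r"^\s*([\w.]+)=(.*)$")


def masked_properties(log_text):
    """Names of -D properties whose value was masked on an 'Executing Maven:' line."""
    names = set()
    for line in log_text.splitlines():
        if line.startswith("Executing Maven:"):
            names.update(MASKED_ARG.findall(line))
    return names


def find_leaks(log_text):
    """Return (line_number, property_name) for each masked property that
    reappears in the log as name=value with a value that is not all asterisks."""
    secret_names = masked_properties(log_text)
    leaks = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        match = PROP_LINE.match(line)
        if match and match.group(1) in secret_names and match.group(2).strip("*"):
            leaks.append((number, match.group(1)))
    return leaks


def redact(log_text):
    """Mask the value on every leaking line before the log is shared or archived."""
    lines = log_text.splitlines()
    for number, name in find_leaks(log_text):
        lines[number - 1] = f"{name}=********"
    return "\n".join(lines)
```

The check only reports the line number and property name, so its own output never repeats the secret value.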



