When running a maven job, it is possible to monitor the maven process.
Upon clicking on the 'Monitor Maven Process' link (http://my-jenkins:8080/job/MyMavenJob/123/probe/?), a page opens with the following options in the left column:
- System Properties
- Environment Variables
- Thread Dump
- Script Console
Clicking on either System Properties (http://my-jenkins:8080/job/MyMavenJob/123/probe/systemProperties) and/or Environment Variables (http://my-jenkins:8080/job/MyMavenJob/123/probe/envVars) it is possible to see all the passwords set in the Jenkins Management pages in plain text.
In contrast, the Environment Variables of a free-style job show the same table, but with the encrypted Password values.
Am I doing anything wrong here or is there a bug in the presentation of such passwords?
Just for completeness, I have the Mask Passwords Plugin installed and the following configured in my Maven Job.
- Inject passwords to the build as environment variables
- Global Passwords
- Mask passwords (and enable global passwords)
Thanks a lot,