  1. Jenkins
  2. JENKINS-27869

entered SCM password should be masked in output


    • Type: Improvement
    • Resolution: Not A Defect
    • Priority: Critical
    • m2release-plugin
    • None

      I have an issue with password disclosure when using the M2 Release Plugin and entering the password.

      During the release build the SCM Password is passed to a child maven instance and unfortunately dumped in plain text (not masked) to the log output. I would expect that this password is masked using the 'Default' Jenkins mechanism but it is not.

      As an easy test I've changed the goal to be executed as "Release goals and options" to "help:system". If I now start a release build and enter the SCM username/password, I can read in the log:

      <===[JENKINS REMOTING CAPACITY]===>channel started
      
      Executing Maven:  -B -f /export/sbs/jenkins/home/workspace/am-test/pom.xml -DdevelopmentVersion=2-SNAPSHOT -DreleaseVersion=1 -Dusername=jenkins help:system -Dpassword=*********
      
      [INFO] Scanning for projects...
      
      [INFO] --- maven-help-plugin:2.2:system (default-cli) @ my-module ---
      ...
      ===============================================================================
      System Properties
      ===============================================================================
      
      JOB_NAME=am-test
      ...
      
      password=mysecretpassword
      
      ...
      

      See also https://groups.google.com/forum/#!topic/jenkinsci-users/uHEszf8DHac (incl. a workaround)

            Assignee: Unassigned
            Reporter: Andreas Mandel (andreasmandel)
            Votes: 0
            Watchers: 5
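The log quoted in the report shows the password masked on the "Executing Maven" line but printed in clear text by the child Maven process. The following added example (not code from Jenkins or the M2 Release Plugin) contrasts a filter that masks only the `-Dpassword=` argument with one that masks the secret value wherever it appears; the function names and the sample log lines are constructed for illustration.

```python
import re

MASK = "*********"

# Constructed log lines modelled on the output quoted in the report.
SAMPLE_LOG = [
    "Executing Maven:  -B -f pom.xml -Dusername=jenkins help:system -Dpassword=mysecretpassword",
    "[INFO] --- maven-help-plugin:2.2:system (default-cli) @ my-module ---",
    "JOB_NAME=am-test",
    "password=mysecretpassword",
]

ARG_PATTERN = re.compile(r"(-Dpassword=)\S+")


def mask_arguments(line):
    """Mask only the -Dpassword=<value> argument form (hypothetical filter)."""
    return ARG_PATTERN.sub(lambda m: m.group(1) + MASK, line)


def make_value_masker(secrets, min_length=4):
    """Return a filter that replaces every occurrence of a known secret value.

    Empty or very short secrets are skipped, because masking them would
    rewrite unrelated text in the log.
    """
    usable = sorted({s for s in secrets if s and len(s) >= min_length},
                    key=len, reverse=True)  # longest first so overlaps mask fully
    if not usable:
        return lambda line: line
    pattern = re.compile("|".join(re.escape(s) for s in usable))
    return lambda line: pattern.sub(MASK, line)


def leaked_lines(lines, secret):
    """Return the lines that still contain the secret after filtering."""
    return [line for line in lines if secret in line]


if __name__ == "__main__":
    secret = "mysecretpassword"
    masker = make_value_masker([secret])
    by_argument = [mask_arguments(line) for line in SAMPLE_LOG]
    by_value = [masker(line) for line in SAMPLE_LOG]
    print("argument masking leaks:", leaked_lines(by_argument, secret))
    print("value masking leaks:   ", leaked_lines(by_value, secret))
```

Value-based masking only covers the literal string it is given; an encoded or transformed copy of the secret in the output would still pass through.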