Details
-
Type:
Improvement
-
Status: Closed (View Workflow)
-
Priority:
Critical
-
Resolution: Not A Defect
-
Component/s: m2release-plugin
-
Labels:None
-
Similar Issues:
Description
I've a issue with password disclosure when using the M2 Release Plugin and entering the password.
During the release build the SCM Password is passed to a child maven instance and unfortunately dumped in plain text (not masked) to the log output. I would expect that this password is masked using the 'Default' Jenkins mechanism but it is not.
As a easy test I've changed the goal to be executed as "Release goals and options" to "help:system". If I now start a release build and enter scm username/password. I can read in the Log:
<===[JENKINS REMOTING CAPACITY]===>channel started Executing Maven: -B -f /export/sbs/jenkins/home/workspace/am-test/pom.xml -DdevelopmentVersion=2-SNAPSHOT -DreleaseVersion=1 -Dusername=jenkins help:system -Dpassword=********* [INFO] Scanning for projects... [INFO] --- maven-help-plugin:2.2:system (default-cli) @ my-module --- ... =============================================================================== System Properties =============================================================================== JOB_NAME=am-test ... password=mysecretpassword ...
see also https://groups.google.com/forum/#!topic/jenkinsci-users/uHEszf8DHac (incl. a workaround)
Attachments
Issue Links
- links to
Activity
The same will happen if "SCM password environment variable" is configured.
The thing with the output above is that the maven-help-plugin prints all environment variables as part of the Maven build execution. If the Jenkins m2release plugin could mask that it would be great.
However, that is not the only problem as these passwords are also revealed as part of the Jenkins Maven plugin: JENKINS-4428
I think this is rather a bug in maven-release-plugin. It should be forking a child process in a way that does not involve printing the password to stdout.
It looks like the upstream bug in maven-release-plugin is fixed.
https://issues.apache.org/jira/browse/SCM-811
Since the fix is from May of this year, I'm closing this as Invalid/Won't Fix.
Ryan Campbell
added a comment - It looks like the upstream bug in maven-release-plugin is fixed.
https://issues.apache.org/jira/browse/SCM-811
Since the fix is from May of this year, I'm closing this as Invalid/Won't Fix. Why not store the password parameter as PasswordParameterValue so that it can be handled as such?
Anders Hammar Sorry I did not get this before, you can use the Password Mask functionality of the EnvInject or the Mask Passwords Plugin.
Andreas Mandel
added a comment - Why not store the password parameter as PasswordParameterValue so that it can be handled as such?
Anders Hammar Sorry I did not get this before, you can use the Password Mask functionality of the EnvInject or the Mask Passwords Plugin . 
maven-release-plugin should not by default show the password - so this is an issue with the upstream plugin.
Will attempt to see if a workaround is possible