Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-28790

Sonar database credentials in build console output not masked since LTS version 1.596.3

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Critical Critical
    • core
    • Jenkins LTS 1.596.3 / 1.609.1 / 1.609.2 / 1.609.3
      SonarQube plugin version 2.2.1
      Windows 2012 R2
      Java 8
      Browser FireFox

      When using Jenkins LTS version 1.596.3 / 1.609.1 / 1.609.2 / 1.609.3 we've noticed that the passwords from Sonar builds in the buildlog weren't masked anymore but showed as plain text.
      After we downgraded Jenkins to version 1.596.2 the passwords were masked again.
      I've tested several versions of the SonarQube plugin but that didn't had any effect, therefor it seems to be a Jenkins related issue.

          [JENKINS-28790] Sonar database credentials in build console output not masked since LTS version 1.596.3

          Daniel Beck added a comment -

          Are all plugins also the same version between 1.596.2/1.596.3?

          Daniel Beck added a comment - Are all plugins also the same version between 1.596.2/1.596.3?

          Daniel Beck added a comment -

          Are these 'Maven top-level target' build steps in Maven or Freestyle projects? Or what kind of project/build step is affected?

          Daniel Beck added a comment - Are these 'Maven top-level target' build steps in Maven or Freestyle projects? Or what kind of project/build step is affected?

          Can you post surrounding build log lines (with your password erased of course) so we can investigate?

          Oliver Gondža added a comment - Can you post surrounding build log lines (with your password erased of course) so we can investigate?

          All plugin versions used remained the same.
          Here is a part of the logging:

          [xxx_xxxxx-xxxxx-xxxxx_sonar] $ D:\Buildtools\Apache_Maven\Apache-Maven-3.2.5\bin\mvn.bat -f D:\Jenkins_Slave1\workspace\xxx_xxxxx-xxxxx-xxxxx_sonar\pom.xml -e -B xxxxx:xxxxx -Dsonar.jdbc.url=jdbc:jtds:sqlserver://xxxxx;databaseName=xxxxx;SelectMethod=Cursor xxxxx xxxxx -Dsonar.host.url=http://xxxxx.xxxxx.xx:9000 xxxxx xxxxx
          [INFO] Error stacktraces are turned on.
          [INFO] Scanning for projects...

          Jan-Jaap Spijkerman added a comment - All plugin versions used remained the same. Here is a part of the logging: [xxx_xxxxx-xxxxx-xxxxx_sonar] $ D:\Buildtools\Apache_Maven\Apache-Maven-3.2.5\bin\mvn.bat -f D:\Jenkins_Slave1\workspace\xxx_xxxxx-xxxxx-xxxxx_sonar\pom.xml -e -B xxxxx:xxxxx -Dsonar.jdbc.url=jdbc:jtds:sqlserver://xxxxx;databaseName=xxxxx;SelectMethod=Cursor xxxxx xxxxx -Dsonar.host.url= http://xxxxx.xxxxx.xx:9000 xxxxx xxxxx [INFO] Error stacktraces are turned on. [INFO] Scanning for projects...

          Any update on this? And why is this assinged to "Sonar Team" since this seems to be a problem introduced by Jenkins.
          I've tested newer Jenkins releases and they still have this issue, this prevents us from updating to a newer version.

          Jan-Jaap Spijkerman added a comment - Any update on this? And why is this assinged to "Sonar Team" since this seems to be a problem introduced by Jenkins. I've tested newer Jenkins releases and they still have this issue, this prevents us from updating to a newer version.

          Dave Taddei added a comment -

          Also in Jenkins 1.634, SonarQube plugin 2.2.1. This is a MAJOR issue for us. Any idea when this will be repaired?

          Dave Taddei added a comment - Also in Jenkins 1.634, SonarQube plugin 2.2.1. This is a MAJOR issue for us. Any idea when this will be repaired?

          Jan-Jaap Spijkerman added a comment - - edited

          I've found the cause of this issue finally.

          The problem is caused by this change: https://github.com/jenkinsci/jenkins/commit/9e30f50065b8bb213c6571f325e5e1d5008281ce
          The solution for this is to revert the Maven.class file inside the jenkins-core-1.625.3.jar file.

          1. Extract jenkins-core-1.625.3.jar (Tomcat 8.0\webapps\ROOT\WEB-INF\lib)
          2. Go to the folder /hudson/tasks
          3. Replace the Maven.class file with the version out of Jenkins LTS 1.596.2
          4. Zip all folders again to get your .jar file again.
          5. Override your modded jenkins-core-1.625.3.jar file
          6. Start Jenkins

          The only thing that you have changed with this, is removing the following srouce code from the Maven.class file:

          if (!launcher.isUnix())

          { args = args.toWindowsCommand(); }

          I'm not certain yet what the impact of this is though.

          Jan-Jaap Spijkerman added a comment - - edited I've found the cause of this issue finally. The problem is caused by this change: https://github.com/jenkinsci/jenkins/commit/9e30f50065b8bb213c6571f325e5e1d5008281ce The solution for this is to revert the Maven.class file inside the jenkins-core-1.625.3.jar file. Extract jenkins-core-1.625.3.jar (Tomcat 8.0\webapps\ROOT\WEB-INF\lib) Go to the folder /hudson/tasks Replace the Maven.class file with the version out of Jenkins LTS 1.596.2 Zip all folders again to get your .jar file again. Override your modded jenkins-core-1.625.3.jar file Start Jenkins The only thing that you have changed with this, is removing the following srouce code from the Maven.class file: if (!launcher.isUnix()) { args = args.toWindowsCommand(); } I'm not certain yet what the impact of this is though.

          Daniel Beck added a comment -

          Seems the fix for JENKINS-26684 caused this.

          Daniel Beck added a comment - Seems the fix for JENKINS-26684 caused this.

          Hi danielbeck before that https://github.com/jenkinsci/jenkins/blob/master/core/src/main/java/hudson/tasks/Maven.java#L327 the ArgumentListBuilder has the masked arguments properly set, but by the execution of args = args.toWindowsCommand(); we are instantiating a new one with three args and none of them masked as you can see https://github.com/jenkinsci/jenkins/blob/master/core/src/main/java/hudson/util/ArgumentListBuilder.java#L352

          Emilio Escobar added a comment - Hi danielbeck before that https://github.com/jenkinsci/jenkins/blob/master/core/src/main/java/hudson/tasks/Maven.java#L327 the ArgumentListBuilder has the masked arguments properly set, but by the execution of args = args.toWindowsCommand(); we are instantiating a new one with three args and none of them masked as you can see https://github.com/jenkinsci/jenkins/blob/master/core/src/main/java/hudson/util/ArgumentListBuilder.java#L352

          Code changed in jenkins
          User: Emilio Escobar
          Path:
          core/src/main/java/hudson/util/ArgumentListBuilder.java
          core/src/test/java/hudson/util/ArgumentListBuilderTest.java
          http://jenkins-ci.org/commit/jenkins/b9a72bcd967fd8b0d422ccf81daf1de576702fd1
          Log:
          JENKINS-28790 solved the issue masked parameters not masked in windows system. toWindowsCommand joins all args in one, missing masked.

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Emilio Escobar Path: core/src/main/java/hudson/util/ArgumentListBuilder.java core/src/test/java/hudson/util/ArgumentListBuilderTest.java http://jenkins-ci.org/commit/jenkins/b9a72bcd967fd8b0d422ccf81daf1de576702fd1 Log: JENKINS-28790 solved the issue masked parameters not masked in windows system. toWindowsCommand joins all args in one, missing masked.

          Code changed in jenkins
          User: Emilio Escobar
          Path:
          core/src/test/java/hudson/util/ArgumentListBuilderTest.java
          http://jenkins-ci.org/commit/jenkins/7fb1ac9d9f1bc006ca9d90ccaef402eaba4404a2
          Log:
          JENKINS-28790 Baptiste comments fixed

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Emilio Escobar Path: core/src/test/java/hudson/util/ArgumentListBuilderTest.java http://jenkins-ci.org/commit/jenkins/7fb1ac9d9f1bc006ca9d90ccaef402eaba4404a2 Log: JENKINS-28790 Baptiste comments fixed

          Code changed in jenkins
          User: Emilio Escobar
          Path:
          core/src/main/java/hudson/util/ArgumentListBuilder.java
          http://jenkins-ci.org/commit/jenkins/5423f695ab83ec7d49daae538d25177872b0aada
          Log:
          JENKINS-28790 NIT: tabulation issue

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Emilio Escobar Path: core/src/main/java/hudson/util/ArgumentListBuilder.java http://jenkins-ci.org/commit/jenkins/5423f695ab83ec7d49daae538d25177872b0aada Log: JENKINS-28790 NIT: tabulation issue

          Code changed in jenkins
          User: Emilio Escobar
          Path:
          core/src/main/java/hudson/util/ArgumentListBuilder.java
          http://jenkins-ci.org/commit/jenkins/344e917cc4a1096bb1805b14f0f2e45978b62757
          Log:
          JENKINS-28790 added valentina condition when the first argument is quoted.

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Emilio Escobar Path: core/src/main/java/hudson/util/ArgumentListBuilder.java http://jenkins-ci.org/commit/jenkins/344e917cc4a1096bb1805b14f0f2e45978b62757 Log: JENKINS-28790 added valentina condition when the first argument is quoted.

          Code changed in jenkins
          User: Daniel Beck
          Path:
          core/src/main/java/hudson/util/ArgumentListBuilder.java
          core/src/test/java/hudson/util/ArgumentListBuilderTest.java
          http://jenkins-ci.org/commit/jenkins/074890c09379b9b3254c71ab90b9db4b134c3628
          Log:
          Merge pull request #2015 from escoem/JENKINS-28790

          [FIX JENKINS-28790] Masked parameters are now hidden on Windows

          Compare: https://github.com/jenkinsci/jenkins/compare/2d9d7bbe214f...074890c09379

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Daniel Beck Path: core/src/main/java/hudson/util/ArgumentListBuilder.java core/src/test/java/hudson/util/ArgumentListBuilderTest.java http://jenkins-ci.org/commit/jenkins/074890c09379b9b3254c71ab90b9db4b134c3628 Log: Merge pull request #2015 from escoem/ JENKINS-28790 [FIX JENKINS-28790] Masked parameters are now hidden on Windows Compare: https://github.com/jenkinsci/jenkins/compare/2d9d7bbe214f...074890c09379

          dogfood added a comment -

          Integrated in jenkins_main_trunk #4491

          Result = SUCCESS

          dogfood added a comment - Integrated in jenkins_main_trunk #4491 Result = SUCCESS

          Code changed in jenkins
          User: Emilio Escobar
          Path:
          core/src/main/java/hudson/util/ArgumentListBuilder.java
          core/src/test/java/hudson/util/ArgumentListBuilderTest.java
          http://jenkins-ci.org/commit/jenkins/0782aa567b4d2cf52aec5f5f5e0e8440c01edae4
          Log:
          JENKINS-28790 solved the issue masked parameters not masked in windows system. toWindowsCommand joins all args in one, missing masked.

          (cherry picked from commit b9a72bcd967fd8b0d422ccf81daf1de576702fd1)

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Emilio Escobar Path: core/src/main/java/hudson/util/ArgumentListBuilder.java core/src/test/java/hudson/util/ArgumentListBuilderTest.java http://jenkins-ci.org/commit/jenkins/0782aa567b4d2cf52aec5f5f5e0e8440c01edae4 Log: JENKINS-28790 solved the issue masked parameters not masked in windows system. toWindowsCommand joins all args in one, missing masked. (cherry picked from commit b9a72bcd967fd8b0d422ccf81daf1de576702fd1)

          Code changed in jenkins
          User: Emilio Escobar
          Path:
          core/src/test/java/hudson/util/ArgumentListBuilderTest.java
          http://jenkins-ci.org/commit/jenkins/f6db6670a8f9107f189fedc4fed07b1bbc6a7dc3
          Log:
          JENKINS-28790 Baptiste comments fixed

          (cherry picked from commit 7fb1ac9d9f1bc006ca9d90ccaef402eaba4404a2)

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Emilio Escobar Path: core/src/test/java/hudson/util/ArgumentListBuilderTest.java http://jenkins-ci.org/commit/jenkins/f6db6670a8f9107f189fedc4fed07b1bbc6a7dc3 Log: JENKINS-28790 Baptiste comments fixed (cherry picked from commit 7fb1ac9d9f1bc006ca9d90ccaef402eaba4404a2)

          Code changed in jenkins
          User: Emilio Escobar
          Path:
          core/src/main/java/hudson/util/ArgumentListBuilder.java
          http://jenkins-ci.org/commit/jenkins/717c5f56bcaa8fcfae109dd87a7c6e4069a3baed
          Log:
          JENKINS-28790 NIT: tabulation issue

          (cherry picked from commit 5423f695ab83ec7d49daae538d25177872b0aada)

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Emilio Escobar Path: core/src/main/java/hudson/util/ArgumentListBuilder.java http://jenkins-ci.org/commit/jenkins/717c5f56bcaa8fcfae109dd87a7c6e4069a3baed Log: JENKINS-28790 NIT: tabulation issue (cherry picked from commit 5423f695ab83ec7d49daae538d25177872b0aada)

          Code changed in jenkins
          User: Emilio Escobar
          Path:
          core/src/main/java/hudson/util/ArgumentListBuilder.java
          http://jenkins-ci.org/commit/jenkins/f24c536676fe9df50fd499b51c4b4ff2e6edc40c
          Log:
          JENKINS-28790 added valentina condition when the first argument is quoted.

          (cherry picked from commit 344e917cc4a1096bb1805b14f0f2e45978b62757)

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Emilio Escobar Path: core/src/main/java/hudson/util/ArgumentListBuilder.java http://jenkins-ci.org/commit/jenkins/f24c536676fe9df50fd499b51c4b4ff2e6edc40c Log: JENKINS-28790 added valentina condition when the first argument is quoted. (cherry picked from commit 344e917cc4a1096bb1805b14f0f2e45978b62757)

            escoem Emilio Escobar
            janjaap Jan-Jaap Spijkerman
            Votes:
            7 Vote for this issue
            Watchers:
            10 Start watching this issue

              Created:
              Updated:
              Resolved: