-
Bug
-
Resolution: Done
-
Minor
-
Ubuntu (16)
Jenkins (2.164.3) runs as a Docker container
Maven – installed automatically (3.5.4)
Maven Integration Plugin (3.3)
Mask Password Plugin (2.12.0)
Hi all, currently we are facing a problem within a Maven build project. It contains several modules, where each build will be triggered as a separate downstream job. Our credentials are configured as secret text and username/password combinations in the binding section of the parent build project. They are passed as additional properties within “goals and options” to the Maven build (e.g. clean install –Pprofile1 -Dpassword=${SECRET_PASSWORD}). In the first downstream job, Maven is logging all passed parameters UNMASKED, regardless if they are credentials or not.
We already tried a couple of things, like configuring which parameters should be automatically masked, passing credentials by “Inject passwords to the build as environment variables” and “Mask passwords and regexes (and enable global passwords). Nevertheless, nothing seems to work.
If we trigger the Maven build directly by using a Shell and no downstream build jobs are triggered, no credentials are exposed. Somehow Maven is logging our credentials in plain text only in downstream jobs.
Example
Console log of parent project_X__feature_X:
15:14:46 Executing Maven: -B -f /home/jenkins-slave/workspace/feature_X/project_X/pom.xml -Dmaven.repo.local=/home/jenkins-slave/workspace/feature_X/.repository -s /tmp/settings.xml clean install sonar:sonar -Pprofile1 -Dparam1=**** -Dparam2=****
15:14:49 [INFO] Scanning for projects...
Console log of module 1 of project_X__feature_X:
Executing Maven: -B -f /home/jenkins-slave/workspace/feature_X/project_X/pom.xml -Dmaven.repo.local=/home/jenkins-slave/workspace/feature_X/.repository -s /tmp/settings.xml clean install sonar:sonar -Pprofile1 -Dparam1=unmasked-password -Dparam2=unmasked-password
[INFO] Scanning for projects...