-
Bug
-
Resolution: Fixed
-
Minor
-
None
-
-
3.7
In our pipeline we are using a password parameter with an empty default value. After upgrading to wokflow-cps-plugin version 2.85 we are getting in the build log a warning "A secret was passed to "echo" using Groovy String interpolation, which is insecure." for string interpolations, if the paramater's value is not set for the build.
As an example when running a simple pipeline:
pipeline {
agent any
parameters {
string(name: 'PERSON', defaultValue: 'MrJenkins', description: 'Who should I say hello to?')
password(name: 'PASSWORD', defaultValue: '', description: 'Enter a password')
}
stages {
stage('Example') {
steps {
echo "Hello ${params.PERSON}"
}
}
}
}
we are getting warning:
[Pipeline] } [Pipeline] // stage [Pipeline] withEnv Warning: A secret was passed to "withEnv" using Groovy String interpolation, which is insecure. Affected argument(s) used the following variable(s): [PASSWORD] See https://jenkins.io/redirect/groovy-string-interpolation for details. [Pipeline] { [Pipeline] stage [Pipeline] { (Example) [Pipeline] echo Warning: A secret was passed to "echo" using Groovy String interpolation, which is insecure. Affected argument(s) used the following variable(s): [PASSWORD] See https://jenkins.io/redirect/groovy-string-interpolation for details. HelloMrJenkins [Pipeline] }
Looks like the interpolation check looks for an empty value in the string interpolation.
Is it possible not to check in case of an empty secret?
This is probably best handled in workflow-support, but I'm also hardening workflow-cps as well.
workflow-support PR: https://github.com/jenkinsci/workflow-support-plugin/pull/112
workflow-cps PR : https://github.com/jenkinsci/workflow-cps-plugin/pull/401