JENKINS-64631: String interpolation warning too broad; should apply to only passwords, not usernames as well.

    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Component: core
    • None
    • Environment:
      Jenkins version: 2.263.1
      OS: Linux - Official Jenkins docker image from Dockerhub jenkins/jenkins
      JDK master: openjdk version "1.8.0_242" (as bundled in image)
    • 1.27

      Note: I am aware of JENKINS-64282 but this concerns an empty default parameter which seems to be a different situation.

      Jenkins is logging a warning as follows:

      [2021-01-13T09:00:47.805Z] Warning: A secret was passed to "sh" using Groovy String interpolation, which is insecure.
      [2021-01-13T09:00:47.808Z]               Affected argument(s) used the following variable(s): [SOME_USERNAME]

      One of our credentials uses "jenkins" as a username needed by some jobs to speak to an external system. This new warning appears with any use of the string "jenkins" even if it was not sourced and interpolated from the actual secret.

      The credential in question is a "Username with password" type being sourced from a "usernamePassword" Groovy Jenkinsfile step.

      Can this warning only apply to the password itself? Or could there be an opt-in option whereby this warning can be limited to only the password string?
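As an added illustration (not part of the issue or of the credentials-binding plugin), the Declarative pipeline below shows the form of `sh` call that triggers the warning quoted above and the form that avoids it. It assumes a "Username with password" credential with the id 'external-system' and the hypothetical host example.invalid.

```groovy
// Added example: how the "secret passed to sh using Groovy String interpolation"
// warning arises and how to avoid it. Assumes a "Username with password"
// credential with id 'external-system'; example.invalid is a placeholder host.
pipeline {
    agent any
    stages {
        stage('Call external system') {
            steps {
                withCredentials([usernamePassword(credentialsId: 'external-system',
                                                  usernameVariable: 'EXT_USER',
                                                  passwordVariable: 'EXT_PASS')]) {
                    // Form that logs the warning: Groovy expands $EXT_USER and
                    // $EXT_PASS inside the double-quoted string *before* the
                    // command reaches the shell, so the secret is embedded in the
                    // step's argument and in the resulting process command line.
                    // (Before the fix discussed here, EXT_USER alone was enough
                    // to trigger it, because the plugin treated the username as a
                    // secret too.)
                    //
                    //   sh "curl -u $EXT_USER:$EXT_PASS https://example.invalid/api"

                    // Recommended form: a single-quoted Groovy string leaves the
                    // $EXT_USER / $EXT_PASS references literal; the shell expands
                    // them from the environment that withCredentials populated, the
                    // secret never appears in the step argument, and no warning is
                    // logged. Double-quoting inside the shell string protects
                    // values containing spaces or shell metacharacters.
                    sh 'curl -u "$EXT_USER:$EXT_PASS" https://example.invalid/api'
                }
            }
        }
    }
}
```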


          Tim Jacomb added a comment -

          cc dnusbaum carroll

          Devin Nusbaum added a comment -

          This is essentially a duplicate of JENKINS-44860. credentials-binding treats both usernames and passwords as secrets, so I think the fix would be to allow users to change the behavior of that plugin.


          Warren Humphreys added a comment - edited

          This is not a duplicate of JENKINS-44860, which is purely to resolve the masking of usernames in the output. The fix implemented in JENKINS-44860 does not remove the "Warning: A secret was passed to "sh" using Groovy String interpolation, which is insecure." warning.

          dnusbaum, can the duplicate link be removed and the Jira reopened please?

          Devin Nusbaum added a comment -

          woz I think that it was just an accidental oversight that this was not fixed when JENKINS-44860 was fixed. I filed https://github.com/jenkinsci/credentials-binding-plugin/pull/141 as a minor extension to the fix for that issue to address this issue.

          Also just FYI, I think anyone with an account on Jira can reopen tickets/change links.


          Kalle Niemitalo added a comment -

          See also INFRA-2494 regarding Jira permissions.

          Warren Humphreys added a comment -

          dnusbaum, apologies, I missed your earlier update. Thanks for re-opening; I wasn't sure on etiquette - will do it myself next time. Thanks jglick for the fix.

            Assignee: Devin Nusbaum (dnusbaum)
            Reporter: Friedrich Clausen (ftclausen)