Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-64631

String interpolation warning too broad; should apply to only passwords not usernames as well.


    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Minor Minor
    • core
    • None
    • Jenkins version: 2.263.1
      OS: Linux - Official Jenkins docker image from Dockerhub jenkins/jenkins
      JDK master: openjdk version "1.8.0_242" (as bundled in image)
    • 1.27

      Note: I am aware of JENKINS-64282 but this concerns an empty default parameter which seems to be a different situation.

      Jenkins is logging a warning as follows:

      [2021-01-13T09:00:47.805Z] Warning: A secret was passed to "sh" using Groovy String interpolation, which is insecure.
      [2021-01-13T09:00:47.808Z]               Affected argument(s) used the following variable(s): [SOME_USERNAME]

      One of our credentials uses "jenkins" as a username needed by some jobs to speak to an external system. This new warning appears with any use of the string "jenkins" even if it was not sourced and interpolated from the actual secret.

      The credential in question is a "Username with password" type being sourced from a "usernamePassword" Groovy Jenkinsfile step.

      Can this warning only apply to the password itself? Or could there be an opt-in option whereby this warning can be limited to only the password string?

            dnusbaum Devin Nusbaum
            ftclausen Friedrich Clausen
            0 Vote for this issue
            7 Start watching this issue