String interpolation warning too broad; should apply to only passwords not usernames as well.

    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Component/s: core
    • Environment:
      Jenkins version: 2.263.1
      OS: Linux - Official Jenkins docker image from Dockerhub jenkins/jenkins
      JDK master: openjdk version "1.8.0_242" (as bundled in image)
    • 1.27

      Note: I am aware of JENKINS-64282 but this concerns an empty default parameter which seems to be a different situation.

      Jenkins is logging a warning as follows:

      [2021-01-13T09:00:47.805Z] Warning: A secret was passed to "sh" using Groovy String interpolation, which is insecure.
      [2021-01-13T09:00:47.808Z]               Affected argument(s) used the following variable(s): [SOME_USERNAME]
      

      One of our credentials uses "jenkins" as a username needed by some jobs to speak to an external system. This new warning appears with any use of the string "jenkins" even if it was not sourced and interpolated from the actual secret.

      The credential in question is a "Username with password" type being sourced from a "usernamePassword" Groovy Jenkinsfile step.

      Can this warning only apply to the password itself? Or could there be an opt-in option whereby this warning can be limited to only the password string?

            Assignee:
            Devin Nusbaum
            Reporter:
            Friedrich Clausen
            Archiver:
            Jenkins Service Account

              Created:
              Updated:
              Resolved:
              Archived:
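
The situation in the report, sketched as a scripted Jenkinsfile. This is an added example, not code from the issue or from the Jenkins project. The credential ID `external-system-creds`, the variable `SOME_PASSWORD`, the local variable `serviceUser` and the URL are assumptions; the credential's username is assumed to be "jenkins", as in the report.

```groovy
node {
    withCredentials([usernamePassword(
            credentialsId: 'external-system-creds',   // assumed ID
            usernameVariable: 'SOME_USERNAME',
            passwordVariable: 'SOME_PASSWORD')]) {

        // Double quotes: Groovy interpolates both values into the command
        // string before "sh" receives it. This is the pattern the
        // "Groovy String interpolation" warning is about.
        sh "curl -u ${SOME_USERNAME}:${SOME_PASSWORD} https://example.invalid/api"

        // Single quotes: Groovy passes the text through unchanged and the
        // shell expands the variables from the environment that
        // withCredentials sets up for the step.
        sh 'curl -u "$SOME_USERNAME:$SOME_PASSWORD" https://example.invalid/api'

        // The case the reporter describes: a value that equals the
        // credential's username but was not sourced from the credential.
        // According to the report, the warning names SOME_USERNAME here too.
        def serviceUser = 'jenkins'
        sh "id ${serviceUser}"
    }
}
```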