- Type: Bug
- Resolution: Not A Defect
- Priority: Minor
- Component/s: credentials-binding-plugin, workflow-cps-plugin
- None
- Environment: Jenkins 2.296, credentials-binding 1.27.1, credentials 2.6.1
Straight to example:
    withCredentials([usernamePassword(
        credentialsId: 'PVS-credentials',
        usernameVariable: 'PVS_USER',
        passwordVariable: 'PVS_SERIAL'
    )]) {
        node('meta-job') {
            writeFile(
                file: 'config.ini',
                text: "${PVS_USER}\n${PVS_SERIAL}\n${JOB_NAME}-${BUILD_NUMBER}",
            )
        }
    }
This causes:
    17:43:29 Warning: A secret was passed to "writeFile" using Groovy String interpolation, which is insecure.
    17:43:29 Affected argument(s) used the following variable(s): [PVS_SERIAL, PVS_USER]
    17:43:29 See https://jenkins.io/redirect/groovy-string-interpolation for details.
Yes, writing credentials to files is bad, but unfortunately there are examples of software that operate like this, so... What do? Storing whole files as secrets is not an option (they may contain additional dynamic data), and I would rather not dig into various templaters like Jinja or Groovy's in-house one.
- relates to
  - JENKINS-67786 Warning about secrets in string interpolation ignores concatenated strings (Resolved)
  - JENKINS-63254 Warn against using secrets in groovy strings (Resolved)
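One way to produce the same config.ini without Groovy interpolating the secrets is to pass a single-quoted script to the `sh` step, so the agent's shell expands the variables that `withCredentials` binds into the environment. This is an added example, not the reporter's code or the plugin's own; it assumes the 'meta-job' agent provides a POSIX shell, and the cleanup step and the placeholder comment for the consuming tool are illustrative.

```groovy
withCredentials([usernamePassword(
    credentialsId: 'PVS-credentials',
    usernameVariable: 'PVS_USER',
    passwordVariable: 'PVS_SERIAL'
)]) {
    node('meta-job') {
        try {
            // Single-quoted Groovy string: Groovy hands the text to the step
            // unchanged, so the secret values never become part of the step
            // argument. The shell on the agent reads them from its environment.
            sh '''
                set +x      # the sh step traces commands by default; stop before expanding secrets
                umask 077   # create config.ini readable by the build user only
                printf '%s\\n%s\\n%s-%s' "$PVS_USER" "$PVS_SERIAL" "$JOB_NAME" "$BUILD_NUMBER" > config.ini
            '''
            // Placeholder: run the tool that reads config.ini here.
        } finally {
            // Remove the plaintext credentials from the workspace when done.
            sh 'rm -f config.ini'
        }
    }
}
```

The `\\n` is a Groovy escape for a literal backslash-n, which `printf` on the agent then turns into a newline, giving the same three-part layout as the original `writeFile` text.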