Warning about secrets in string interpolation ignores concatenated strings

XMLWordPrintable

    • Type: Bug
    • Resolution: Won't Fix
    • Priority: Minor
    • Component/s: workflow-cps-plugin
    • None
    • Environment:
      Jenkins 2.296
      credentials-binding 1.27.1
      credentials 2.6.1
      workflow-cps 2.94

      This snippet causes a warning:

          withCredentials([
        usernamePassword(
            credentialsId: 'jenkins-ldap',
            usernameVariable: 'LDAP_USERNAME',
            passwordVariable: 'LDAP_PASSWORD'
        )
    ]) {
        sh script: "echo ${LDAP_USERNAME}"
    }
  

      18:27:26 Warning: A secret was passed to "sh" using Groovy String interpolation, which is insecure.
      18:27:26 Affected argument(s) used the following variable(s): [LDAP_USERNAME]

       

      This does not:

          withCredentials([
        usernamePassword(
            credentialsId: 'jenkins-ldap',
            usernameVariable: 'LDAP_USERNAME',
            passwordVariable: 'LDAP_PASSWORD'
        )
    ]) {
        sh script: "echo " + "${LDAP_USERNAME}"
    }

       

      Also tested on the fresh installation of Jenkins (2.324), the behavior is the same with workflow-cps 2648.va9433432b33c

            Assignee:
            Unassigned
            Reporter:
            Artalus S.
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: