When I'm masing a password by using MaskPasswordsBuildWrapper the password will be shown with ***** on the jenkins console, while in the blue ocean on the step header description (class="result-item-label-desc")

       

       

      how to reproduce 

      wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: app_password, var: 'SECRET']]]) {      
        def APP_TOKEN = sh(returnStdout: true, script: "curl -fsSL -X POST "$APP_URL\" -H 'Content-Type: application/json' --data {\"email\":\"user@bla.com\",\"password\":\"$app_password\"}' | jq -r data.token").trim()
      }
      

       

       

          [JENKINS-68062] blueocean not respect masked passwords

          You need to use  the function withCredentials() and do the the command inside the closure

           

          withCredentials(...)

          {   ... your thinks ... }

           

          see also

          https://www.youtube.com/watch?v=yfjtMIDgmfs

          Martin Pokorny added a comment - You need to use  the function withCredentials() and do the the command inside the closure   withCredentials(...) {   ... your thinks ... }   see also https://www.youtube.com/watch?v=yfjtMIDgmfs

          dor s added a comment -

          Hi mpokornyetm ,

          Thank you for your reply, but what I'm trying to do is to mask a dynamic variable value (in my case app_password) in run time, without keeping it on the credentials store.

           

          I couldn't find a way to use the method withCredentials() on run time variable (in my case app_password), because withCredentials() is looking for a credentialsId from the secret store, and my app_password variable value is dynamic and created in run time.

           

          Therefore, I had to use MaskPasswordsBuildWrapper method, and it seems that the blueocean header description is not respect it, while the console log respect it and masking the value of the variable app_password 

          dor s added a comment - Hi mpokornyetm  , Thank you for your reply, but what I'm trying to do is to mask a dynamic variable value (in my case app_password ) in run time, without keeping it on the credentials store.   I couldn't find a way to use the method  withCredentials () on run time variable (in my case app_password ), because withCredentials() is looking for a  credentialsId from the secret store, and my  app_password  variable value is dynamic and created in run time.   Therefore, I had to use  MaskPasswordsBuildWrapper method, and it seems that the blueocean header description is not respect it, while the console log respect it and masking the value of the variable  app_password  

          I does not know how the MaskPasswordsBuildWrapper  works. May be a workaround like set credentials dynamically in your pipe will help ??

          Martin Pokorny added a comment - I does not know how the  MaskPasswordsBuildWrapper   works. May be a workaround like set credentials dynamically in your pipe will help ??

          dor s added a comment -

          Hi mpokornyetm ,

          instead of "interrupting" the Jenkins secret store with multiple jobs that are run in parallel, and can cause race condition or some leftovers, it will be awesome to mask any dynamic string var in run time.

          alternative solution might be hiding the blue ocean step description, but I can't find a way to achieve this also. 

          dor s added a comment - Hi  mpokornyetm  , instead of "interrupting" the Jenkins secret store with multiple jobs that are run in parallel, and can cause race condition or some leftovers, it will be awesome to mask any dynamic string var in run time. alternative solution might be hiding the blue ocean step description, but I can't find a way to achieve this also. 

          I am not sure why you think it can raise a condition. We use this function in several scopes / function s... And it works as well.

           

          About blue ocean. Yes you true, it shall be better. There a re a lot of thinks, like trimmed stage names / parallel in parallel or performance issues. But I think this is other discussion.

           

          Anyway the best way to hide userNames && PWs is tu use the function withCredentials(...).

           

          Martin Pokorny added a comment - I am not sure why you think it can raise a condition. We use this function in several scopes / function s... And it works as well.   About blue ocean. Yes you true, it shall be better. There a re a lot of thinks, like trimmed stage names / parallel in parallel or performance issues. But I think this is other discussion.   Anyway the best way to hide userNames && PWs is tu use the function withCredentials(...).  

          Brian Beversdorf added a comment - - edited

          FWIW. I do not see a "dynamic" password being leaked when I used var 'PASSWORD' (versus 'SECRET'). Also, since Jenkins uses the same string interpolation as Groovy, it is suggested to use single quotes [Source].

          EX:
           

          script { env.NEW_PASSWORD = 'secret' }
          wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: "$NEW_PASSWORD", var: 'PASSWORD']]]){
              echo 'Showing $NEW_PASSWORD'
              sh 'echo $NEW_PASSWORD'
          }

           
          Output:

          [Pipeline] script[Pipeline]
          {[Pipeline] }
          [Pipeline] // script[Pipeline] maskPasswords[Pipeline]
          {[Pipeline] echoShowing $NEW_PASSWORD[Pipeline] sh+ echo ******** ********[Pipeline] }
          [Pipeline] // maskPasswords
          

           
          BO Output:
           

          Brian Beversdorf added a comment - - edited FWIW. I do not see a "dynamic" password being leaked when I used var 'PASSWORD' (versus 'SECRET'). Also, since Jenkins uses the same string interpolation as Groovy, it is suggested to use single quotes [Source ]. EX:   script { env.NEW_PASSWORD = 'secret' } wrap([$class: 'MaskPasswordsBuildWrapper' , varPasswordPairs: [[password: "$NEW_PASSWORD" , var : 'PASSWORD' ]]]){ echo 'Showing $NEW_PASSWORD'     sh 'echo $NEW_PASSWORD' }   Output: [Pipeline] script[Pipeline] {[Pipeline] } [Pipeline] // script[Pipeline] maskPasswords[Pipeline] {[Pipeline] echoShowing $NEW_PASSWORD[Pipeline] sh+ echo ******** ********[Pipeline] } [Pipeline] // maskPasswords   BO Output:  

          Colin added a comment -

          Confirming this issue still applies to the current blueocean.

           

          Yes we should use "withCredentials()" but we should also block passwords from being shown.

          Colin added a comment - Confirming this issue still applies to the current blueocean.   Yes we should use "withCredentials()" but we should also block passwords from being shown.

            Unassigned Unassigned
            dordor dor s
            Votes:
            1 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated: