JENKINS-71509

ssh-steps plugin leaking credentials to log when using plugin gradle 2.7

Type: Bug
Priority: Major
Resolution: Fixed

      After updating the gradle-plugin to version 2.8, we encountered an issue where credentials were leaked to the build log when using sshCommand from ssh-steps.

      Example Jenkinsfile to reproduce:

      def vaultSecrets = [
              [path: 'gradle-cred-leak', secretValues: [
                      [envVar: 'TEST_ID', vaultKey: 'TEST_ID'],
                      [envVar: 'TEST_KEY', vaultKey: 'TEST_KEY']]]
      ]
      def remote = [:]

      pipeline {
        agent {
          kubernetes {
            yamlFile '.ci/build-pod.yaml'
          }
        }
        options {
          buildDiscarder(logRotator(numToKeepStr: '7'))
          disableConcurrentBuilds()
          timeout(time: 10, unit: 'MINUTES')
          ansiColor('xterm')
        }
        stages {
          stage('Init') {
            steps {
              withVault(vaultSecrets: vaultSecrets) {
                script {
                  // single quotes: $(...) is shell command substitution, not Groovy interpolation
                  sh 'useradd -p $(openssl passwd -1 testpw) test'
                  // preparation for ssh connection
                  remote.name = 'test'
                  remote.host = 'localhost'
                  remote.user = 'test'
                  remote.password = 'testpw'
                  remote.allowAnyHosts = true
                  // script to give env vars over ssh connection
                  // (binding variable, so it stays visible in the next stage)
                  testVars = """
          export TEST_ID=${TEST_ID}
          export TEST_KEY=${TEST_KEY}
          """
                }
              }
            }
          }
          stage('Create backup') {
            steps {
              withVault(vaultSecrets: vaultSecrets) {
                echo 'configuring Restic...'
                sshCommand remote: remote, command: testVars + 'echo \\"initialised\\"'
              }
            }
          }
        }
      }


      When run, this should simply export some environment variables on a remote machine. Before the command is executed, sshCommand will log the command to the build log:

      with gradle 2.8:

      ...
      [Pipeline] echo
      configuring Restic ...
      [Pipeline] sshCommand
      Warning: A secret was passed to "sshCommand" using Groovy String interpolation, which is insecure.
      		 Affected argument(s) used the following variable(s): [TEST_ID, TEST_KEY]
      		 See https://jenkins.io/redirect/groovy-string-interpolation for details.
      Executing command on test[localhost]: 
          export TEST_ID=123
          export TEST_KEY=abc
          echo \"initialised\" sudo: false 
      ...

      with gradle 2.7:

      ...
      [Pipeline] echo
      configuring Restic ...
      [Pipeline] sshCommand
      Warning: A secret was passed to "sshCommand" using Groovy String interpolation, which is insecure.
      		 Affected argument(s) used the following variable(s): [TEST_ID, TEST_KEY]
      		 See https://jenkins.io/redirect/groovy-string-interpolation for details.
      Executing command on test[localhost]: 
          export TEST_ID=****
          export TEST_KEY=****
          echo \"initialised\" sudo: false 
      ...
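      The two logs differ only in whether the echoed command is masked. As an added example (not code from the report or from the ssh-steps plugin), the following Python masks known secret values in log text and flags lines where a value still appears, using the sample values 123 and abc from the 2.8 output above as constructed secrets; it goes slightly beyond the report by also covering URL-encoded and base64 spellings of each secret.

```python
import base64
import re
from urllib.parse import quote

MASK = "****"


def secret_forms(secret):
    """Spellings of one secret that would still disclose it in a log: plain, URL-encoded, base64."""
    forms = {secret, quote(secret, safe=""), base64.b64encode(secret.encode()).decode()}
    return {f for f in forms if len(f) >= 3}  # very short forms would mask unrelated text


def mask_secrets(text, secrets):
    """Replace every form of every secret with MASK, longest form first, so that a secret
    which is a prefix of another cannot leave the remainder exposed."""
    forms = set().union(*(secret_forms(s) for s in secrets))
    if not forms:
        return text
    pattern = re.compile("|".join(re.escape(f) for f in sorted(forms, key=len, reverse=True)))
    return pattern.sub(MASK, text)


def find_leaks(log, secrets):
    """Return (line number, line) for each log line that still contains a secret form;
    the 2.8 output in the report would fail this check, the 2.7 output would pass."""
    forms = set().union(*(secret_forms(s) for s in secrets))
    return [(n, line) for n, line in enumerate(log.splitlines(), 1)
            if any(f in line for f in forms)]


# Constructed sample in the shape of the 2.8 log above, with the report's sample values as secrets.
SECRETS = ["123", "abc"]
LEAKED_LOG = """\
[Pipeline] sshCommand
Executing command on test[localhost]:
    export TEST_ID=123
    export TEST_KEY=abc
    echo \\"initialised\\" sudo: false
"""

if __name__ == "__main__":
    for n, line in find_leaks(LEAKED_LOG, SECRETS):
        print(f"leak on line {n}: {line}")
    print(mask_secrets(LEAKED_LOG, SECRETS))
```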


      People: atual (Alexis), leon_schiesswald (Leon Schiesswald)