Improvement
Resolution: Unresolved
Minor
None
Using withCredentials with usernameColonPassword only masks credentials in the USERNAME:PASSWORD format, but when they're used, applications can print them in a different format (only the password or only the username).
Reproduction Steps
In this example I'm leaking the username, as I'm not aware of applications which could leak the password.
Create a Username with password credentialsId with basic-cred as ID
Check "Treat username as secret"
Create a pipeline with the following script:
pipeline {
    agent any
    stages {
        stage('HTTP Request') {
            steps {
                withCredentials([usernameColonPassword(credentialsId: 'basic-cred', variable: 'BASIC_AUTH')]) {
                    sh '''
                        curl -v https://$BASIC_AUTH@google.com
                    '''
                }
            }
        }
    }
}
Build it and go to the build log
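A small Python model of the masking gap described in this report, added here as an illustration; it is not Jenkins or Credentials Binding plugin code. The credential values, host name and log lines are constructed, and the hardened variant (masking each component as well as the combined string) is an assumption about one possible fix.

```python
import re

# Constructed sample values; not real credentials.
USERNAME = "svc-deploy"
PASSWORD = "s3cr3t-Pa55"
COMBINED = f"{USERNAME}:{PASSWORD}"

# Constructed log lines modelled on curl -v output for a URL with userinfo.
SAMPLE_LOG = [
    f"+ curl -v https://{COMBINED}@example.invalid",
    f"* Server auth using Basic with user '{USERNAME}'",
    "> GET / HTTP/1.1",
]

def build_masker(secrets):
    """Return a function replacing every listed secret with ****."""
    # Longest first so the combined form is consumed before its parts.
    ordered = sorted({s for s in secrets if s}, key=len, reverse=True)
    if not ordered:
        return lambda line: line
    pattern = re.compile("|".join(re.escape(s) for s in ordered))
    return lambda line: pattern.sub("****", line)

def leaked(lines, secrets):
    """List (line_number, secret) pairs still visible after masking."""
    return [(i, s) for i, line in enumerate(lines, 1) for s in secrets if s in line]

def run(secrets_to_mask):
    """Mask SAMPLE_LOG with the given secrets and report what still leaks."""
    mask = build_masker(secrets_to_mask)
    masked = [mask(line) for line in SAMPLE_LOG]
    return masked, leaked(masked, [USERNAME, PASSWORD])

# Behaviour reported in the issue: only the USERNAME:PASSWORD string is masked.
combined_only, combined_leaks = run([COMBINED])
# Hardened model (assumption): also register each component as its own secret.
hardened, hardened_leaks = run([COMBINED, USERNAME, PASSWORD])

if __name__ == "__main__":
    for title, lines in (("combined only", combined_only), ("hardened", hardened)):
        print(f"--- {title} ---")
        print("\n".join(lines))
```

The `leaked` helper can also serve as a post-build check over a real console log to flag any credential component that survived masking.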