[JENKINS-8524] maven release build exposes users' username and password

Type: Bug
Resolution: Fixed
Priority: Major
Component/s: m2release-plugin
Labels:
None
Environment:

Hide
Aplies for all versions so for and other OS's.

System info:
Tomcat 5.5
file.encoding UTF-8
file.encoding.pkg sun.io
file.separator /
java.awt.graphicsenv sun.awt.X11GraphicsEnvironment
java.awt.headless true
java.awt.printerjob sun.print.PSPrinterJob
java.class.version 50.0
java.naming.factory.initial org.apache.naming.java.javaURLContextFactory
java.naming.factory.url.pkgs org.apache.naming
java.runtime.name Java(TM) SE Runtime Environment
java.runtime.version 1.6.0_16-b01
java.specification.name Java Platform API Specification
java.specification.vendor Sun Microsystems Inc.
java.specification.version 1.6
java.util.logging.manager org.apache.juli.ClassLoaderLogManager
java.vendor Sun Microsystems Inc.
java.vendor.url http://java.sun.com/
java.vendor.url.bug http://java.sun.com/cgi-bin/bugreport.cgi
java.version 1.6.0_16
java.vm.info mixed mode
java.vm.name Java HotSpot(TM) 64-Bit Server VM
java.vm.specification.name Java Virtual Machine Specification
java.vm.specification.vendor Sun Microsystems Inc.
java.vm.specification.version 1.0
java.vm.vendor Sun Microsystems Inc.
java.vm.version 14.2-b01
line.separator
os.arch amd64
os.name Linux
os.version 2.6.28-11-server
sun.arch.data.model 64
sun.cpu.endian little
sun.cpu.isalist
sun.io.unicode.encoding UnicodeLittle
sun.jnu.encoding UTF-8
sun.management.compiler HotSpot 64-Bit Server Compiler
sun.os.patch.level unknown
svnkit.ssh2.persistent false
tomcat.util.buf.StringCache.byte.enabled true
user.country US
user.language en
user.name hudson
user.timezone Europe/Amsterdam

Show
Aplies for all versions so for and other OS's. System info: Tomcat 5.5 file.encoding UTF-8 file.encoding.pkg sun.io file.separator / java.awt.graphicsenv sun.awt.X11GraphicsEnvironment java.awt.headless true java.awt.printerjob sun.print.PSPrinterJob java.class.version 50.0 java.naming.factory.initial org.apache.naming.java.javaURLContextFactory java.naming.factory.url.pkgs org.apache.naming java.runtime.name Java(TM) SE Runtime Environment java.runtime.version 1.6.0_16-b01 java.specification.name Java Platform API Specification java.specification.vendor Sun Microsystems Inc. java.specification.version 1.6 java.util.logging.manager org.apache.juli.ClassLoaderLogManager java.vendor Sun Microsystems Inc. java.vendor.url http://java.sun.com/ java.vendor.url.bug http://java.sun.com/cgi-bin/bugreport.cgi java.version 1.6.0_16 java.vm.info mixed mode java.vm.name Java HotSpot(TM) 64-Bit Server VM java.vm.specification.name Java Virtual Machine Specification java.vm.specification.vendor Sun Microsystems Inc. java.vm.specification.version 1.0 java.vm.vendor Sun Microsystems Inc. java.vm.version 14.2-b01 line.separator os.arch amd64 os.name Linux os.version 2.6.28-11-server sun.arch.data.model 64 sun.cpu.endian little sun.cpu.isalist sun.io.unicode.encoding UnicodeLittle sun.jnu.encoding UTF-8 sun.management.compiler HotSpot 64-Bit Server Compiler sun.os.patch.level unknown svnkit.ssh2.persistent false tomcat.util.buf.StringCache.byte.enabled true user.country US user.language en user.name hudson user.timezone Europe/Amsterdam

Similar Issues:
Powered by SuggestiMate

Show

When you specify a custom username and password to be used in a maven release build (using the option 'Specify SCM login/password'), the filled in username and password can be read by anyone who can Configure the build. If you run a release build and then, while it is still runnning, you configure the build plan, the see that the 'Goals and options' have changed to the one which are currently used for the release build.

So in my case this then shows: -Dpassword=*** -Dusername=*** -Dproject.rel.<groupId>:<artifactId>=<release-version> -Dproject.dev.<groupId>:<artifactId>=<development-version> -Dresume=false release:prepare release:perform

It seems the m2 release plugin is using the 'Goals and options' field to manage the parameters the release build.

A workaround could be to mask these credentials in the 'Goals and options' fields.

duplicates

JENKINS-8572 Credentials visable in UI and configuration gets corrupted

Closed

whermeling created issue - 2011-01-17 01:55

James Nord made changes - 2011-03-10 22:58

Link

New: This issue duplicates ~~JENKINS-8572~~ [ ~~JENKINS-8572~~ ]

Dominik Bartholdi made changes - 2012-02-18 09:53

Assignee	Original: James Nord [ teilo ]	New: Dominik Bartholdi [ domi ]
Resolution		New: Fixed [ 1 ]
Status	Original: Open [ 1 ]	New: Resolved [ 5 ]

James Nord made changes - 2013-06-04 19:00

Status

Original: Resolved [ 5 ]

New: Closed [ 6 ]

R. Tyler Croy made changes - 2016-07-25 23:59

Workflow

Original: JNJira [ 138634 ]

New: JNJira + In-Review [ 204837 ]

Assignee:: Dominik Bartholdi

Reporter:: whermeling

Votes:: 4 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2011-01-17 01:55

Updated:: 2013-06-04 19:00

Resolved:: 2012-02-18 09:53

Jenkins

Details

Description

Attachments

Issue Links

Activity

People

Dates