  1. Jenkins
  2. JENKINS-19416

m2 release plugin exposes SCM password in release.properties file


      Description

      When executing a Maven release build using the m2 release plugin, a release.properties file is created in the workspace that has the SCM user/password credentials in plain text. In our Jenkins instance this is a problem since we have multiple users with access to release the same job. The release.properties is removed after the release build is successful. If the release build fails, the release.properties stays in the workspace until it's manually deleted. This allows other users to see SCM passwords in our organization if they view the workspace during a release build or after one fails.

      This issue is similar to another bug that was resolved in a previous version 0.9.0: https://issues.jenkins-ci.org/browse/JENKINS-8524

      If anyone has viable workarounds/solutions we can use in the meantime that would also be appreciated.

          Activity

          teilo James Nord added a comment -

          This is an issue with the Apache Maven maven-release-plugin that is exposed by the Jenkins m2release plugin. Please file an issue against this component (it should at least obfuscate the password, or use settings encryption if available).

          mmaun Mark Maun added a comment -

          Ticket created here: http://jira.codehaus.org/browse/MRELEASE-846

          teilo James Nord added a comment -

          This is supposedly now fixed upstream in 2.4.2.

          teilo James Nord added a comment -

          Closing as upstream maven-release-plugin has implemented obfuscation of passwords and passPhrases if Maven encryption has been enabled.

          neophyte neo phyte added a comment -

          Has anyone succeeded using Maven encryption for svn credentials to use with maven-release-plugin?

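A workspace audit for the exposure described in this issue, added here as an example (not code from this thread, the m2release plugin or maven-release-plugin): it walks a workspace root, finds leftover release.properties files, and reports whether each SCM secret is stored in plaintext or in encrypted form, without ever returning the value. The key names `scm.password` and `scm.passphrase`, the `{...}` wrapper for Maven-encrypted values, and the sample files are assumptions.

```python
import os
import re
import tempfile

SECRET_KEYS = ("scm.password", "scm.passphrase")  # assumed key names
ENCRYPTED = re.compile(r"^\{.+\}$")  # assumed: Maven-encrypted values look like {...}

def parse_properties(text):
    """Minimal .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit_workspaces(root):
    """Return sorted (relative path, key, status) tuples; never the secret itself."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "release.properties" in files:
            path = os.path.join(dirpath, "release.properties")
            with open(path, encoding="iso-8859-1") as fh:
                props = parse_properties(fh.read())
            for key in SECRET_KEYS:
                if props.get(key):
                    status = "encrypted" if ENCRYPTED.match(props[key]) else "plaintext"
                    findings.append((os.path.relpath(path, root), key, status))
    return sorted(findings)

def demo():
    """Audit a constructed workspace tree: one plaintext file, one encrypted."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed sample files, not real credentials
            "job-a": "scm.username=builder\nscm.password=constructed-secret\n",
            "job-b": "scm.username=builder\nscm.password={Q29uc3RydWN0ZWQ\\=}\n",
        }
        for job, body in samples.items():
            os.makedirs(os.path.join(root, job))
            with open(os.path.join(root, job, "release.properties"), "w") as fh:
                fh.write(body)
        return audit_workspaces(root)

if __name__ == "__main__":
    print("\n".join("%-9s %-14s %s" % (s, k, p) for p, k, s in demo()))
```

To check a real instance, call `audit_workspaces()` on the directory that holds the job workspaces; any `plaintext` finding is a file left behind by a running or failed release build.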

            People

            • Assignee:
              teilo James Nord
              Reporter:
              mmaun Mark Maun