JENKINS-28790: Sonar database credentials in build console output not masked since LTS version 1.596.3

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Component/s: core
    • Environment:
      Jenkins LTS 1.596.3 / 1.609.1 / 1.609.2 / 1.609.3
      SonarQube plugin version 2.2.1
      Windows 2012 R2
      Java 8
      Browser FireFox

      Description

      When using Jenkins LTS version 1.596.3 / 1.609.1 / 1.609.2 / 1.609.3 we've noticed that the passwords from Sonar builds in the buildlog weren't masked anymore but showed as plain text.
      After we downgraded Jenkins to version 1.596.2 the passwords were masked again.
      I've tested several versions of the SonarQube plugin but that didn't have any effect, therefore it seems to be a Jenkins related issue.

            Activity

            janjaap Jan-Jaap Spijkerman created issue -
            danielbeck Daniel Beck added a comment -

            Are all plugins also the same version between 1.596.2/1.596.3?

            danielbeck Daniel Beck added a comment -

            Are these 'Maven top-level target' build steps in Maven or Freestyle projects? Or what kind of project/build step is affected?

            olivergondza Oliver Gondža added a comment -

            Can you post surrounding build log lines (with your password erased of course) so we can investigate?

            janjaap Jan-Jaap Spijkerman added a comment -

            All plugin versions used remained the same.
            Here is a part of the logging:

            [xxx_xxxxx-xxxxx-xxxxx_sonar] $ D:\Buildtools\Apache_Maven\Apache-Maven-3.2.5\bin\mvn.bat -f D:\Jenkins_Slave1\workspace\xxx_xxxxx-xxxxx-xxxxx_sonar\pom.xml -e -B xxxxx:xxxxx -Dsonar.jdbc.url=jdbc:jtds:sqlserver://xxxxx;databaseName=xxxxx;SelectMethod=Cursor xxxxx xxxxx -Dsonar.host.url=http://xxxxx.xxxxx.xx:9000 xxxxx xxxxx
            [INFO] Error stacktraces are turned on.
            [INFO] Scanning for projects...

            janjaap Jan-Jaap Spijkerman made changes -
            Field: Description
            Original Value: When using version 1.596.3 and 1.609.1 of Jenkins we noticed that the passwords by Sonar builds weren't masked anymore but showed as plain text.
            After we downgraded Jenkins to version 1.596.2 again the passwords were masked again.
            I've tested several versions of the SonarQube plugin but that didn't have any effect, therefore it seems to be a Jenkins related issue.
            New Value: When using version 1.596.3 or 1.609.1 of Jenkins we noticed that the passwords by Sonar builds in the buildlog weren't masked anymore but showed as plain text.
            After we downgraded Jenkins to version 1.596.2 the passwords were masked again.
            I've tested several versions of the SonarQube plugin but that didn't have any effect, therefore it seems to be a Jenkins related issue.
            janjaap Jan-Jaap Spijkerman made changes -
            Field: Labels
            New Value: jenkins sonar sonar-plugin
            janjaap Jan-Jaap Spijkerman made changes -
            Field: Environment
            Original Value: Jenkins 1.596.3 and 1.609.1
            SonarQube plugin version 2.2.1
            Windows 2012 R2
            Java 8
            Browser FireFox
            New Value: Jenkins LTS 1.596.3 / 1.609.1 / 1.609.2 / 1.609.3
            SonarQube plugin version 2.2.1
            Windows 2012 R2
            Java 8
            Browser FireFox
            janjaap Jan-Jaap Spijkerman made changes -
            Field: Description
            Original Value: When using version 1.596.3 or 1.609.1 of Jenkins we noticed that the passwords by Sonar builds in the buildlog weren't masked anymore but showed as plain text.
            After we downgraded Jenkins to version 1.596.2 the passwords were masked again.
            I've tested several versions of the SonarQube plugin but that didn't have any effect, therefore it seems to be a Jenkins related issue.
            New Value: When using Jenkins LTS version 1.596.3 / 1.609.1 / 1.609.2 / 1.609.3 we've noticed that the passwords from Sonar builds in the buildlog weren't masked anymore but showed as plain text.
            After we downgraded Jenkins to version 1.596.2 the passwords were masked again.
            I've tested several versions of the SonarQube plugin but that didn't have any effect, therefore it seems to be a Jenkins related issue.
            janjaap Jan-Jaap Spijkerman made changes -
            Field: Summary
            Original Value: Passwords in build console output not masked since LTS version 1.596.3
            New Value: Sonar database credentials in build console output not masked since LTS version 1.596.3
            janjaap Jan-Jaap Spijkerman added a comment -

            Any update on this? And why is this assigned to "Sonar Team", since this seems to be a problem introduced by Jenkins?
            I've tested newer Jenkins releases and they still have this issue; this prevents us from updating to a newer version.

            drtaddei Dave Taddei added a comment -

            Also in Jenkins 1.634, SonarQube plugin 2.2.1. This is a MAJOR issue for us. Any idea when this will be repaired?

            janjaap Jan-Jaap Spijkerman added a comment - - edited

            I've found the cause of this issue finally.

            The problem is caused by this change: https://github.com/jenkinsci/jenkins/commit/9e30f50065b8bb213c6571f325e5e1d5008281ce
            The solution for this is to revert the Maven.class file inside the jenkins-core-1.625.3.jar file.

            1. Extract jenkins-core-1.625.3.jar (Tomcat 8.0\webapps\ROOT\WEB-INF\lib)
            2. Go to the folder /hudson/tasks
            3. Replace the Maven.class file with the version out of Jenkins LTS 1.596.2
            4. Zip all folders again to get your .jar file again.
            5. Override your modded jenkins-core-1.625.3.jar file
            6. Start Jenkins

            The only thing that you have changed with this is removing the following source code from the Maven.class file:

            if (!launcher.isUnix()) {
                args = args.toWindowsCommand();
            }

            I'm not certain yet what the impact of this is though.

            danielbeck Daniel Beck made changes -
            Link This issue is related to JENKINS-26684 [ JENKINS-26684 ]
            danielbeck Daniel Beck added a comment -

            Seems the fix for JENKINS-26684 caused this.

            janjaap Jan-Jaap Spijkerman made changes -
            Component/s core [ 15593 ]
            Component/s sonar [ 15523 ]
            escoem Emilio Escobar added a comment -

            Hi Daniel Beck, before that (https://github.com/jenkinsci/jenkins/blob/master/core/src/main/java/hudson/tasks/Maven.java#L327) the ArgumentListBuilder has the masked arguments properly set, but by the execution of args = args.toWindowsCommand(); we are instantiating a new one with three args and none of them masked, as you can see: https://github.com/jenkinsci/jenkins/blob/master/core/src/main/java/hudson/util/ArgumentListBuilder.java#L352

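The masking loss described in the comment above, as an added example that is not part of the issue thread and not Jenkins code: a simplified stand-in for an argument list with per-argument mask bits, showing how re-wrapping the command as three unmasked arguments exposes a secret in the log line, next to a wrap that carries each mask bit across. The class `MaskedArgsDemo`, its methods and the sample values are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;

/** Simplified model of an argument list with per-argument masking (not Jenkins' ArgumentListBuilder). */
public class MaskedArgsDemo {
    static final class Args {
        final List<String> values = new ArrayList<>();
        final List<Boolean> masked = new ArrayList<>();

        Args add(String value, boolean mask) {
            values.add(value);
            masked.add(mask);
            return this;
        }

        /** What a build console would print: masked entries are replaced by asterisks. */
        String toLogLine() {
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < values.size(); i++) {
                if (i > 0) sb.append(' ');
                sb.append(masked.get(i) ? "********" : values.get(i));
            }
            return sb.toString();
        }

        /** Lossy wrap: all arguments are joined into one unmasked string, so the mask bits are dropped. */
        Args wrapJoined() {
            String joined = String.join(" ", values);
            return new Args().add("cmd.exe", false).add("/C", false)
                             .add("\"" + joined + "\"", false);
        }

        /** Mask-preserving wrap: each argument stays separate and keeps its own mask bit. */
        Args wrapPreservingMask() {
            Args out = new Args().add("cmd.exe", false).add("/C", false);
            for (int i = 0; i < values.size(); i++) {
                String v = values.get(i);
                if (i == 0) v = "\"" + v;                  // opening quote of the cmd /C string
                if (i == values.size() - 1) v = v + "\"";  // closing quote of the cmd /C string
                out.add(v, masked.get(i));
            }
            return out;
        }
    }

    public static void main(String[] args) {
        // Constructed sample command line; the password value is a placeholder.
        Args mvn = new Args()
                .add("mvn.bat", false)
                .add("-Dsonar.jdbc.url=jdbc:example", false)
                .add("-Dsonar.jdbc.password=EXAMPLE-SECRET", true);

        System.out.println("direct:    " + mvn.toLogLine());
        System.out.println("joined:    " + mvn.wrapJoined().toLogLine());
        System.out.println("preserved: " + mvn.wrapPreservingMask().toLogLine());
    }
}
```

Only the "joined" line prints the placeholder secret; a regression test for this class of bug asserts on the rendered log line after every transformation of the argument list, not just on the original builder.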
            escoem Emilio Escobar made changes -
            Field: Assignee
            Original Value: Sonar Team [ sonarteam ]
            New Value: Emilio Escobar [ escoem ]
            escoem Emilio Escobar made changes -
            Field: Status
            Original Value: Open [ 1 ]
            New Value: In Progress [ 3 ]
            escoem Emilio Escobar made changes -
            Remote Link This issue links to "PR (Web Link)" [ 13800 ]
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Emilio Escobar
            Path:
            core/src/main/java/hudson/util/ArgumentListBuilder.java
            core/src/test/java/hudson/util/ArgumentListBuilderTest.java
            http://jenkins-ci.org/commit/jenkins/b9a72bcd967fd8b0d422ccf81daf1de576702fd1
            Log:
            JENKINS-28790 solved the issue masked parameters not masked in windows system. toWindowsCommand joins all args in one, missing masked.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Emilio Escobar
            Path:
            core/src/test/java/hudson/util/ArgumentListBuilderTest.java
            http://jenkins-ci.org/commit/jenkins/7fb1ac9d9f1bc006ca9d90ccaef402eaba4404a2
            Log:
            JENKINS-28790 Baptiste comments fixed

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Emilio Escobar
            Path:
            core/src/main/java/hudson/util/ArgumentListBuilder.java
            http://jenkins-ci.org/commit/jenkins/5423f695ab83ec7d49daae538d25177872b0aada
            Log:
            JENKINS-28790 NIT: tabulation issue

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Emilio Escobar
            Path:
            core/src/main/java/hudson/util/ArgumentListBuilder.java
            http://jenkins-ci.org/commit/jenkins/344e917cc4a1096bb1805b14f0f2e45978b62757
            Log:
            JENKINS-28790 added valentina condition when the first argument is quoted.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            core/src/main/java/hudson/util/ArgumentListBuilder.java
            core/src/test/java/hudson/util/ArgumentListBuilderTest.java
            http://jenkins-ci.org/commit/jenkins/074890c09379b9b3254c71ab90b9db4b134c3628
            Log:
            Merge pull request #2015 from escoem/JENKINS-28790

            [FIX JENKINS-28790] Masked parameters are now hidden on Windows

            Compare: https://github.com/jenkinsci/jenkins/compare/2d9d7bbe214f...074890c09379

            scm_issue_link SCM/JIRA link daemon made changes -
            Field: Status
            Original Value: In Progress [ 3 ]
            New Value: Resolved [ 5 ]
            Field: Resolution
            New Value: Fixed [ 1 ]
            aheritier Arnaud Héritier made changes -
            Field: Labels
            Original Value: jenkins sonar sonar-plugin
            New Value: jenkins lts-candidate sonar sonar-plugin
            dogfood dogfood added a comment -

            Integrated in jenkins_main_trunk #4491

            Result = SUCCESS

            olivergondza Oliver Gondža made changes -
            Field: Labels
            Original Value: jenkins lts-candidate sonar sonar-plugin
            New Value: 1.651 jenkins sonar sonar-plugin
            olivergondza Oliver Gondža made changes -
            Field: Labels
            Original Value: 1.651 jenkins sonar sonar-plugin
            New Value: jenkins sonar sonar-plugin
            olivergondza Oliver Gondža made changes -
            Field: Labels
            Original Value: jenkins sonar sonar-plugin
            New Value: 1.651.1-fixed jenkins sonar sonar-plugin
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Emilio Escobar
            Path:
            core/src/main/java/hudson/util/ArgumentListBuilder.java
            core/src/test/java/hudson/util/ArgumentListBuilderTest.java
            http://jenkins-ci.org/commit/jenkins/0782aa567b4d2cf52aec5f5f5e0e8440c01edae4
            Log:
            JENKINS-28790 solved the issue masked parameters not masked in windows system. toWindowsCommand joins all args in one, missing masked.

            (cherry picked from commit b9a72bcd967fd8b0d422ccf81daf1de576702fd1)

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Emilio Escobar
            Path:
            core/src/test/java/hudson/util/ArgumentListBuilderTest.java
            http://jenkins-ci.org/commit/jenkins/f6db6670a8f9107f189fedc4fed07b1bbc6a7dc3
            Log:
            JENKINS-28790 Baptiste comments fixed

            (cherry picked from commit 7fb1ac9d9f1bc006ca9d90ccaef402eaba4404a2)

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Emilio Escobar
            Path:
            core/src/main/java/hudson/util/ArgumentListBuilder.java
            http://jenkins-ci.org/commit/jenkins/717c5f56bcaa8fcfae109dd87a7c6e4069a3baed
            Log:
            JENKINS-28790 NIT: tabulation issue

            (cherry picked from commit 5423f695ab83ec7d49daae538d25177872b0aada)

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Emilio Escobar
            Path:
            core/src/main/java/hudson/util/ArgumentListBuilder.java
            http://jenkins-ci.org/commit/jenkins/f24c536676fe9df50fd499b51c4b4ff2e6edc40c
            Log:
            JENKINS-28790 added valentina condition when the first argument is quoted.

            (cherry picked from commit 344e917cc4a1096bb1805b14f0f2e45978b62757)

            benapgar Ben Apgar made changes -
            Link This issue is related to JENKINS-33727 [ JENKINS-33727 ]
            rtyler R. Tyler Croy made changes -
            Field: Workflow
            Original Value: JNJira [ 163648 ]
            New Value: JNJira + In-Review [ 197266 ]

              People

              • Assignee: escoem Emilio Escobar
              • Reporter: janjaap Jan-Jaap Spijkerman
              • Votes: 7
              • Watchers: 10
