  1. Jenkins
  2. JENKINS-58394

Passwords are not masked in Maven multi-module downstream jobs

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Environment:
      Ubuntu (16)
      Jenkins (2.164.3) runs as a Docker container
      Maven – installed automatically (3.5.4)
      Maven Integration Plugin (3.3)
      Mask Password Plugin (2.12.0)

      Description

      Hi all, currently we are facing a problem within a Maven build project. It contains several modules, where each build will be triggered as a separate downstream job. Our credentials are configured as secret text and username/password combinations in the binding section of the parent build project. They are passed as additional properties within “goals and options” to the Maven build (e.g. clean install -Pprofile1 -Dpassword=${SECRET_PASSWORD}). In the first downstream job, Maven is logging all passed parameters UNMASKED, regardless of whether they are credentials or not.

      We already tried a couple of things, like configuring which parameters should be automatically masked, passing credentials by “Inject passwords to the build as environment variables” and “Mask passwords and regexes (and enable global passwords)”. Nevertheless, nothing seems to work.

      If we trigger the Maven build directly by using a Shell and no downstream build jobs are triggered, no credentials are exposed. Somehow Maven is logging our credentials in plain text only in downstream jobs.

       

      Example

      Console log of parent project_X__feature_X:

      15:14:46 Executing Maven: -B -f /home/jenkins-slave/workspace/feature_X/project_X/pom.xml -Dmaven.repo.local=/home/jenkins-slave/workspace/feature_X/.repository -s /tmp/settings.xml clean install sonar:sonar -Pprofile1 -Dparam1=**** -Dparam2=**** 
      15:14:49 [INFO] Scanning for projects...
      

      Console log of module 1 of project_X__feature_X:

      Executing Maven: -B -f /home/jenkins-slave/workspace/feature_X/project_X/pom.xml -Dmaven.repo.local=/home/jenkins-slave/workspace/feature_X/.repository -s /tmp/settings.xml clean install sonar:sonar -Pprofile1 -Dparam1=unmasked-password -Dparam2=unmasked-password 
      [INFO] Scanning for projects...
      
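An added example, not part of the original report or of any Jenkins plugin: a console-log check that flags `Executing Maven:` lines in which a sensitive `-D` property is not rendered as `****`. The property names in `SENSITIVE_PROPS` and the two sample logs (shortened from the lines quoted above) are assumptions made for illustration.

```python
import re
import shlex

# Assumption: names of the -D properties that carry secrets in this build.
SENSITIVE_PROPS = {"param1", "param2", "password"}
MASKED = re.compile(r"^\*+$")  # what a masked value looks like, e.g. "****"
EXEC_LINE = re.compile(r"^(?:\d{2}:\d{2}:\d{2}\s+)?Executing Maven:\s*(.*)$")

# Constructed sample logs, modelled on the parent and module-1 console output.
PARENT_LOG = (
    "15:14:46 Executing Maven: -B -f /ws/project_X/pom.xml -s /tmp/settings.xml "
    "clean install sonar:sonar -Pprofile1 -Dparam1=**** -Dparam2=****\n"
    "15:14:49 [INFO] Scanning for projects...\n"
)
MODULE_LOG = (
    "Executing Maven: -B -f /ws/project_X/pom.xml -Dmaven.repo.local=/ws/.repository "
    "clean install -Pprofile1 -Dparam1=unmasked-password -Dparam2=unmasked-password\n"
    "[INFO] Scanning for projects...\n"
)


def find_unmasked(log_text, sensitive=SENSITIVE_PROPS):
    """Return (line_no, property_name) for each sensitive -D value left unmasked.

    The value itself is never returned, so the report cannot leak it again.
    """
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        match = EXEC_LINE.match(line.strip())
        if not match:
            continue
        try:
            args = shlex.split(match.group(1))
        except ValueError:  # unbalanced quotes in the logged command line
            args = match.group(1).split()
        for arg in args:
            if not arg.startswith("-D") or "=" not in arg:
                continue
            name, value = arg[2:].split("=", 1)
            if name in sensitive and value and not MASKED.match(value):
                findings.append((line_no, name))
    return findings


if __name__ == "__main__":
    for label, log in (("parent", PARENT_LOG), ("module 1", MODULE_LOG)):
        print(label, find_unmasked(log))
```

Run against archived console logs of every downstream module job, a non-empty result means the credential has already been written to the log and should be rotated.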


          Activity

          lavermanjeroen Jeroen Laverman added a comment -

          Is there any progress on this?

           


            People

            • Assignee:
              Unassigned
              Reporter:
              floruschbaschan Florian Ruschbaschan
            • Votes:
              1
              Watchers:
              2
