Uploaded image for project: 'Maven'
  1. Maven
  2. MNG-5992

Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2

    XMLWordPrintableJSON

Details

    Description

      The super POM defines version 2.3.2 of the Maven Release plugin. When using HTTP/HTTPS Git SCM URIs, Maven will printout the password in the logs. Thus, any CI system such as Jenkins, TravisCI, etc. will have the passwords exposed in the logs and in the console output. In the case of TravisCI, this will be publicly visible.

      The Maven Release Plugin fixed this issue in MRELEASE-846, but Maven core is still pointing at an exposed version of the Maven Release plugin. I have a test case that demonstrates the issue here:

      https://github.com/damnhandy/maven-publish-issue

      If you run the same build and explicitly define 2.5.3, the password is no longer displayed. This should be the default.

      Attachments

        Issue Links

          is superceded by

          Task - A task that needs to be done. MNG-6054 Remove super POM plugin management section

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed
          links to

          Web Link GitHub Pull Request #152

          Activity

            People

              hboutemy Herve Boutemy
              damnhandy Ryan J. McDonough
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: