  1. Maven Release Plugin
  2. MRELEASE-846

m2 release plugin exposes SCM password in release.properties file

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.4.2
    • Component/s: None
    • Labels:
      None

      Description

      When executing a Maven release build using the m2 release plugin in Jenkins, a release.properties file is created in the workspace that has the SCM user/password credentials in plain text. In our Jenkins instance this is a problem since we have multiple users with access to release the same job. The release.properties is removed after the release build is successful. If the release build fails, the release.properties stays in the workspace until it's manually deleted. This allows other users to see SCM passwords in our organization if they view the workspace during a release build or after one fails.
      If anyone has viable workarounds/solutions we can use in the meantime that would also be appreciated.

      Note I have a ticket open with Jenkins dev but they deferred me here:

      https://issues.jenkins-ci.org/browse/JENKINS-19416
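
For the failure case described above, where a failed release leaves release.properties behind in the workspace, the following shell functions find such files and strip the secret lines from them. This is an added example, not code from the reporter or from the Maven Release Plugin; the property names `scm.password` and `scm.passphrase` and the `$JENKINS_HOME/workspace` location are assumptions to check against your own installation.

```shell
#!/bin/sh
# Added example (not from the issue or the plugin): audit workspaces for
# release.properties files that still carry SCM secrets.
# Assumed property names; adjust to what your plugin version writes.
CRED_KEYS='scm\.password|scm\.passphrase'

# List every release.properties under directory $1 that holds a credential
# key, as "path<TAB>key[,key]". Values are never printed.
find_leaky_release_props() {
    find "$1" -type f -name release.properties 2>/dev/null |
    while IFS= read -r f; do
        keys=$(sed -nE "s/^[[:space:]]*(${CRED_KEYS})[[:space:]]*[=:].*/\1/p" "$f" |
               sort -u | tr '\n' ',')
        if [ -n "$keys" ]; then
            printf '%s\t%s\n' "$f" "${keys%,}"
        fi
    done
    return 0
}

# Remove the credential lines from file $1 in place, keeping everything else,
# and leave the result readable by its owner only.
scrub_release_props() {
    tmp=$(mktemp "$1.XXXXXX") || return 1
    rc=0
    grep -Ev "^[[:space:]]*(${CRED_KEYS})[[:space:]]*[=:]" "$1" > "$tmp" || rc=$?
    if [ "$rc" -gt 1 ]; then      # 1 only means "no lines left"; >1 is an error
        rm -f "$tmp"
        return 1
    fi
    chmod 600 "$tmp" && mv -f "$tmp" "$1"
}

# Typical use from a post-build step or cron job (path is an assumption):
#   find_leaky_release_props "$JENKINS_HOME/workspace" | cut -f1 |
#       while IFS= read -r f; do scrub_release_props "$f"; done
```

A password that has already been written to a shared workspace should be rotated, since scrubbing the file does not undo earlier reads.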

        Activity

        rfscholte Robert Scholte added a comment -

        Fixed in r1529677

        rfscholte Robert Scholte added a comment -

        I would expect that this is possible if the Jenkins instance has a master-password. This plugin still needs to implement the encryption/decryption methods, but that's not too hard.
        I even think this should always be done if there's a master-password.


          People

          • Assignee:
            rfscholte Robert Scholte
            Reporter:
            mark.maun Mark Maun