maven-issues mailing list archives

From "Ryan J. McDonough (JIRA)" <j...@apache.org>
Subject [jira] [Created] (MNG-5992) Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2
Date Sun, 27 Mar 2016 23:24:25 GMT
Ryan J. McDonough created MNG-5992:
--------------------------------------

             Summary: Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2
                 Key: MNG-5992
                 URL: https://issues.apache.org/jira/browse/MNG-5992
             Project: Maven
          Issue Type: Improvement
          Components: Bootstrap & Build, Plugins and Lifecycle, POM
    Affects Versions: 3.3.9, 3.3.3
         Environment: All
            Reporter: Ryan J. McDonough
            Priority: Critical


The super POM defines version 2.3.2 of the Maven Release plugin. When using HTTP/HTTPS Git
SCM URIs, Maven will print out the password in the logs. Thus, any CI system such as Jenkins,
TravisCI, etc. will have the passwords exposed in the logs and in the console output. In the
case of TravisCI, this will be publicly visible.

The [Maven Release Plugin fixed this issue in MRELEASE-846|https://issues.apache.org/jira/browse/MRELEASE-846],
but Maven core is still pointing at an exposed version of the Maven Release plugin. I have
a test case that demonstrates the issue here:

https://github.com/damnhandy/maven-publish-issue

If you run the same build and explicitly define 2.5.3, the password is no longer displayed.
This should be the default. 




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
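The exposure described in this issue is a credential landing in build output. As an added example (not part of the issue, the reporter's test case, or the Maven project), the script below scans a build log for HTTP(S) URLs that carry `user:password@host` credentials, reports which lines leak them, and produces a redacted copy suitable for archiving; the log lines and host `git.example.com` are constructed for the example and only imitate the `git push` command echo the release plugin emits.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of CI output: line 2 embeds the SCM password in the pushed
# URL, line 4 uses a credential-free URL and must not be flagged.
SAMPLE_LOG = """\
[INFO] --- maven-release-plugin:2.3.2:prepare (default-cli) @ demo ---
[INFO] Executing: /bin/sh -c cd /work/demo && git push https://ci-bot:s3cr3t@git.example.com/org/demo.git master
[INFO] Working directory: /work/demo
[INFO] Executing: /bin/sh -c cd /work/demo && git push https://git.example.com/org/demo.git master
[INFO] Checking in modified POMs...
"""

# An http(s) URL whose authority has a userinfo part ("user" or "user:pass") before "@".
_CRED_URL = re.compile(r"https?://[^\s/@]+@[^\s'\"]+")


def redact_url(url: str) -> str:
    """Return url with an embedded password replaced by '***'; the username is kept
    so the finding can still be traced to the account that needs rotation."""
    parts = urlsplit(url)
    if parts.password is None:          # no password component: nothing to hide
        return url
    host = parts.netloc.rsplit("@", 1)[1]   # keep host[:port] exactly as written
    netloc = f"{parts.username}:***@{host}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def scan_log(text: str) -> list:
    """Return one finding per URL that exposes a password: line number (1-based),
    the leaked username and the redacted form of the URL."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in _CRED_URL.finditer(line):
            parts = urlsplit(match.group(0))
            if parts.password:
                findings.append({"line": lineno, "user": parts.username,
                                 "redacted": redact_url(match.group(0))})
    return findings


def redact_log(text: str) -> str:
    """Return the log with every embedded password masked, other text untouched."""
    return "\n".join(_CRED_URL.sub(lambda m: redact_url(m.group(0)), line)
                     for line in text.splitlines())


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: password for user {f['user']!r} exposed -> {f['redacted']}")
```

A finding here means the credential is already compromised wherever that log was visible; redaction only limits further spread, the password still has to be rotated.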
