maven-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (MNG-5992) Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2
Date Sun, 07 Jan 2018 11:24:00 GMT

    [ https://issues.apache.org/jira/browse/MNG-5992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16315204#comment-16315204 ]

ASF GitHub Bot commented on MNG-5992:
-------------------------------------

GitHub user slachiewicz opened a pull request:

    https://github.com/apache/maven/pull/152

    [MNG-5992] Upgrade default version of maven-release-plugin to 2.5.3

    Fix password printout to logs
    
    Credit to: Ryan J. McDonough

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/slachiewicz/maven fix/MNG-5992-maven-release-plugin

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/maven/pull/152.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #152
    
----
commit 285158e1f76667eea2b92c17fe770b226c15e259
Author: Sylwester Lachiewicz <slachiewicz@...>
Date:   2018-01-07T11:22:11Z

    [MNG-5992] Upgrade default version of maven-release-plugin to 2.5.3
    
    Fix password printout to logs
    
    Credit to: Ryan J. McDonough

----


> Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2
> --------------------------------------------------------------------------------
>
>                 Key: MNG-5992
>                 URL: https://issues.apache.org/jira/browse/MNG-5992
>             Project: Maven
>          Issue Type: Improvement
>          Components: Bootstrap & Build, Plugins and Lifecycle, POM
>    Affects Versions: 3.3.3, 3.3.9
>         Environment: All
>            Reporter: Ryan J. McDonough
>            Priority: Critical
>              Labels: security
>             Fix For: needing-scrub-3.4.0-fallout
>
>
> The super POM defines version 2.3.2 of the Maven Release plugin. When using HTTP/HTTPS
> Git SCM URIs, Maven will print out the password in the logs. Thus, any CI system such as Jenkins,
> TravisCI, etc. will have the passwords exposed in the logs and in the console output. In the
> case of TravisCI, this will be publicly visible.
> The [Maven Release Plugin fixed this issue in MRELEASE-846|https://issues.apache.org/jira/browse/MRELEASE-846],
> but Maven core is still pointing at an exposed version of the Maven Release plugin. I have
> a test case that demonstrates the issue here:
> https://github.com/damnhandy/maven-publish-issue
> If you run the same build and explicitly define 2.5.3, the password is no longer displayed.
> This should be the default.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
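The leak described in the issue is easiest to catch on the defender's side by scanning build logs. The following Python is an added example, not part of this pull request or of Maven: it redacts the password from an SCM URL (the behaviour the fixed plugin provides) and flags log lines that still carry one; the log lines, hostnames and credentials are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# http(s) URL carrying userinfo of the form user:password@host, the shape that
# the 2.3.2 release plugin echoed verbatim when it ran git push/fetch.
_CRED_URL = re.compile(r"https?://[^/\s:@]+:[^@\s]+@[^\s'\"]+")


def redact_scm_url(url):
    """Return url with the userinfo password replaced by '*****'.

    Accepts a plain URL or a Maven SCM URL ("scm:git:https://...").
    URLs without a password are returned unchanged."""
    prefix = ""
    if url.startswith("scm:"):
        pieces = url.split(":", 2)          # ["scm", "git", "<url>"]
        if len(pieces) == 3:
            prefix, url = f"scm:{pieces[1]}:", pieces[2]
    parts = urlsplit(url)
    if parts.password is None:
        return prefix + url
    host = parts.hostname or ""
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    netloc = f"{parts.username}:*****@{host}"
    return prefix + urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def find_leaked_credentials(log_lines):
    """Scan build-log lines; return (line_no, redacted_line) for each line that
    contains an http(s) URL with an embedded password."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        if _CRED_URL.search(line):
            hits.append((n, _CRED_URL.sub(lambda m: redact_scm_url(m.group(0)), line)))
    return hits


# Constructed sample of a release:prepare run on the old plugin; values are made up.
SAMPLE_LOG = [
    "[INFO] --- maven-release-plugin:2.3.2:prepare (default-cli) @ demo ---",
    "[INFO] Executing: /bin/sh -c cd /work/demo && git push https://ci-user:s3cr3t@github.com/example/demo.git master:master",
    "[INFO] Working directory: /work/demo",
    "[INFO] Executing: /bin/sh -c cd /work/demo && git push https://ci-user:s3cr3t@github.com/example/demo.git demo-1.0.0",
]

if __name__ == "__main__":
    for n, line in find_leaked_credentials(SAMPLE_LOG):
        print(f"line {n}: {line}")
```

A hit on a build that is supposed to run the fixed plugin means the release plugin version actually resolved is still the old one, so pin 2.5.3 in the project's pluginManagement until the Maven in use ships this super POM change.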
