[ https://issues.apache.org/jira/browse/MNG-5992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16315204#comment-16315204 ]
ASF GitHub Bot commented on MNG-5992:
-------------------------------------
GitHub user slachiewicz opened a pull request:
https://github.com/apache/maven/pull/152
[MNG-5992] Upgrade default version of maven-release-plugin to 2.5.3
Fix password printout to logs
Credit to: Ryan J. McDonough
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/slachiewicz/maven fix/MNG-5992-maven-release-plugin
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/maven/pull/152.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #152
----
commit 285158e1f76667eea2b92c17fe770b226c15e259
Author: Sylwester Lachiewicz <slachiewicz@...>
Date: 2018-01-07T11:22:11Z
[MNG-5992] Upgrade default version of maven-release-plugin to 2.5.3
Fix password printout to logs
Credit to: Ryan J. McDonough
----
> Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2
> --------------------------------------------------------------------------------
>
> Key: MNG-5992
> URL: https://issues.apache.org/jira/browse/MNG-5992
> Project: Maven
> Issue Type: Improvement
> Components: Bootstrap & Build, Plugins and Lifecycle, POM
> Affects Versions: 3.3.3, 3.3.9
> Environment: All
> Reporter: Ryan J. McDonough
> Priority: Critical
> Labels: security
> Fix For: needing-scrub-3.4.0-fallout
>
>
> The super POM defines version 2.3.2 of the Maven Release plugin. When using
> HTTP/HTTPS Git SCM URIs, Maven will print out the password in the logs. Thus,
> any CI system such as Jenkins, TravisCI, etc. will have the passwords exposed
> in the logs and in the console output. In the case of TravisCI, this will be
> publicly visible.
> The [Maven Release Plugin fixed this issue in
> MRELEASE-846|https://issues.apache.org/jira/browse/MRELEASE-846], but Maven
> core is still pointing at an exposed version of the Maven Release plugin. I
> have a test case that demonstrates the issue here:
> https://github.com/damnhandy/maven-publish-issue
> If you run the same build and explicitly define 2.5.3, the password is no
> longer displayed. This should be the default.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
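Two checks a build owner can run against the problem described in the ticket, as an added example that is not part of the pull request, the Maven project, or the reporter's test case: an audit that reads a pom.xml and reports which maven-release-plugin version will take effect (treating an undeclared plugin as inheriting the super POM's 2.3.2, the value the ticket quotes for Maven 3.3.x, and 2.5.3 as the version the ticket says stops the printout), and a log scanner that flags and redacts `scheme://user:password@host` URLs in build output. The POM fragments and log lines are constructed for the example; the log format is not copied from any real Maven run, and the all-asterisks password in the third sample line is only an assumed shape for already-masked output.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Both values come from the ticket text: the super POM pinned 2.3.2, and an
# explicit 2.5.3 no longer displays the password. Anything else is assumed.
SUPER_POM_DEFAULT = "2.3.2"
MIN_SAFE_VERSION = (2, 5, 3)


def _local(tag: str) -> str:
    """Strip the POM XML namespace ('{http://maven.apache.org/POM/4.0.0}plugin' -> 'plugin')."""
    return tag.rsplit("}", 1)[-1]


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.3' -> (2, 5, 3); a trailing qualifier such as '-SNAPSHOT' is dropped."""
    parts: List[int] = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def declared_release_plugin_version(pom_xml: str) -> Optional[str]:
    """Version declared for org.apache.maven.plugins:maven-release-plugin anywhere
    in the POM (build/plugins or pluginManagement), or None if not declared."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():
        if _local(el.tag) != "plugin":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        group = fields.get("groupId", "org.apache.maven.plugins")  # Maven's default groupId for plugins
        if group == "org.apache.maven.plugins" and fields.get("artifactId") == "maven-release-plugin":
            return fields.get("version") or None
    return None


def effective_release_plugin_version(pom_xml: str) -> str:
    """Declared version, else the super-POM default the project would inherit."""
    return declared_release_plugin_version(pom_xml) or SUPER_POM_DEFAULT


def pom_is_safe(pom_xml: str) -> bool:
    """True when the effective release-plugin version is at least 2.5.3."""
    return parse_version(effective_release_plugin_version(pom_xml)) >= MIN_SAFE_VERSION


# scheme://user:password@ ... ; the password must be followed directly by '@'.
_USERINFO_URL = re.compile(r"(?P<prefix>[a-z][a-z0-9+.-]*://[^\s:/@]+:)(?P<pw>[^\s@/]+)@", re.IGNORECASE)


def redact_line(line: str) -> Tuple[str, bool]:
    """Return (line with clear-text passwords replaced by '***', True if any were found).
    A password made only of '*' is treated as already masked, not as a leak."""
    leaked = False

    def _sub(m: "re.Match[str]") -> str:
        nonlocal leaked
        if set(m.group("pw")) == {"*"}:
            return m.group(0)
        leaked = True
        return m.group("prefix") + "***@"

    return _USERINFO_URL.sub(_sub, line), leaked


def scan_log(lines: List[str]) -> List[int]:
    """Indices of log lines that carry a password in the clear."""
    return [i for i, line in enumerate(lines) if redact_line(line)[1]]


# Constructed sample inputs for the example (not real project files or logs).
POM_UNPINNED = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>app</artifactId><version>1.0</version>
</project>"""

POM_PINNED = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>app</artifactId><version>1.0</version>
  <build><pluginManagement><plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-release-plugin</artifactId>
      <version>2.5.3</version>
    </plugin>
  </plugins></pluginManagement></build>
</project>"""

SAMPLE_LOG = [
    "[INFO] Executing: /bin/sh -c cd /work && git push https://builduser:s3cret@git.example.invalid/org/app.git master:master",
    "[INFO] Working directory: /work",
    "[INFO] Executing: /bin/sh -c cd /work && git push https://builduser:*****@git.example.invalid/org/app.git master:master",
]

if __name__ == "__main__":
    for name, pom in (("unpinned", POM_UNPINNED), ("pinned", POM_PINNED)):
        verdict = "ok" if pom_is_safe(pom) else "prints SCM password"
        print(f"{name}: effective maven-release-plugin {effective_release_plugin_version(pom)} -> {verdict}")
    for i in scan_log(SAMPLE_LOG):
        print(f"leak at log line {i}: {redact_line(SAMPLE_LOG[i])[0]}")
```

The POM audit is the preventive check (run it over every project that inherits the super POM default), and the log scanner is the detective one for CI output already produced; the scanner redacts rather than only reports so its output can itself be posted safely.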