clafren1 commented on issue #348:
URL: 
https://github.com/apache/maven-antrun-plugin/issues/348#issuecomment-4758139858

   This message can expose sensitive information, as properties defined in the 
user settings.xml file also become ANT properties and trigger the warning, with 
the property value being interpolated.
   
   To be fair, it could also occur with the previous log level if you ran Maven 
in debug mode. But a warning is much more visible.
   
   At the very least, the property value should not be logged.
   
   I'm still not convinced a message is even necessary, regardless of the log 
level.
   
   To expand on [my previous 
comment](https://github.com/apache/maven-antrun-plugin/issues/348#issuecomment-3712316830),
 consider this new sample POM:
   ```
   <?xml version="1.0" encoding="UTF-8"?>
   <project xmlns="http://maven.apache.org/POM/4.0.0"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 
http://maven.apache.org/xsd/maven-4.0.0.xsd";>
     <modelVersion>4.0.0</modelVersion>
     <groupId>my.groupId</groupId>
     <artifactId>my-artifactId</artifactId>
     <version>1.0</version>
     <packaging>pom</packaging>
     <profiles>
       <profile>
         <id>nashorn</id>
         <activation>
           <jdk>[11,(</jdk>
         </activation>
         <build>
           <plugins>
             <plugin>
               <artifactId>maven-antrun-plugin</artifactId>
               <dependencies>
                 <dependency>
                   <groupId>org.openjdk.nashorn</groupId>
                   <artifactId>nashorn-core</artifactId>
                   <version>15.7</version>
                 </dependency>
               </dependencies>
             </plugin>
           </plugins>
         </build>
       </profile>
       <profile>
         <id>maven</id>
         <properties>
           <my.property>maven</my.property>
         </properties>
       </profile>
     </profiles>
     <build>
       <plugins>
         <plugin>
           <artifactId>maven-antrun-plugin</artifactId>
           <version>3.2.0</version>
           <executions>
             <execution>
               <id>print-property</id>
               <phase>verify</phase>
               <goals>
                 <goal>run</goal>
               </goals>
               <configuration>
                 <target>
                   <condition property="my.property" value="ant">
                     <not>
                       <isset property="my.property"/>
                     </not>
                   </condition>
                   <echo level="info">my.property (init): ${my.property}</echo>
                   <available file="${basedir}/pom.xml" property="my.property" 
value="available"/>
                   <echo level="info">my.property (available task): 
${my.property}</echo>
                   <script 
language="javascript">project.setProperty("my.property", "script");</script>
                   <echo level="info">my.property (script task): 
${my.property}</echo>
                   <taskdef name="groovy" 
classname="org.codehaus.groovy.ant.Groovy"/>
                   <groovy>properties['my.property'] = 'groovy'</groovy>
                   <echo level="info">my.property (groovy task): 
${my.property}</echo>
                   <local name="my.property"/>
                   <property name="my.property" value="local"/>
                   <echo level="info">my.property (local task): 
${my.property}</echo>
                 </target>
               </configuration>
             </execution>
           </executions>
           <dependencies>
             <dependency>
               <groupId>org.apache.groovy</groupId>
               <artifactId>groovy-ant</artifactId>
               <version>4.0.32</version>
             </dependency>
           </dependencies>
         </plugin>
       </plugins>
     </build>
   </project>
   ```
   
   The [available](https://ant.apache.org/manual/Tasks/available.html) task is 
1 of the very few [built-in ANT 
tasks](https://ant.apache.org/manual/tasksoverview.html) that can override an 
existing property.
   
   It uses `org.apache.tools.ant.Project#setProperty` instead of 
`org.apache.tools.ant.Project#setNewProperty`.
   
   I assume the 
[groovy](https://docs.groovy-lang.org/latest/html/documentation/groovy-ant-task.html)
 task also uses it internally with `properties['name'] = 'value'` statements.
   
   When you run `mvn clean verify`, which initializes the `my.property` 
property in the antrun plugin with the condition task, you get:
   ```
   [INFO]      [echo] my.property (init): ant
   [WARNING] [available] DEPRECATED - <available> used to override an existing 
property.
   [available]   Build file should not reuse the same property name for 
different values.
   [INFO]      [echo] my.property (available task): available
   [INFO]      [echo] my.property (script task): script
   [INFO]      [echo] my.property (groovy task): groovy
   [INFO]      [echo] my.property (local task): local
   ```
   
   However, when you run `mvn clean verify -Pmaven`, which initializes the 
`my.property` property in the maven profile, you get:
   ```
   [INFO]      [echo] my.property (init): maven
   [WARNING] [available] DEPRECATED - <available> used to override an existing 
property.
   [available]   Build file should not reuse the same property name for 
different values.
   [INFO]      [echo] my.property (available task): maven
   [INFO]      [echo] my.property (script task): maven
   [INFO]      [echo] my.property (groovy task): maven
   [INFO]      [echo] my.property (local task): maven
   ```
   
   You get a similar output if you run `mvn clean verify -Dmy.property=maven`.
   
   Or if `my.property` is defined in your settings.xml file and you run `mvn 
clean verify`.
   
   I can't think of other ways to override a property in ANT.
   
   If the maven-antrun-plugin maintainers can confirm/explain this immutable 
behavior, would it be okay to simply remove the message?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to