[jira] [Commented] (MNG-5992) Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2

    [ https://issues.apache.org/jira/browse/MNG-5992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17069745#comment-17069745 ]

Hudson commented on MNG-5992:
-----------------------------

Build failed in Jenkins: Maven TLP » maven-studies » maven-metrics #4

See https://builds.apache.org/job/maven-box/job/maven-studies/job/maven-metrics/4/

> Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2
> --------------------------------------------------------------------------------
>
>                 Key: MNG-5992
>                 URL: https://issues.apache.org/jira/browse/MNG-5992
>             Project: Maven
>          Issue Type: Improvement
>          Components: Bootstrap & Build, Plugins and Lifecycle, POM
>    Affects Versions: 3.3.3, 3.3.9
>         Environment: All
>            Reporter: Ryan J. McDonough
>            Assignee: Hervé Boutemy
>            Priority: Critical
>              Labels: security
>             Fix For: 3.5.3
>
>
> The super POM defines version 2.3.2 of the Maven Release plugin. When using HTTP/HTTPS Git SCM URIs, Maven will print out the password in the logs. Thus, any CI system such as Jenkins, TravisCI, etc. will have the passwords exposed in the logs and in the console output. In the case of TravisCI, this will be publicly visible.
> The [Maven Release Plugin fixed this issue in MRELEASE-846|https://issues.apache.org/jira/browse/MRELEASE-846], but Maven core is still pointing at an exposed version of the Maven Release plugin. I have a test case that demonstrates the issue here: https://github.com/damnhandy/maven-publish-issue
> If you run the same build and explicitly define 2.5.3, the password is no longer displayed. This should be the default.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (MNG-5992) Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2

    [ https://issues.apache.org/jira/browse/MNG-5992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16359406#comment-16359406 ]

Hudson commented on MNG-5992:
-----------------------------

Build succeeded in Jenkins: Maven TLP (wip) » maven » MNG-6352-print-version #3

See https://builds.apache.org/job/maven-wip/job/maven/job/MNG-6352-print-version/3/

> Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2
> --------------------------------------------------------------------------------
>
>                 Key: MNG-5992
>                 URL: https://issues.apache.org/jira/browse/MNG-5992
>             Project: Maven
>          Issue Type: Improvement
>          Components: Bootstrap & Build, Plugins and Lifecycle, POM
>    Affects Versions: 3.3.3, 3.3.9
>         Environment: All
>            Reporter: Ryan J. McDonough
>            Assignee: Hervé Boutemy
>            Priority: Critical
>              Labels: security
>             Fix For: 3.5.3
>
>
> The super POM defines version 2.3.2 of the Maven Release plugin. When using HTTP/HTTPS Git SCM URIs, Maven will print out the password in the logs. Thus, any CI system such as Jenkins, TravisCI, etc. will have the passwords exposed in the logs and in the console output. In the case of TravisCI, this will be publicly visible.
> The [Maven Release Plugin fixed this issue in MRELEASE-846|https://issues.apache.org/jira/browse/MRELEASE-846], but Maven core is still pointing at an exposed version of the Maven Release plugin. I have a test case that demonstrates the issue here: https://github.com/damnhandy/maven-publish-issue
> If you run the same build and explicitly define 2.5.3, the password is no longer displayed. This should be the default.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (MNG-5992) Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2

    [ https://issues.apache.org/jira/browse/MNG-5992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16356596#comment-16356596 ]

Hudson commented on MNG-5992:
-----------------------------

Build succeeded in Jenkins: maven-3.x-jenkinsfile » master #162

See https://builds.apache.org/job/maven-3.x-jenkinsfile/job/master/162/

> Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2
> --------------------------------------------------------------------------------
>
>                 Key: MNG-5992
>                 URL: https://issues.apache.org/jira/browse/MNG-5992
>             Project: Maven
>          Issue Type: Improvement
>          Components: Bootstrap & Build, Plugins and Lifecycle, POM
>    Affects Versions: 3.3.3, 3.3.9
>         Environment: All
>            Reporter: Ryan J. McDonough
>            Priority: Critical
>              Labels: security
>             Fix For: needing-scrub-3.4.0-fallout
>
>
> The super POM defines version 2.3.2 of the Maven Release plugin. When using HTTP/HTTPS Git SCM URIs, Maven will print out the password in the logs. Thus, any CI system such as Jenkins, TravisCI, etc. will have the passwords exposed in the logs and in the console output. In the case of TravisCI, this will be publicly visible.
> The [Maven Release Plugin fixed this issue in MRELEASE-846|https://issues.apache.org/jira/browse/MRELEASE-846], but Maven core is still pointing at an exposed version of the Maven Release plugin. I have a test case that demonstrates the issue here: https://github.com/damnhandy/maven-publish-issue
> If you run the same build and explicitly define 2.5.3, the password is no longer displayed. This should be the default.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (MNG-5992) Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2

    [ https://issues.apache.org/jira/browse/MNG-5992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16356595#comment-16356595 ]

Hudson commented on MNG-5992:
-----------------------------

Build succeeded in Jenkins: Maven TLP (wip) » maven » master #33

See https://builds.apache.org/job/maven-wip/job/maven/job/master/33/

> Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2
> --------------------------------------------------------------------------------
>
>                 Key: MNG-5992
>                 URL: https://issues.apache.org/jira/browse/MNG-5992
>             Project: Maven
>          Issue Type: Improvement
>          Components: Bootstrap & Build, Plugins and Lifecycle, POM
>    Affects Versions: 3.3.3, 3.3.9
>         Environment: All
>            Reporter: Ryan J. McDonough
>            Priority: Critical
>              Labels: security
>             Fix For: needing-scrub-3.4.0-fallout
>
>
> The super POM defines version 2.3.2 of the Maven Release plugin. When using HTTP/HTTPS Git SCM URIs, Maven will print out the password in the logs. Thus, any CI system such as Jenkins, TravisCI, etc. will have the passwords exposed in the logs and in the console output. In the case of TravisCI, this will be publicly visible.
> The [Maven Release Plugin fixed this issue in MRELEASE-846|https://issues.apache.org/jira/browse/MRELEASE-846], but Maven core is still pointing at an exposed version of the Maven Release plugin. I have a test case that demonstrates the issue here: https://github.com/damnhandy/maven-publish-issue
> If you run the same build and explicitly define 2.5.3, the password is no longer displayed. This should be the default.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (MNG-5992) Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2

    [ https://issues.apache.org/jira/browse/MNG-5992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16356576#comment-16356576 ]

ASF GitHub Bot commented on MNG-5992:
-------------------------------------

Github user asfgit closed the pull request at:

    https://github.com/apache/maven/pull/152

> Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2
> --------------------------------------------------------------------------------
>
>                 Key: MNG-5992
>                 URL: https://issues.apache.org/jira/browse/MNG-5992
>             Project: Maven
>          Issue Type: Improvement
>          Components: Bootstrap & Build, Plugins and Lifecycle, POM
>    Affects Versions: 3.3.3, 3.3.9
>         Environment: All
>            Reporter: Ryan J. McDonough
>            Priority: Critical
>              Labels: security
>             Fix For: needing-scrub-3.4.0-fallout
>
>
> The super POM defines version 2.3.2 of the Maven Release plugin. When using HTTP/HTTPS Git SCM URIs, Maven will print out the password in the logs. Thus, any CI system such as Jenkins, TravisCI, etc. will have the passwords exposed in the logs and in the console output. In the case of TravisCI, this will be publicly visible.
> The [Maven Release Plugin fixed this issue in MRELEASE-846|https://issues.apache.org/jira/browse/MRELEASE-846], but Maven core is still pointing at an exposed version of the Maven Release plugin. I have a test case that demonstrates the issue here: https://github.com/damnhandy/maven-publish-issue
> If you run the same build and explicitly define 2.5.3, the password is no longer displayed. This should be the default.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (MNG-5992) Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2

    [ https://issues.apache.org/jira/browse/MNG-5992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16315204#comment-16315204 ]

ASF GitHub Bot commented on MNG-5992:
-------------------------------------

GitHub user slachiewicz opened a pull request:

    https://github.com/apache/maven/pull/152

    [MNG-5992] Upgrade default version of maven-release-plugin to 2.5.3

    Fix password printout to logs
    Credit to: Ryan J. McDonough

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/slachiewicz/maven fix/MNG-5992-maven-release-plugin

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/maven/pull/152.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #152

----
commit 285158e1f76667eea2b92c17fe770b226c15e259
Author: Sylwester Lachiewicz
Date:   2018-01-07T11:22:11Z

    [MNG-5992] Upgrade default version of maven-release-plugin to 2.5.3

    Fix password printout to logs
    Credit to: Ryan J. McDonough

> Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2
> --------------------------------------------------------------------------------
>
>                 Key: MNG-5992
>                 URL: https://issues.apache.org/jira/browse/MNG-5992
>             Project: Maven
>          Issue Type: Improvement
>          Components: Bootstrap & Build, Plugins and Lifecycle, POM
>    Affects Versions: 3.3.3, 3.3.9
>         Environment: All
>            Reporter: Ryan J. McDonough
>            Priority: Critical
>              Labels: security
>             Fix For: needing-scrub-3.4.0-fallout
>
>
> The super POM defines version 2.3.2 of the Maven Release plugin. When using HTTP/HTTPS Git SCM URIs, Maven will print out the password in the logs. Thus, any CI system such as Jenkins, TravisCI, etc. will have the passwords exposed in the logs and in the console output. In the case of TravisCI, this will be publicly visible.
> The [Maven Release Plugin fixed this issue in MRELEASE-846|https://issues.apache.org/jira/browse/MRELEASE-846], but Maven core is still pointing at an exposed version of the Maven Release plugin. I have a test case that demonstrates the issue here: https://github.com/damnhandy/maven-publish-issue
> If you run the same build and explicitly define 2.5.3, the password is no longer displayed. This should be the default.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Commented] (MNG-5992) Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2

    [ https://issues.apache.org/jira/browse/MNG-5992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15285755#comment-15285755 ]

Ryan J. McDonough commented on MNG-5992:
----------------------------------------

Of course. In my projects we're doing exactly that, but only after we started seeing this issue. But as you should be well aware, not every project inherits from a parent pom.xml, and not every project will assert explicit versions. While yes, best practices should remedy this, the defaults will put users at risk.

More importantly, this issue is *not* exclusive to the {{maven-git-commit-id-plugin}}. If you look closer at the linked project on GitHub, you'd see exactly this. The Maven Release Plugin alone will happily print out your credentials in Maven's output when you use HTTPS Git URLs. Given how Jenkins, Cloudbees, TravisCI, etc. all display Maven's output as part of the build results, your credentials will be displayed right there. If you're talking about public projects that use public CI tools, you're at risk.

It's easy to point blame at the user for not following best practices, but most users will obliviously use the defaults. It'd be great if the defaults could use the safest options available.

> Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2
> --------------------------------------------------------------------------------
>
>                 Key: MNG-5992
>                 URL: https://issues.apache.org/jira/browse/MNG-5992
>             Project: Maven
>          Issue Type: Improvement
>          Components: Bootstrap & Build, Plugins and Lifecycle, POM
>    Affects Versions: 3.3.3, 3.3.9
>         Environment: All
>            Reporter: Ryan J. McDonough
>            Priority: Critical
>              Labels: security
>             Fix For: waiting-for-feedback
>
>
> The super POM defines version 2.3.2 of the Maven Release plugin. When using HTTP/HTTPS Git SCM URIs, Maven will print out the password in the logs. Thus, any CI system such as Jenkins, TravisCI, etc. will have the passwords exposed in the logs and in the console output. In the case of TravisCI, this will be publicly visible.
> The [Maven Release Plugin fixed this issue in MRELEASE-846|https://issues.apache.org/jira/browse/MRELEASE-846], but Maven core is still pointing at an exposed version of the Maven Release plugin. I have a test case that demonstrates the issue here: https://github.com/damnhandy/maven-publish-issue
> If you run the same build and explicitly define 2.5.3, the password is no longer displayed. This should be the default.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (MNG-5992) Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2

    [ https://issues.apache.org/jira/browse/MNG-5992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15213982#comment-15213982 ]

Karl Heinz Marbaise commented on MNG-5992:
------------------------------------------

Why haven't you defined the maven-release-plugin version in your pom via pluginManagement? Or better in your corporate/organization pom.

Furthermore, if the maven-git-commit-id-plugin saves all the information including the password, where I think only the git hash is necessary, that can simply be achieved by using the buildnumber-maven-plugin ...

> Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2
> --------------------------------------------------------------------------------
>
>                 Key: MNG-5992
>                 URL: https://issues.apache.org/jira/browse/MNG-5992
>             Project: Maven
>          Issue Type: Improvement
>          Components: Bootstrap & Build, Plugins and Lifecycle, POM
>    Affects Versions: 3.3.3, 3.3.9
>         Environment: All
>            Reporter: Ryan J. McDonough
>            Priority: Critical
>              Labels: security
>
>
> The super POM defines version 2.3.2 of the Maven Release plugin. When using HTTP/HTTPS Git SCM URIs, Maven will print out the password in the logs. Thus, any CI system such as Jenkins, TravisCI, etc. will have the passwords exposed in the logs and in the console output. In the case of TravisCI, this will be publicly visible.
> The [Maven Release Plugin fixed this issue in MRELEASE-846|https://issues.apache.org/jira/browse/MRELEASE-846], but Maven core is still pointing at an exposed version of the Maven Release plugin. I have a test case that demonstrates the issue here: https://github.com/damnhandy/maven-publish-issue
> If you run the same build and explicitly define 2.5.3, the password is no longer displayed. This should be the default.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
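Two checks a project owner can run on their own side of this thread: whether a pom.xml actually pins maven-release-plugin (under build/plugins or pluginManagement, as suggested above) to 2.5.3 or later instead of inheriting the super POM default, and whether a CI log that has already been produced carries a password embedded in an SCM URL, so it can be redacted before the log is shared. This is an added example, not code from the Maven project or from the issue; the two POMs, the project coordinates, the hostname and the log lines are constructed, and the shape of the leaking log line is an assumption rather than the release plugin's literal output.

```python
"""Added example for MNG-5992: check a POM for an explicit maven-release-plugin
version and scan CI log lines for passwords embedded in SCM URLs."""
import re
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# First release plugin version that no longer prints the SCM password
# (MRELEASE-846); Maven 3.5.3 made it the super POM default (MNG-5992).
MIN_SAFE_RELEASE_PLUGIN = (2, 5, 3)

# Constructed sample POM for a hypothetical project (not from the issue).
# It declares no release plugin version, so it inherits whatever the super POM
# of the running Maven version says (2.3.2 before Maven 3.5.3).
UNPINNED_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0-SNAPSHOT</version>
  <scm>
    <developerConnection>scm:git:https://git.example.com/org/demo.git</developerConnection>
  </scm>
</project>
"""

# Same project with the version pinned through pluginManagement; this is the
# shape the fix takes in a project or corporate POM.
PINNED_POM = UNPINNED_POM.replace("</project>", """  <build>
    <pluginManagement>
      <plugins>
        <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-release-plugin</artifactId>
          <version>2.5.3</version>
        </plugin>
      </plugins>
    </pluginManagement>
  </build>
</project>""")


def parse_version(text):
    """'2.5.3' -> (2, 5, 3); a non-numeric part such as '0-M1' counts as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.strip().split("."))


def release_plugin_version(pom_xml):
    """Version of maven-release-plugin declared in this POM, or None when it is
    left to inheritance. An entry under build/plugins wins over pluginManagement,
    matching Maven's own precedence. Only this one file is inspected."""
    root = ET.fromstring(pom_xml)
    for path in ("m:build/m:plugins/m:plugin",
                 "m:build/m:pluginManagement/m:plugins/m:plugin"):
        for plugin in root.findall(path, POM_NS):
            artifact = plugin.findtext("m:artifactId", default="", namespaces=POM_NS)
            version = plugin.findtext("m:version", default="", namespaces=POM_NS)
            if artifact.strip() == "maven-release-plugin" and version.strip():
                return version.strip()
    return None


def pins_safe_release_plugin(pom_xml):
    """True only when the POM itself pins the plugin at 2.5.3 or later."""
    version = release_plugin_version(pom_xml)
    return version is not None and parse_version(version) >= MIN_SAFE_RELEASE_PLUGIN


# user:password@ inside a URL of any scheme; group 2 is the secret.
_URL_CREDENTIAL = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*://[^/\s:@]+:)([^@\s]+)(@)")


def redact_credentials(line):
    """Replace the password part of any user:password@host URL with ***."""
    return _URL_CREDENTIAL.sub(r"\g<1>***\g<3>", line)


def find_exposed_credentials(log_lines):
    """(line number, redacted line) for every line carrying a URL password, so a
    log can be reviewed without repeating the secret."""
    return [(n, redact_credentials(line))
            for n, line in enumerate(log_lines, start=1)
            if _URL_CREDENTIAL.search(line)]


# Constructed CI log excerpt; the push line imitates the kind of leak the issue
# describes and is not the release plugin's literal output.
SAMPLE_LOG = [
    "[INFO] --- maven-release-plugin:2.3.2:prepare (default-cli) @ demo ---",
    "[INFO] Executing: /bin/sh -c cd /work/demo && git push "
    "https://ci-bot:Hunter2!@git.example.com/org/demo.git master",
    "[INFO] Working directory: /work/demo",
]

if __name__ == "__main__":
    for label, pom in (("unpinned", UNPINNED_POM), ("pinned", PINNED_POM)):
        print(f"{label}: release plugin {release_plugin_version(pom)!r}, "
              f"safe={pins_safe_release_plugin(pom)}")
    for n, line in find_exposed_credentials(SAMPLE_LOG):
        print(f"line {n} exposes a credential: {line}")
```

The POM check deliberately answers "does this file pin it" rather than "what version will Maven resolve", because the resolved version depends on the parent chain and on the super POM of whichever Maven runs the build; a project that wants the safe version everywhere has to state it, as the thread concludes. The log scan is scheme-agnostic so that it also catches the same pattern in other tools' output.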