[jira] [Commented] (MNG-5992) Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2

2020-03-28 Thread Hudson (Jira)


[ 
https://issues.apache.org/jira/browse/MNG-5992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17069745#comment-17069745
 ] 

Hudson commented on MNG-5992:
-

Build failed in Jenkins: Maven TLP » maven-studies » maven-metrics #4

See 
https://builds.apache.org/job/maven-box/job/maven-studies/job/maven-metrics/4/

> Git passwords are exposed as the Super POM still uses Maven Release Plugin 
> 2.3.2
> 
>
> Key: MNG-5992
> URL: https://issues.apache.org/jira/browse/MNG-5992
> Project: Maven
>  Issue Type: Improvement
>  Components: Bootstrap & Build, Plugins and Lifecycle, POM
>Affects Versions: 3.3.3, 3.3.9
> Environment: All
>Reporter: Ryan J. McDonough
>Assignee: Herve Boutemy
>Priority: Critical
>  Labels: security
> Fix For: 3.5.3
>
>
> The super POM defines version 2.3.2 of the Maven Release plugin. When using 
> HTTP/HTTPS Git SCM URIs, Maven will printout the password in the logs. Thus, 
> any CI system such as Jenkins, TravisCI, etc. will have the passwords exposed 
> in the logs and in the console output. In the case of TravisCI, this will be 
> publicly visible. 
> The [Maven Release Plugin fixed this issue in 
> MRELEASE-846|https://issues.apache.org/jira/browse/MRELEASE-846], but Maven 
> core is still pointing at an exposed version of the Maven Release plugin. I 
> have a test case that demonstrates the issue here:
> https://github.com/damnhandy/maven-publish-issue
> If you run the same build and explicitly define 2.5.3, the password is no 
> longer displayed. This should be the default. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
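A defender-side check for the symptom this issue describes, added here as an example and not code from Maven, the Release Plugin or the reporter's test project: it scans build output for http(s) SCM URLs that carry an embedded password, reports them without echoing the secret, and redacts them. The log lines, host and credentials below are constructed for the example.

```python
import re

# Matches the userinfo part of an http(s) URL: scheme://user:password@host/...
# This is the shape of the credential leak described in MNG-5992: a Git SCM URL
# with an embedded password is echoed verbatim into the Maven build output.
_URL_CRED_RE = re.compile(
    r"(?P<scheme>https?://)(?P<user>[^:/@\s]+):(?P<password>[^@/\s]+)@(?P<host>[^/\s]+)"
)


def find_leaked_credentials(log_text):
    """Return (line_number, user, host) for each line containing an http(s) URL
    with an embedded password. The password itself is deliberately not returned
    so the finding can be reported without re-exposing the secret."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for m in _URL_CRED_RE.finditer(line):
            findings.append((lineno, m.group("user"), m.group("host")))
    return findings


def redact_credentials(log_text):
    """Replace the password of every embedded-credential URL with '***',
    leaving scheme, user and host intact so the line stays readable."""
    return _URL_CRED_RE.sub(r"\g<scheme>\g<user>:***@\g<host>", log_text)


# Constructed sample of release-style build output (not real Maven output);
# the host is a reserved .invalid name and the credential is fake.
SAMPLE_LOG = """\
[INFO] --- maven-release-plugin:2.3.2:prepare (default-cli) @ demo ---
[INFO] Executing: git push https://ci-user:s3cretPass@example.invalid/org/demo.git master:master
[INFO] Working directory: /work/demo
[INFO] Executing: git ls-remote https://example.invalid/org/demo.git
[INFO] BUILD SUCCESS
"""

if __name__ == "__main__":
    for lineno, user, host in find_leaked_credentials(SAMPLE_LOG):
        print(f"line {lineno}: password for user '{user}' at {host} is exposed")
    print(redact_credentials(SAMPLE_LOG))
```

A URL with only a user name and no password (https://user@host/...) is intentionally not flagged; only lines that actually expose a secret are reported.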


[jira] [Commented] (MNG-5992) Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2

2018-02-10 Thread Hudson (JIRA)

[ 
https://issues.apache.org/jira/browse/MNG-5992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16359406#comment-16359406
 ] 

Hudson commented on MNG-5992:
-

Build succeeded in Jenkins: Maven TLP (wip) » maven » MNG-6352-print-version #3

See 
https://builds.apache.org/job/maven-wip/job/maven/job/MNG-6352-print-version/3/

> Git passwords are exposed as the Super POM still uses Maven Release Plugin 
> 2.3.2
> 
>
> Key: MNG-5992
> URL: https://issues.apache.org/jira/browse/MNG-5992
> Project: Maven
>  Issue Type: Improvement
>  Components: Bootstrap & Build, Plugins and Lifecycle, POM
>Affects Versions: 3.3.3, 3.3.9
> Environment: All
>Reporter: Ryan J. McDonough
>Assignee: Hervé Boutemy
>Priority: Critical
>  Labels: security
> Fix For: 3.5.3
>
>





[jira] [Commented] (MNG-5992) Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2

2018-02-07 Thread Hudson (JIRA)

[ 
https://issues.apache.org/jira/browse/MNG-5992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16356596#comment-16356596
 ] 

Hudson commented on MNG-5992:
-

Build succeeded in Jenkins: maven-3.x-jenkinsfile » master #162

See https://builds.apache.org/job/maven-3.x-jenkinsfile/job/master/162/

> Git passwords are exposed as the Super POM still uses Maven Release Plugin 
> 2.3.2
> 
>
> Key: MNG-5992
> URL: https://issues.apache.org/jira/browse/MNG-5992
> Project: Maven
>  Issue Type: Improvement
>  Components: Bootstrap & Build, Plugins and Lifecycle, POM
>Affects Versions: 3.3.3, 3.3.9
> Environment: All
>Reporter: Ryan J. McDonough
>Priority: Critical
>  Labels: security
> Fix For: needing-scrub-3.4.0-fallout
>
>





[jira] [Commented] (MNG-5992) Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2

2018-02-07 Thread Hudson (JIRA)

[ 
https://issues.apache.org/jira/browse/MNG-5992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16356595#comment-16356595
 ] 

Hudson commented on MNG-5992:
-

Build succeeded in Jenkins: Maven TLP (wip) » maven » master #33

See https://builds.apache.org/job/maven-wip/job/maven/job/master/33/

> Git passwords are exposed as the Super POM still uses Maven Release Plugin 
> 2.3.2
> 
>
> Key: MNG-5992
> URL: https://issues.apache.org/jira/browse/MNG-5992
> Project: Maven
>  Issue Type: Improvement
>  Components: Bootstrap & Build, Plugins and Lifecycle, POM
>Affects Versions: 3.3.3, 3.3.9
> Environment: All
>Reporter: Ryan J. McDonough
>Priority: Critical
>  Labels: security
> Fix For: needing-scrub-3.4.0-fallout
>
>





[jira] [Commented] (MNG-5992) Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2

2018-02-07 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/MNG-5992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16356576#comment-16356576
 ] 

ASF GitHub Bot commented on MNG-5992:
-

Github user asfgit closed the pull request at:

https://github.com/apache/maven/pull/152


> Git passwords are exposed as the Super POM still uses Maven Release Plugin 
> 2.3.2
> 
>
> Key: MNG-5992
> URL: https://issues.apache.org/jira/browse/MNG-5992
> Project: Maven
>  Issue Type: Improvement
>  Components: Bootstrap & Build, Plugins and Lifecycle, POM
>Affects Versions: 3.3.3, 3.3.9
> Environment: All
>Reporter: Ryan J. McDonough
>Priority: Critical
>  Labels: security
> Fix For: needing-scrub-3.4.0-fallout
>
>





[jira] [Commented] (MNG-5992) Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2

2018-01-07 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/MNG-5992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16315204#comment-16315204
 ] 

ASF GitHub Bot commented on MNG-5992:
-

GitHub user slachiewicz opened a pull request:

https://github.com/apache/maven/pull/152

[MNG-5992] Upgrade default version of maven-release-plugin to 2.5.3

Fix password printout to logs

Credit to: Ryan J. McDonough

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/slachiewicz/maven fix/MNG-5992-maven-release-plugin

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/maven/pull/152.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #152


commit 285158e1f76667eea2b92c17fe770b226c15e259
Author: Sylwester Lachiewicz 
Date:   2018-01-07T11:22:11Z

[MNG-5992] Upgrade default version of maven-release-plugin to 2.5.3

Fix password printout to logs

Credit to: Ryan J. McDonough




> Git passwords are exposed as the Super POM still uses Maven Release Plugin 
> 2.3.2
> 
>
> Key: MNG-5992
> URL: https://issues.apache.org/jira/browse/MNG-5992
> Project: Maven
>  Issue Type: Improvement
>  Components: Bootstrap & Build, Plugins and Lifecycle, POM
>Affects Versions: 3.3.3, 3.3.9
> Environment: All
>Reporter: Ryan J. McDonough
>Priority: Critical
>  Labels: security
> Fix For: needing-scrub-3.4.0-fallout
>
>





[jira] [Commented] (MNG-5992) Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2

2016-05-16 Thread Ryan J. McDonough (JIRA)

[ 
https://issues.apache.org/jira/browse/MNG-5992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15285755#comment-15285755
 ] 

Ryan J. McDonough commented on MNG-5992:


Of course. In my projects we're doing exactly that, but only after we started 
seeing this issue. But as you should be well aware, not every project inherits 
from a parent pom.xml, and not every project will assert explicit versions. 
While yes, best practices should remedy this, the defaults will put users 
at risk. 

More importantly, this issue is *not* exclusive to the 
{{maven-git-commit-id-plugin}}. If you look closer at the linked project on 
GitHub, you'd see exactly this. 
The Maven Release Plugin alone will happily print out your credentials in 
Maven's output when you use HTTPS Git URLs. Given how Jenkins, Cloudbees, 
TravisCI, etc. all display Maven's output as part of the build results, your 
credentials will be displayed right there. If you're talking about public 
projects that use public CI tools, you're at risk. 

It's easy to point blame at the user for not following best practices, but most 
users will obliviously use the defaults. It'd be great if the defaults could 
use the safest options available. 

> Git passwords are exposed as the Super POM still uses Maven Release Plugin 
> 2.3.2
> 
>
> Key: MNG-5992
> URL: https://issues.apache.org/jira/browse/MNG-5992
> Project: Maven
>  Issue Type: Improvement
>  Components: Bootstrap & Build, Plugins and Lifecycle, POM
>Affects Versions: 3.3.3, 3.3.9
> Environment: All
>Reporter: Ryan J. McDonough
>Priority: Critical
>  Labels: security
> Fix For: waiting-for-feedback
>
>





[jira] [Commented] (MNG-5992) Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2

2016-03-28 Thread Karl Heinz Marbaise (JIRA)

[ 
https://issues.apache.org/jira/browse/MNG-5992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15213982#comment-15213982
 ] 

Karl Heinz Marbaise commented on MNG-5992:
--

Why haven't you defined the maven-release-plugin version in your pom via 
pluginManagement? Or better, in your corporate/organization pom. Furthermore, if 
the maven-git-commit-id-plugin saves all the information including the password, 
where I think only the git hash is necessary, which can simply be achieved by 
using the buildnumber-maven-plugin ...

> Git passwords are exposed as the Super POM still uses Maven Release Plugin 
> 2.3.2
> 
>
> Key: MNG-5992
> URL: https://issues.apache.org/jira/browse/MNG-5992
> Project: Maven
>  Issue Type: Improvement
>  Components: Bootstrap & Build, Plugins and Lifecycle, POM
>Affects Versions: 3.3.3, 3.3.9
> Environment: All
>Reporter: Ryan J. McDonough
>Priority: Critical
>  Labels: security
>


