Posted to issues@maven.apache.org by "Karl Heinz Marbaise (JIRA)" <ji...@apache.org> on 2016/05/16 18:40:13 UTC

[jira] [Updated] (MNG-5992) Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2

     [ https://issues.apache.org/jira/browse/MNG-5992?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Karl Heinz Marbaise updated MNG-5992:
-------------------------------------
    Fix Version/s: waiting-for-feedback

> Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2
> --------------------------------------------------------------------------------
>
>                 Key: MNG-5992
>                 URL: https://issues.apache.org/jira/browse/MNG-5992
>             Project: Maven
>          Issue Type: Improvement
>          Components: Bootstrap & Build, Plugins and Lifecycle, POM
>    Affects Versions: 3.3.3, 3.3.9
>         Environment: All
>            Reporter: Ryan J. McDonough
>            Priority: Critical
>              Labels: security
>             Fix For: waiting-for-feedback
>
>
> The super POM defines version 2.3.2 of the Maven Release plugin. When using HTTP/HTTPS Git SCM URIs, Maven will print out the password in the logs. Thus, any CI system such as Jenkins, TravisCI, etc. will have the passwords exposed in the logs and in the console output. In the case of TravisCI, this will be publicly visible.
> The [Maven Release Plugin fixed this issue in MRELEASE-846|https://issues.apache.org/jira/browse/MRELEASE-846], but Maven core is still pointing at an exposed version of the Maven Release plugin. I have a test case that demonstrates the issue here:
> https://github.com/damnhandy/maven-publish-issue
> If you run the same build and explicitly define 2.5.3, the password is no longer displayed. This should be the default. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
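The workaround the report describes (explicitly declaring release plugin 2.5.3 so that the 2.3.2 inherited from the Super POM is no longer used) looks like the following in a project POM. This is an added example, not the reporter's test project or anything from Maven core; the group/artifact ids and the SCM host are placeholders.

```xml
<!-- Added example (not from MNG-5992 or the reporter's test project):
     pin maven-release-plugin 2.5.3 in pluginManagement so the version
     fixed under MRELEASE-846 is used instead of the 2.3.2 that Maven
     3.3.x inherits from the Super POM. Coordinates and the SCM URL
     below are illustrative placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
                             http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>example-app</artifactId>
  <version>1.0.0-SNAPSHOT</version>

  <scm>
    <!-- HTTP(S) SCM URLs without embedded credentials; the username and
         password belong in a settings.xml <server> entry or the CI
         credential store, never in the POM that gets committed. -->
    <connection>scm:git:https://git.example.com/example/example-app.git</connection>
    <developerConnection>scm:git:https://git.example.com/example/example-app.git</developerConnection>
    <tag>HEAD</tag>
  </scm>

  <build>
    <pluginManagement>
      <plugins>
        <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-release-plugin</artifactId>
          <!-- A version declared here takes precedence over the
               Super POM's pluginManagement entry (2.3.2). -->
          <version>2.5.3</version>
        </plugin>
      </plugins>
    </pluginManagement>
  </build>
</project>
```

To confirm which version a build will actually run before a release, inspect the effective POM (`mvn help:effective-pom`) and check the `maven-release-plugin` entry; if it still reads 2.3.2, the override is not being inherited by that module. The same check is worth adding to a CI pipeline so a parent POM change cannot silently reintroduce the old version.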