Posted to issues@maven.apache.org by "Ryan J. McDonough (JIRA)" <ji...@apache.org> on 2016/05/17 00:51:12 UTC

[jira] [Comment Edited] (MNG-5992) Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2

    [ https://issues.apache.org/jira/browse/MNG-5992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15285755#comment-15285755 ] 

Ryan J. McDonough edited comment on MNG-5992 at 5/17/16 12:50 AM:
------------------------------------------------------------------

Of course. In my projects we're doing exactly that, but only after we started seeing this issue. But as you should be well aware, not every project inherits from a parent pom.xml, and not every project will assert explicit versions. While, yes, best practices should remedy this, the defaults will put users at risk. 

More importantly, this issue is *not* exclusive to the {{maven-git-commit-id-plugin}}. If you look closer at the linked project on GitHub, you'd see exactly this. The Maven Release Plugin alone will happily print out your credentials in Maven's output when you use HTTPS Git URLs. Given how Jenkins, Cloudbees, TravisCI, etc. all display Maven's output as part of the build results, your credentials will be displayed right there. If you're talking about public projects that use public CI tools, you're at risk. 

It's easy to point blame at the user for not following best practices, but most users will obliviously use the defaults. It'd be great if the defaults could use the safest options available. 


was (Author: damnhandy):
Of course. In my projects we're doing exactly that, but only after we started seeing this issue. But as you should be well aware, not every project inherits from a parent pom.xml, and not every project will assert explicit versions. While, yes, best practices should remedy this, the defaults will put users at risk. 

More importantly, this issue is *not* exclusive to the {{maven-git-commit-id-plugin}}. If you look closer at the linked project on GitHub, you'd see exactly this. 
The Maven Release Plugin alone will happily print out your credentials in Maven's output when you use HTTPS Git URLs. Given how Jenkins, Cloudbees, TravisCI, etc. all display Maven's output as part of the build results, your credentials will be displayed right there. If you're talking about public projects that use public CI tools, you're at risk. 

It's easy to point blame at the user for not following best practices, but most users will obliviously use the defaults. It'd be great if the defaults could use the safest options available. 

> Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2
> --------------------------------------------------------------------------------
>
>                 Key: MNG-5992
>                 URL: https://issues.apache.org/jira/browse/MNG-5992
>             Project: Maven
>          Issue Type: Improvement
>          Components: Bootstrap & Build, Plugins and Lifecycle, POM
>    Affects Versions: 3.3.3, 3.3.9
>         Environment: All
>            Reporter: Ryan J. McDonough
>            Priority: Critical
>              Labels: security
>             Fix For: waiting-for-feedback
>
>
> The super POM defines version 2.3.2 of the Maven Release plugin. When using HTTP/HTTPS Git SCM URIs, Maven will print out the password in the logs. Thus, any CI system such as Jenkins, TravisCI, etc. will have the passwords exposed in the logs and in the console output. In the case of TravisCI, this will be publicly visible. 
> The [Maven Release Plugin fixed this issue in MRELEASE-846|https://issues.apache.org/jira/browse/MRELEASE-846], but Maven core is still pointing at an exposed version of the Maven Release plugin. I have a test case that demonstrates the issue here:
> https://github.com/damnhandy/maven-publish-issue
> If you run the same build and explicitly define 2.5.3, the password is no longer displayed. This should be the default. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
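The leak the issue describes is an SCM URL with embedded userinfo (user:password@host) echoed into the build console. The following scanner is an added example, not code from Maven or the reporter's test project: it detects such URLs in log text and redacts the password, so a CI job can check its own output. The sample log lines are constructed to resemble release-plugin output, not real captured output.

```python
"""Detect and redact credentials embedded in Git/SCM URLs that leak into build logs."""
import re
from urllib.parse import urlsplit

# A URL whose authority carries userinfo: scheme://user[:password]@host...
_URL_WITH_USERINFO = re.compile(
    r"(?P<scheme>[a-z][a-z0-9+.-]*)://(?P<userinfo>[^/\s@]+)@(?P<rest>[^\s'\"]+)",
    re.IGNORECASE,
)


def url_has_credentials(url: str) -> bool:
    """True if the URL embeds a non-empty password in its authority component."""
    return bool(urlsplit(url).password)


def redact_line(line: str) -> str:
    """Replace user:password@ with user:***@; a bare username is left alone."""
    def _sub(m: re.Match) -> str:
        user, sep, _pw = m.group("userinfo").partition(":")
        if not sep:
            return m.group(0)  # username only, nothing secret to hide
        return f"{m.group('scheme')}://{user}:***@{m.group('rest')}"
    return _URL_WITH_USERINFO.sub(_sub, line)


def scan_log(text: str):
    """Return (redacted_text, line_numbers) where line_numbers are 1-based lines that leaked a password."""
    out, findings = [], []
    for i, line in enumerate(text.splitlines(), 1):
        redacted = redact_line(line)
        if redacted != line:
            findings.append(i)
        out.append(redacted)
    return "\n".join(out), findings


# Constructed sample: what a console shows when an HTTPS SCM URL with credentials is echoed.
SAMPLE_LOG = """[INFO] --- maven-release-plugin:2.3.2:prepare (default-cli) @ demo ---
[INFO] Executing: /bin/sh -c cd /work/demo && git push https://ci-user:hunter2@github.com/example/demo.git master
[INFO] Working directory: /work/demo
[INFO] Executing: /bin/sh -c cd /work/demo && git push https://ci-user:hunter2@github.com/example/demo.git refs/tags/demo-1.0.0
[INFO] BUILD SUCCESS"""

if __name__ == "__main__":
    redacted, hits = scan_log(SAMPLE_LOG)
    print(redacted)
    print("lines with leaked credentials:", hits)  # [2, 4]
```

Running it over a real CI log is a cheap post-build check; failing the job when `scan_log` reports any line is one way to catch an unpinned release plugin before the log is published.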