SVN passwords leaked into maven log #96

Closed
llech opened this issue Oct 28, 2019 · 5 comments
llech commented Oct 28, 2019

The SVN passwords are leaked into the log in version 1.4.

My plugin configuration:

org.codehaus.mojo buildnumber-maven-plugin validate create false true

The log content:

[INFO] --- buildnumber-maven-plugin:1.4:create (default) @ project ---
[INFO] Executing: /bin/sh -c cd '/home/build/tmp/project' && 'svn' '--username' 'svn-user' '--password''*****' '' '--no-auth-cache' '--non-interactive' 'update' '/home/build/tmp/project'

Runtime environment: JRE 1.8, Ubuntu 18.04, script run inside docker image. Maven flags: -B (batch-mode).

The bug was introduced in 1.4; downgrading to 1.3 solved the issue.
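A log check from the defender's side, added here as an example and not code from the issue or from the plugin: it parses the plugin's `Executing:` lines (the sample log is constructed in the shape of the one reported above, with a placeholder value standing in for a real password), reports whether any `--password` argument reached the log unmasked, and returns a redacted copy of each line. It handles both the separate-argument form and the fused `'--password''value'` form that the reported line shows.

```python
import re
import shlex

# Constructed sample log: line 2 is the reporter's (already masked) line,
# line 3 is a constructed line whose value stands in for a real password.
SAMPLE_LOG = """\
[INFO] --- buildnumber-maven-plugin:1.4:create (default) @ project ---
[INFO] Executing: /bin/sh -c cd '/home/build/tmp/project' && 'svn' '--username' 'svn-user' '--password''*****' '' '--no-auth-cache' '--non-interactive' 'update' '/home/build/tmp/project'
[INFO] Executing: /bin/sh -c cd '/home/build/tmp/project' && 'svn' '--username' 'svn-user' '--password' 'CONSTRUCTED-PLACEHOLDER' '--non-interactive' 'info' '/home/build/tmp/project'
"""

EXEC_RE = re.compile(r"^(\[INFO\] Executing: )(.*)$")
SECRET_FLAGS = ("--password",)  # svn; add other SCM clients' flags if needed
MASK = "*****"

def redact_command(cmd):
    """Tokenise a logged shell command and mask every password argument.
    Returns (leaked, redacted_cmd); leaked is False if the value was
    already masked, as in the reporter's line."""
    out, leaked, expect_value = [], False, False
    for tok in shlex.split(cmd):
        if expect_value:                      # value after a bare --password
            leaked = leaked or tok != MASK
            out.append(MASK)
            expect_value = False
        elif tok in SECRET_FLAGS:
            out.append(tok)
            expect_value = True
        else:
            # Fused forms: '--password=secret', or '--password''secret'
            # which shlex joins into a single token.
            flag = next((f for f in SECRET_FLAGS if tok.startswith(f)), None)
            if flag is None:
                out.append(tok)
                continue
            value = tok[len(flag):].lstrip("=")
            leaked = leaked or value != MASK
            out.append(flag + "=" + MASK)
    return leaked, " ".join(shlex.quote(t) for t in out)

def scan_maven_log(text):
    """Return (line_no, leaked, redacted_line) for every 'Executing:' line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = EXEC_RE.match(line)
        if m:
            leaked, cmd = redact_command(m.group(2))
            findings.append((n, leaked, m.group(1) + cmd))
    return findings
```

Run `scan_maven_log` over a captured build log before it is archived or shared; a `leaked=True` finding means the credential must be treated as exposed and rotated.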

gerevesi commented Feb 3, 2021

This also happens to me when using version 1.4, although it only happens to some of our team members.
While analyzing the differences, we noticed that this only happens when the password has been set in maven's settings.xml file.
In my case, the password is NOT in plaintext (I'm using password encryption as described here).

llech (Author) commented Feb 3, 2021

I've changed to an even better solution: not using that plugin at all.

Apparently the developers don't care about security. How many other bugs do you introduce into your build pipeline by using such a plugin, which actually provides no important functionality?

bmarwell (Contributor) commented Feb 7, 2021

Hi @llech,
thanks for bringing this to our attention.
The main communication channel is the mailing list, but you're also welcome to create a PR yourself.

In contrast to Apache software, the mojohaus software is not being maintained under the oversight of a foundation, but most developers are also Apache committers.

I'll see what can be done here, though.

Best regards,
Ben

bmarwell (Contributor) commented Feb 7, 2021

@llech @gerevesi I found this commit:
apache/maven-scm@60d9884

Maybe this plugin just needs an update.

@dantran dantran closed this as completed in 8f8e5b2 Feb 7, 2021
@dantran dantran added this to the 3.0.0 milestone Feb 8, 2021
bmarwell (Contributor) commented Feb 8, 2021

@llech please try the current 3.0.0-SNAPSHOT revision which @dantran has released.
