ODS 2.x - Nexus password in plain text at the $JenkinsLog on a quickstarter build

[borja44]

ODS 2.x - Security bug. A password in plain text during the execution of a Jenkins quickstarter build. (all quickstarters builds the password).

Log output here...

[Pipeline] stage
[Pipeline] { (odsPipeline start)
[Pipeline] sh (getting ODS shared lib version)
[workspace] Running shell script
+ env
+ grep library.ods-jenkins-shared-library.version
+ cut -d= -f2
[Pipeline] sh (getting GIT url)
[workspace] Running shell script
+ git config --get remote.origin.url
[Pipeline] sh (getting GIT branch to build)
[workspace] Running shell script
+ oc get bc/april-spring-master -n whatever-cd -o 'jsonpath={.spec.source.git.ref}'
[Pipeline] sh (getting GIT commit)
[workspace] Running shell script
+ git rev-parse HEAD
[Pipeline] sh (getting GIT commit author)
[workspace] Running shell script
+ git --no-pager show -s '--format=%an (%ae)' HEAD
[Pipeline] sh (getting GIT commit message)
[workspace] Running shell script
+ git log -1 --pretty=%B HEAD
[Pipeline] sh (getting GIT commit date/time)
[workspace] Running shell script
+ git show -s --format=%ci HEAD
[Pipeline] echo
Assembled configuration: [image:docker-registry.cd/jenkins-slave-maven:2.x, 
projectId:whatever, componentId:april-spring, 
branchToEnvironmentMapping:[master:dev], 
localCheckoutEnabled:true, jobName:whatever-cd/whatever-cd-april-spring-master, 
buildNumber:1, buildUrl:https://jenkins-whatever-cd.mydomain.com.randomcompany.com/job/whatever-cd/job/whatever-cd-april-spring-master/1/, 
buildTime:Fri Apr 24 19:41:15 UTC 2020, 
nexusHost:https://nexus-repository-infra.mydomain.com.randomcompany.com, 
**nexusUsername:whoever, **nexusPassword:xxxxxxxxxxxxxxxxxxxxxxx**,** 

openshiftHost:https://openshift.default.svc.cluster.local, bitbucketHost:bitbucket.company.com, odsSharedLibVersion:2.x,

[michaelsauter]

This is fixed in master via #211. Ok to close? Or should we back port to 2.x?

[clemensutschig]

this only happens ins debug mode -or?

[michaelsauter]

@clemensutschig In master yes, in 2.x also in info mode.

[segator]

This need to be ported to 2.x, is a huge security issue

[clemensutschig]

not fixed on master (if in debug mode) - context.toString

[stitakis]

@michaelsauter I assume because the title is ODS 2.x, that yes, it needs to be ported to 2.x.
So, we need to get this fixed asap:

• what is the status of this?
• to whom is this assigned?

[michaelsauter]

OK. Let's backport this for 2.x. @renedupont Can you help there? I guess applying/testing what you did on master back then should work.

I can make sure this is fixed on master as I'm doing testing there anyway.

[stitakis]

@michaelsauter as @clemensutschig commented this is not fixed if logging level is set to debug. ('logger.debug "Assembled configuration: ${config}") We need a different solution... brainstorming now... maybe a method override of config.toString()that mask sensible variables with*****` could work. Thou maybe there is a more simpler solution for this. btw... who is looking at this? (asking because there is currently no developer assigned to this ticket)

[clemensutschig]

@stitakis / @borja44 - not sure why we are discussing endlessly about a 2 line fix .. I'll do it now! - grrrrr!

[stitakis]

@martsec fyi!