JetBrains / TeamCity.SonarQubePlugin

A plugin for TeamCity server allowing you to configure and run SonarQube analysis from the CI
Apache License 2.0

Critical Security Issues #9

Closed. ghost closed this issue 9 years ago.

ghost commented 9 years ago

I was hoping that with this plugin I could avoid using Gradle's and Maven's global gradle.properties and pom.xml, respectively, on each of my agents. My hopes were that this plugin would provide a single point of configuration, as well as the potential to clear up potential security risks with using a build tool.

Unfortunately, there is no password security built into this plugin.

The passwords are not hidden/obfuscated from users, allowing any user with the edit project permissions to view my credentials for sonar. Not only are my sonar credentials available in plain text, but database credentials are as well.

Additionally, any user who has access to view the build logs can view, in plain text, the username and password for, again, both sonar and the database. These credentials are passed as plain-text Java parameters.

This is a critical security flaw, and problematic for all users who use this plugin in any environment other than a personal one.
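The two failure modes reported above (credentials echoed as `-Dsonar.*=...` JVM parameters into the build log, and credential values readable by anyone who can see the configuration) can be checked and mitigated independently of TeamCity's own password-parameter support. The following is an added example, not code from the TeamCity.SonarQubePlugin project: it masks secret-bearing arguments before a command line is logged, masks `key=value` secrets in log lines that have already been written, and scans a build log for known secret values as a detection check. The set of sensitive property names and the sample command line are assumptions constructed for the example.

```python
import re
import shlex

MASK = "*****"
# Constructed set of parameter names whose values must never reach a log.
# sonar.password / sonar.jdbc.password / sonar.login are classic sonar-runner
# properties; the set itself is an assumption for this example, not the
# plugin's own configuration.
SENSITIVE_KEYS = {"sonar.password", "sonar.jdbc.password", "sonar.login"}
SENSITIVE_HINTS = ("password", "passwd", "secret", "token")


def is_sensitive(key: str) -> bool:
    """A key is sensitive if it is explicitly listed or its name hints at a secret."""
    k = key.lower()
    return k in SENSITIVE_KEYS or any(h in k for h in SENSITIVE_HINTS)


# prefix (-D, -- or -), key, optional '=', remainder
_ARG = re.compile(r"^(-D|--|-)([^=\s]+)(=?)(.*)$", re.S)


def redact_args(args):
    """Return a copy of an argument vector with secret values masked.

    Handles the JVM system-property form -Dkey=value (how sonar-runner
    receives its settings), --key=value, and the split form --key value."""
    out, mask_next = [], False
    for arg in args:
        if mask_next:               # previous token was a bare sensitive flag
            out.append(MASK)
            mask_next = False
            continue
        m = _ARG.match(arg)
        if m and is_sensitive(m.group(2)):
            prefix, key, eq, _value = m.groups()
            if eq:
                out.append(f"{prefix}{key}={MASK}")
            else:
                out.append(arg)     # the value is the next token
                mask_next = True
            continue
        out.append(arg)
    return out


# key=value where the key contains a secret hint (or is sonar.login)
_KV_IN_TEXT = re.compile(
    r"(?i)\b([\w.\-]*(?:password|passwd|secret|token|sonar\.login)[\w.\-]*)=([^\s'\",;]+)"
)


def redact_log_line(line: str) -> str:
    """Mask key=value secrets that were already written into a log line."""
    return _KV_IN_TEXT.sub(lambda m: f"{m.group(1)}={MASK}", line)


def leaked_secrets(text: str, secrets):
    """Detection check: return the known secret values that appear verbatim in text
    (for example, when scanning a finished build log)."""
    return sorted(s for s in secrets if s and s in text)


if __name__ == "__main__":
    # Constructed sonar-runner command line, as a CI plugin might log it.
    cmd = ("java -Dsonar.host.url=http://sonar.example.test:9000 "
           "-Dsonar.login=admin -Dsonar.password=Hunter2 "
           "-Dsonar.jdbc.username=sonar -Dsonar.jdbc.password=DbPa55 "
           "-jar sonar-runner.jar")
    print(" ".join(redact_args(shlex.split(cmd))))
    print("leaked before redaction:", leaked_secrets(cmd, ["Hunter2", "DbPa55"]))
    print("leaked after redaction: ",
          leaked_secrets(redact_log_line(cmd), ["Hunter2", "DbPa55"]))
```

`redact_args` is the form a plugin would apply at the point where it builds the process command line, before handing it to the logger; `leaked_secrets` is the after-the-fact check an administrator can run over a build log to confirm whether the values configured for the build actually appear in it.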

Linfar commented 9 years ago

Please update the plugin