jfrog / artifactory-maven-plugin

A Maven plugin to resolve artifacts from Artifactory, deploy artifacts to Artifactory, capture and publish build info.
https://www.jfrog.com/confluence/display/JFROG/Maven+Artifactory+Plugin
Apache License 2.0

Build info includes username and password #55

Closed dg424 closed 1 year ago

dg424 commented 1 year ago

How can we help?

Hi,

I'm running the sample from here - https://github.com/jfrog/project-examples/tree/master/artifactory-maven-plugin-example. The big problem is that the username/password in the pom and settings.xml files are being stored in the buildinfo within Artifactory. Is there a way to exclude username and password from all fields in Artifactory's build info json?

To be clear, I exported username and password variables in the environment and ran the sample, which read the values and published to Artifactory correctly. But as mentioned, the problem is that the credentials from the environment are included in the buildinfo json. So, this should be easy to reproduce:

$ export username=x
$ export password=y
$ /art-build-deploy.sh 1

Check the buildinfo json in Artifactory and you will see both x and y from above in the data! The pom.xml exclude section contains these as well:

<artifactory>
    <includeEnvVars>true</includeEnvVars>
    <envVarsExcludePatterns>*username*,*password*,*secret*,*key*,*token*,*passphrase*</envVarsExcludePatterns>
    <timeoutSec>60</timeoutSec>
</artifactory>

BuildInfo JSON with username and password:

    "modules": [{
        "properties": {
            "maven.compiler.target": "1.8",
            "password": "x",
            "maven.compiler.source": "1.8",
            "project.build.sourceEncoding": "UTF-8",
            "username": "y"
        },

Looks like the problem is fixed in the Jenkins plugin? -- https://github.com/jfrog/jenkins-artifactory-plugin/commit/901b549459f5c97e45da5f47e42cd2ea978a9947

Or-Geva commented 1 year ago

Hey @dg424, artifactory-maven-plugin v3.5.2 is released and includes a fix for this issue. Feel free to share your feedback here.

dg424 commented 1 year ago

Hey @dg424, artifactory-maven-plugin v3.5.2 is released and includes a fix for this issue. Feel free to share your feedback here.

Thank you so much! Will try it out.

dg424 commented 1 year ago

Tested - it works. Thanks

Or-Geva commented 1 year ago

Thank you so much @dg424 for the fast response 🚀. If you would like to close the issue, please do so.

marcandre-larochelle commented 1 year ago

@Or-Geva What about filtering passwords from pom.xml and settings.xml? Thanks

Or-Geva commented 1 year ago

@marcandre-larochelle-bell, filtering properties from pom.xml and settings.xml is also supported.

marcandre-larochelle commented 1 year ago

@Or-Geva It should be done through which configuration? I tried the 3 configuration properties with "excluded" in their name and none was filtering a pattern with *password* (I tried variations of the format as well); the password was always published along with the buildinfo. (with plugin v3.5.2)

Or-Geva commented 1 year ago

@marcandre-larochelle-bell, using the 'envVarsExcludePatterns' configuration should exclude environment variables and other properties such as settings.xml properties. Could you share a small example that reproduces your issue?

marcandre-larochelle commented 1 year ago

@Or-Geva In my settings.xml I have a property named artifactory.username and artifactory.password (within the modules' properties)

<plugin>
  <groupId>org.jfrog.buildinfo</groupId>
  <artifactId>artifactory-maven-plugin</artifactId>
  <version>3.5.2</version>
  <inherited>true</inherited>
  <executions>
    <execution>
      <id>build-info</id>
      <goals>
        <goal>publish</goal>
      </goals>
      <configuration>
        <artifactory>
          <envVarsExcludePatterns>*password*</envVarsExcludePatterns>
        </artifactory>
        <publisher>
          <contextUrl>${repository.basePath}</contextUrl>
          <username>${artifactory.username}</username>
          <password>${artifactory.password}</password>
          <repoKey>${repository.releasesRepoName}</repoKey>
          <snapshotRepoKey>${repository.snapshotsRepoName}</snapshotRepoKey>
          <publishBuildInfo>true</publishBuildInfo>
          <recordAllDependencies>true</recordAllDependencies>
        </publisher>
        <buildInfo>
          <project>${repository.project}</project>
        </buildInfo>
      </configuration>
    </execution>
  </executions>
</plugin>

Then just run mvn deploy -> the Build Info JSON in Artifactory ends up with the password
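The checks below are an added example, not code from the artifactory-maven-plugin: they apply a comma-separated wildcard exclude list in the same syntax as envVarsExcludePatterns to both the top-level build properties (environment variables, as in the first report) and each module's properties (pom/settings.xml, as in this one), and scan a constructed build-info document for keys that should have been scrubbed. The build-info layout is a trimmed version of the JSON shown in this thread; all sample values are made up.

```python
import fnmatch
import json

# Constructed sample: a trimmed build-info document shaped like the one in
# this thread, with credentials in both the env and module property sections.
SAMPLE_BUILD_INFO = json.dumps({
    "name": "example-build",
    "number": "1",
    "properties": {
        "buildInfo.env.JAVA_HOME": "/usr/lib/jvm/java-11",
        "buildInfo.env.password": "y",
    },
    "modules": [{
        "id": "org.example:app:1.0",
        "properties": {
            "maven.compiler.target": "1.8",
            "artifactory.password": "hunter2",
            "artifactory.username": "deployer",
            "project.build.sourceEncoding": "UTF-8",
        },
    }],
})

# Same comma-separated wildcard syntax as <envVarsExcludePatterns> above.
EXCLUDE_PATTERNS = "*username*,*password*,*secret*,*key*,*token*,*passphrase*"


def matches_any(key: str, patterns: str) -> bool:
    """Case-insensitive wildcard match of a property key against the list."""
    return any(fnmatch.fnmatchcase(key.lower(), p.strip().lower())
               for p in patterns.split(",") if p.strip())


def scrub(props: dict, patterns: str) -> dict:
    """Return a copy of props with every key matching the patterns dropped."""
    return {k: v for k, v in props.items() if not matches_any(k, patterns)}


def find_leaked_keys(build_info_json: str, patterns: str) -> list:
    """List 'where:key' for every property the patterns should have removed.

    Covers the build-level properties (env vars) and each module's properties
    (pom/settings.xml), i.e. both places this thread shows credentials leaking.
    """
    doc = json.loads(build_info_json)
    leaked = [f"build:{k}" for k in doc.get("properties", {})
              if matches_any(k, patterns)]
    for module in doc.get("modules", []):
        leaked += [f"{module.get('id', '?')}:{k}"
                   for k in module.get("properties", {})
                   if matches_any(k, patterns)]
    return leaked
```

Running find_leaked_keys against the build-info JSON Artifactory actually stored is a quick way to confirm, after upgrading, that neither the env nor the module section still carries a credential key.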

Or-Geva commented 1 year ago

Thanks for the feedback @marcandre-larochelle-bell, I have opened a fix PR. I will post an update here as soon as it is released.

Or-Geva commented 1 year ago

@marcandre-larochelle-bell, artifactory-maven-plugin v3.5.3 is released and includes the fix.

marcandre-larochelle commented 1 year ago

@Or-Geva Can confirm, now works properly, thanks a lot for the quick work!

marcandre-larochelle commented 1 year ago

Somewhat related, do the include patterns have precedence over the exclude patterns?

Say I want to exclude everything with *token*, but I would like to include a very specific one, client-token; would using both the include and exclude patterns with those values allow me to do this?

Thanks