user password should not be logged in the imperative.log when the command fails

[patricktiu]

Describe the bug The user password is logged in the imperative.log if the command fails. For example, if the server is down and you are trying to run a command with the --user and --password option. The imperative.log logs the command with both the user id and password.

Expected and actual results In the imperative log, the user id and the password should be masked out.

Steps to reproduce the problem

1. stop your zosmf server or disconnect your computer from the network
2. run this command: zowe ssh iss cmd ls --user myUserId --password myPassword
3. check the imperative.log and you will see the failed command is being logged. The password and the user id are logged in clear text.

   [2024/06/11 11:49:26.633] [ERROR] [CommandProcessor.js:932] Handler for command "command" failed.
   [2024/06/11 11:49:26.634] [ERROR] [CommandProcessor.js:935] Diagnostic information:
   Platform: 'darwin', Architecture: 'arm64', Process.argv: '/opt/homebrew/Cellar/node/21.2.0/bin/node /opt/homebrew/bin/zowe ssh iss cmd ls --user myUserId --password myPassword'
   Node versions: '{
   "node": "21.2.0",
   "acorn": "8.11.2",
   "ada": "2.7.2",
   "ares": "1.21.0",
   "base64": "0.5.1",
   "brotli": "1.1.0",
   "cjs_module_lexer": "1.2.2",

[github-actions[bot]]

Thank you for creating a bug report. We will investigate the bug and evaluate its impact on the product. If you haven't already, please ensure you have provided steps to reproduce the bug and as much context as possible.

[t1m0thyj]

Hello @patricktiu! If the user and password are passed directly on the command line, then there is inherent insecurity because anyone who sees your terminal session can see the credentials in plain text.

There are some alternative ways to provide credentials to Zowe CLI that are more secure:

• If you have Zowe client configuration set up and your environment has the OS keyring unlocked, you can run zowe config secure to store user and password properties securely.
• If you prefer to provide user and password the command line, you can specify --user prompt* --password prompt* and Zowe CLI will securely prompt you to enter the values.
• If you have a pipeline where user interaction is not possible, you can define user and password as environment variables ZOWE_OPT_USER and ZOWE_OPT_PASSWORD which Zowe CLI will use.

[patricktiu]

@t1m0thyj, Your suggestion to hide the password is acceptable. Thank You!