While doing a maven-release using the Jenkins-m2-release plugin, the build job creates a release.properties file which displays SCM connection information such as the URL to connect to, the location of the tags in svn, the user name to connect with, the password to connect with, etc. This file gets generated under the Jenkins WORKSPACE directory as soon as the user schedules a maven release build. One of the biggest security concerns with this file is that it displays the value of scm.password in clear text. In case of a passed build this file is cleaned up from the workspace after the release is complete. If the build fails, the file remains in the Jenkins workspace and can be accessed by any admin user on the server. According to the Jenkins community this issue is supposed to be fixed in the latest M2 release plugin https://wiki.jenkins-ci.org/display/JENKINS/M2+Release+Plugin , however we still see the issue in our Jenkins servers. (Please find our server configuration below.)
- Jenkins version: 1.532.1
- Maven : 2.2.1 / 3.0.5
- SCM : subversion
- M2-release plugin: 0.14.0
I tried the following workarounds and none of them seem to be working:
- Used the masked password plugin to mask my scm password and passed it as a parameter for the mvn release goal (it failed to authenticate; it reads the variable as the password instead of reading the value).
- Tried changing permissions of the Jenkins WORKSPACE directory using chmod 700 -R ${WORKSPACE} (that didn't work either, because the admin user and the user running the build are different).
One of the posts mentioned using maven encryption to encrypt the password and adding it to the settings.xml file to access the servers. This will not work for us because multiple (independent) teams share the same svn server.
I am looking for other ideas to overcome this security risk.
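One mitigation for the failure case described above, as an added example that is not part of the original post or of the M2 release plugin: a post-build step that redacts the scm.password entry from any release.properties left in the workspace (keeping the rest of the file for a later resume) and a check that fails the build if a clear-text password still remains. The directory layout and the property values are constructed for the demonstration.

```shell
#!/bin/sh
# redact_release_props <dir>
#   Rewrites every release.properties under <dir>, replacing the value of
#   scm.password with the marker REDACTED. Echoes the number of files changed.
#   Paths containing whitespace are not handled by the for loop (demo only).
redact_release_props() {
    count=0
    for f in $(find "$1" -name release.properties -type f 2>/dev/null); do
        if grep -q '^scm\.password=' "$f"; then
            # sed -i differs between GNU and BSD, so write through a temp file
            sed 's/^scm\.password=.*/scm.password=REDACTED/' "$f" > "$f.tmp" \
                && mv "$f.tmp" "$f"
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# leaks_password <dir>
#   Returns 0 (true) if any release.properties under <dir> still carries a
#   scm.password value other than the REDACTED marker; suitable for a
#   post-build step that should fail the job instead of leaving the secret.
leaks_password() {
    for f in $(find "$1" -name release.properties -type f 2>/dev/null); do
        grep '^scm\.password=' "$f" | grep -qv '^scm\.password=REDACTED$' && return 0
    done
    return 1
}

# demo_workspace
#   Creates a throwaway workspace holding a constructed release.properties
#   (keys modelled on what maven-release-plugin writes; values are fake).
demo_workspace() {
    ws=$(mktemp -d)
    mkdir -p "$ws/job1"
    cat > "$ws/job1/release.properties" <<'EOF'
#release configuration
scm.url=scm:svn:https://svn.example.invalid/repos/project/trunk
scm.tagBase=https://svn.example.invalid/repos/project/tags
scm.tag=project-1.2.0
scm.username=buildbot
scm.password=constructed-secret-value
EOF
    echo "$ws"
}

# Stand-alone run: build the sample workspace, redact it and report the result.
ws=$(demo_workspace)
echo "redacted $(redact_release_props "$ws") file(s) under $ws"
leaks_password "$ws" && echo "clear-text scm.password still present" || echo "workspace clean"
```

In a Jenkins job this would run as a post-build shell step with `$WORKSPACE` in place of the demo directory.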