When a script with a Maven goal is executed, the password appears in clear text in the Bamboo build logs.
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
When a script task inside a Bamboo plan runs the Maven release:prepare goal and the git push command fails, the password credentials are shown as plain text in the Bamboo build logs.
Environment
Maven version below 1.9.5 with maven-release-plugin:2.5.3 and any supported version of Bamboo.
Diagnosis
- Execute a script task in a Bamboo plan with an inline body such as mvn release:prepare -Dusername=myuser -Dpassword=mypassword.
If the git push command fails, the password appears as plain text in the build logs, as shown below:
build 20-FEB-2023 15:56:45 error: failed to push some refs to 'https://myuser:mypassword@bitbucket.XYZ.com/scm/BAM/Test.git'
This issue was reported in the Maven SCM improvement request: SCM-811 m2 release plugin shows SCM git password if fatal occurred during git push.
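To check whether a build log already contains this kind of leak, the following added example (not part of the original article or of Bamboo or Maven) scans log text for URLs of the form scheme://user:password@host and prints the matching lines with the password masked. The function names and the sample log lines are constructed for illustration; the second sample line is the one shown above.

```shell
#!/bin/sh
# Added example: find and mask credentials embedded in URLs in build log text.
# Assumption: the secret appears as scheme://user:password@host, as in the
# failed "git push" line above, and contains no '/', '@' or whitespace.
SCHEME_USER='[A-Za-z][A-Za-z0-9+.-]*://[^/:@[:space:]]+'
SECRET='[^/@[:space:]]+'

# Filter: copy stdin to stdout with the password part of any URL masked.
redact_url_credentials() {
    sed -E "s#(${SCHEME_USER}):${SECRET}@#\1:****@#g"
}

# Read log text on stdin and print "LINE_NUMBER:redacted line" for every
# line that carries URL credentials. Returns 0 if a leak was found, 1 if clean.
find_url_credentials() {
    hits=$(grep -nE "${SCHEME_USER}:${SECRET}@") || return 1
    printf '%s\n' "$hits" | redact_url_credentials
}

# Constructed sample log: a URL with a port but no credentials, the leaking
# line from this article, and an e-mail address that must not be flagged.
sample_log() {
    cat <<'EOF'
build 20-FEB-2023 15:56:40 Pushing to https://bitbucket.XYZ.com:8443/scm/BAM/Test.git
build 20-FEB-2023 15:56:45 error: failed to push some refs to 'https://myuser:mypassword@bitbucket.XYZ.com/scm/BAM/Test.git'
build 20-FEB-2023 15:56:46 contact admin@XYZ.com for access
EOF
}

# Demo: report leaks in the sample log (only line 2 is reported).
sample_log | find_url_credentials || true
```

A password that this check finds has already been written to the build log, and upgrading Maven does not remove it from existing logs.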
Cause
This issue is caused by a bug on the Maven side. For more details, refer to SCM-811: m2 release plugin shows SCM git password if fatal occurred during git push.
Solution
According to the request "m2 release plugin shows SCM git password if fatal occurred during git push", this issue was fixed in Maven version 1.9.5.
Upgrading Maven to version 1.9.5 or above on the Bamboo server and the agent will fix the issue.