Thanks for your reply. When I inspect the HTML this is what I see; maybe I misunderstood, but I thought if the password was transmitted in plain text I would see the actual password, e.g. 'kirkpassword', not an encrypted password. If I have misunderstood and the update to the getters and setters is still needed, what should I expect to see in the HTML?
Kirk

On Thursday, August 8, 2024 at 11:57:10 AM UTC+1 db...@cloudbees.com wrote:

> On Thu, Aug 8, 2024 at 12:34 PM Kirk Fitzsimons <fitzsim...@gmail.com> wrote:
>
>> The plugin has a security issue opened up against it:
>>
>> Credentials transmitted in plain text by Sonar Quality Gates Plugin
>> <https://www.jenkins.io/security/advisory/2020-03-09/#SECURITY-1523>
>>
>> I would like to see if I can resolve it, is there more information
>> available from the security team as to where the issue was found? Or how to
>> replicate it locally. Is it in the code?
>
> https://github.com/jenkinsci/sonar-quality-gates-plugin/blob/b87a0987c2b91ef63f5c6dd0f7a6839e341b3584/src/main/java/org/quality/gates/jenkins/plugin/GlobalConfigDataForSonarInstance.java#L81-L83
>
> returns the plain text password/decrypted Secret. That value is then shown
> (masked because password field) on the UI, but the password will show up in
> the HTML source code. Jenkins forms generally show the existing encrypted
> value on the UI.
>
> Fix the getter and setter types, adapting any programmatic callers, and it
> should work as expected.
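As an added illustration of the getter/setter change the reply describes (example code written for this thread, not taken from the plugin or from either poster), here is the before/after shape in a hypothetical `GlobalConfiguration` class with a field named `password`, assuming the standard Jenkins plugin build so that `hudson.util.Secret` and the Stapler annotations are on the classpath:

```java
package org.example.hypothetical;   // hypothetical package, not the plugin's

import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import org.kohsuke.stapler.DataBoundSetter;

/** Hypothetical global config holding a Sonar password. */
@Extension
public class ExampleSonarGlobalConfig extends GlobalConfiguration {

    // Stored encrypted either way; only the getter/setter types differ,
    // and those types are what the form-binding layer sees.
    private Secret password;

    public ExampleSonarGlobalConfig() {
        load();
    }

    // --- BEFORE: the pattern the advisory describes ---------------------
    // A String getter hands the DECRYPTED value to the form renderer. An
    // <f:password field="password"/> control masks it on screen, but the
    // plaintext is emitted into the page source as the input's value.
    //
    // public String getPassword() {
    //     return Secret.toString(password);          // decrypts
    // }
    // public void setPassword(String password) {
    //     this.password = Secret.fromString(password);
    // }

    // --- AFTER: return the Secret itself -------------------------------
    // Jenkins then renders Secret.getEncryptedValue() into the form, so
    // the HTML carries the encrypted blob rather than the password.
    public Secret getPassword() {
        return password;
    }

    @DataBoundSetter                       // Stapler converts the form value to a Secret
    public void setPassword(Secret password) {
        this.password = password;
        save();
    }

    // Programmatic callers that previously received a String now decrypt
    // explicitly, so every plaintext use is visible at the call site.
    public String plainPasswordForSonarClient() {
        return Secret.toString(password);  // null-safe: "" when unset
    }
}
```

With the String getter, view-source on the configuration page shows the literal password in the masked input's `value`; with the Secret getter it shows the encrypted form instead.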