I made an attempt at this; I am not sure if it is correct, as I have not noticed any difference: https://github.com/kirk-fitz/sonar-quality-gates-plugin/commit/72201ae973f6299e35f530154617dff6e4db52da

On Thursday, August 8, 2024 at 2:15:04 PM UTC+1 Kirk Fitzsimons wrote:

> Thanks for your reply.
>
> When I inspect the HTML this is what I see; maybe I misunderstood, but I
> thought if the password was transmitted in plain text I would see the
> actual password, e.g. 'kirkpassword', not an encrypted password.
> If I have misunderstood and the update to the getters and setters is
> still needed, what should I expect to see in the HTML?
>
> Kirk
>
> On Thursday, August 8, 2024 at 11:57:10 AM UTC+1 [email protected] wrote:
>
>> On Thu, Aug 8, 2024 at 12:34 PM Kirk Fitzsimons <[email protected]> wrote:
>>
>>> The plugin has a security issue opened up against it:
>>>
>>> Credentials transmitted in plain text by Sonar Quality Gates Plugin
>>> <https://www.jenkins.io/security/advisory/2020-03-09/#SECURITY-1523>
>>>
>>> I would like to see if I can resolve it. Is there more information
>>> available from the security team as to where the issue was found, or how to
>>> replicate it locally? Is it in the code?
>>
>> https://github.com/jenkinsci/sonar-quality-gates-plugin/blob/b87a0987c2b91ef63f5c6dd0f7a6839e341b3584/src/main/java/org/quality/gates/jenkins/plugin/GlobalConfigDataForSonarInstance.java#L81-L83
>>
>> returns the plain text password/decrypted Secret. That value is then shown
>> (masked because password field) on the UI, but the password will show up in
>> the HTML source code. Jenkins forms generally show the existing encrypted
>> value on the UI.
>>
>> Fix the getter and setter types, adapting any programmatic callers, and
>> it should work as expected.
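
A sketch of the getter/setter type change described in the thread, added here as an illustration; it is not code from the plugin or from the linked commit. The class name `SonarInstanceConfig` and the helpers `setPlainTextPassword` and `passwordForRequest` are hypothetical, and it assumes the configuration form binds the `password` field with a Jenkins password control.

```java
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;

// Hypothetical configuration class; names are illustrative, not the plugin's.
public class SonarInstanceConfig {

    private final String username;

    // Held as a Secret so the value is encrypted when the configuration is saved.
    private Secret password;

    @DataBoundConstructor
    public SonarInstanceConfig(String username) {
        this.username = username;
    }

    public String getUsername() {
        return username;
    }

    // Before the fix the getter returned a String holding the decrypted value,
    // which the form then wrote into the page source.
    // Returning Secret lets the form render the encrypted value instead.
    public Secret getPassword() {
        return password;
    }

    // The setter takes Secret as well, so form submissions are bound
    // without the plain text passing through a String property.
    @DataBoundSetter
    public void setPassword(Secret password) {
        this.password = password;
    }

    // Hypothetical helper for programmatic callers that still hold a String.
    public void setPlainTextPassword(String plainText) {
        this.password = Secret.fromString(plainText);
    }

    // Hypothetical helper: decrypt only where the credential is actually
    // used, for example when building the request to the Sonar server.
    public String passwordForRequest() {
        return Secret.toString(password); // empty string when no password is set
    }
}
```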
