Jenkins Plugin

oferba · 8 January 2020 06:27

Dear Team

Please can provide answers to the below:

Issue No 1:
Octopus Deploy Plugin stores credentials in plain text 
SECURITY-957 / CVE-2019-1003071

Octopus Deploy Plugin stores credentials unencrypted in its global configuration file hudson.plugins.octopusdeploy.OctopusDeployPlugin.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

Issue No 2:

Is the plugin work with Jenkins PipeLine, all our groovy pipeline stored in code, we not working with basic UI tasks.

Any other documentation working with the plugin ?

Thanks

paul.calvert · 8 January 2020 09:13

Hi @oferba,

Thanks for getting in touch!

The credential issue can be resolved by making use of the Mask Passwords Jenkins plugin.
EDIT This only hides the password within the UI and build logs, we’ve made a change to the plugin itself that resolves the storing of plain text passwords in the global config file.

Currently, the plugin does not work with PipeLine, however, you can use it with the CLI e.g.

pipeline {
  agent any
  stages {
    stage('Build') {
      steps {
        sh 'dotnet publish RandomQuotes.sln --output published-app --configuration Release'
      }
    }
    stage('Run Tests') {
      steps {
        sh 'dotnet test RandomQuotes.sln --logger "trx;LogFileName=TestResults.trx"'
      }
    }
    stage('Package') {
        steps {
            sh "/opt/Octo/Octo pack --id RandomQuotes --version 1.6.${env.BUILD_NUMBER} --format=Zip --basePath RandomQuotes/published-app"
        }
    }
     stage ('Push to Octopus') {
        steps {
            sh "/opt/Octo/Octo push --package=RandomQuotes.1.6.${env.BUILD_NUMBER}.zip  --replace-existing --server=https://myinstance.octopus.app/ --space=RobP --apiKey=API-MYKEY"  
        }
     }
     stage ('Create release') {
        steps {
            sh "/opt/Octo/Octo create-release --project='Random Quotes' --releaseNumber 1.6.${env.BUILD_NUMBER} --server=https://myinstance.octopus.app/ --space=RobP --apiKey=API-MYKEY"  
        }
     }
  }
}

I hope this helps, please let me know if you have any further questions.

Best regards,
Paul

system · 7 February 2020 09:13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.