Jenkins Plugin

(Ofer) #1

Dear Team

Please can you provide answers to the questions below:

Issue No 1:
Octopus Deploy Plugin stores credentials in plain text 
SECURITY-957 / CVE-2019-1003071

Octopus Deploy Plugin stores credentials unencrypted in its global configuration file hudson.plugins.octopusdeploy.OctopusDeployPlugin.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

Issue No 2:

Does the plugin work with Jenkins Pipeline? All our Groovy pipelines are stored in code; we are not working with basic UI tasks.

Is there any other documentation for working with the plugin?

Thanks

(Paul Calvert) #3

Hi @oferba,

Thanks for getting in touch!

The credential issue can be resolved by making use of the Mask Passwords Jenkins plugin.
EDIT: This only hides the password within the UI and build logs. We’ve made a change to the plugin itself that resolves the storing of plain text passwords in the global config file.

Currently, the plugin does not work with Pipeline; however, you can use it with the CLI, e.g.:

pipeline {
  agent any
  stages {
    stage('Build') {
      steps {
        sh 'dotnet publish RandomQuotes.sln --output published-app --configuration Release'
      }
    }
    stage('Run Tests') {
      steps {
        sh 'dotnet test RandomQuotes.sln --logger "trx;LogFileName=TestResults.trx"'
      }
    }
    stage('Package') {
      steps {
        sh "/opt/Octo/Octo pack --id RandomQuotes --version 1.6.${env.BUILD_NUMBER} --format=Zip --basePath RandomQuotes/published-app"
      }
    }
    stage('Push to Octopus') {
      steps {
        sh "/opt/Octo/Octo push --package=RandomQuotes.1.6.${env.BUILD_NUMBER}.zip --replace-existing --server=https://myinstance.octopus.app/ --space=RobP --apiKey=API-MYKEY"
      }
    }
    stage('Create release') {
      steps {
        sh "/opt/Octo/Octo create-release --project='Random Quotes' --releaseNumber 1.6.${env.BUILD_NUMBER} --server=https://myinstance.octopus.app/ --space=RobP --apiKey=API-MYKEY"
      }
    }
  }
}

I hope this helps, please let me know if you have any further questions.

Best regards,
Paul
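
The following is an added example, not part of the reply above or of the Octopus plugin's code: the same push and create-release stages with the API key taken from the Jenkins credentials store instead of being written into the Jenkinsfile. It assumes the Credentials Binding plugin is installed and that a "Secret text" credential with the hypothetical id `octopus-api-key` exists.

```groovy
// Added example. Assumptions: Credentials Binding plugin installed; a
// "Secret text" credential with the hypothetical id 'octopus-api-key'
// holds the Octopus API key. Server URL, space and paths are the
// placeholder values from the thread.
pipeline {
  agent any
  environment {
    OCTOPUS_SERVER = 'https://myinstance.octopus.app/'
    OCTOPUS_SPACE  = 'RobP'
  }
  stages {
    stage('Push to Octopus') {
      steps {
        // The key is injected only inside this block and is masked in the
        // build log if a command echoes it.
        withCredentials([string(credentialsId: 'octopus-api-key', variable: 'OCTOPUS_API_KEY')]) {
          // Single-quoted Groovy string: the shell, not Groovy, expands
          // $OCTOPUS_API_KEY, so the secret is never interpolated into the
          // script text that Jenkins records for the step.
          sh '''
            /opt/Octo/Octo push \
              --package="RandomQuotes.1.6.${BUILD_NUMBER}.zip" \
              --replace-existing \
              --server="$OCTOPUS_SERVER" \
              --space="$OCTOPUS_SPACE" \
              --apiKey="$OCTOPUS_API_KEY"
          '''
        }
      }
    }
    stage('Create release') {
      steps {
        withCredentials([string(credentialsId: 'octopus-api-key', variable: 'OCTOPUS_API_KEY')]) {
          sh '''
            /opt/Octo/Octo create-release \
              --project="Random Quotes" \
              --releaseNumber "1.6.${BUILD_NUMBER}" \
              --server="$OCTOPUS_SERVER" \
              --space="$OCTOPUS_SPACE" \
              --apiKey="$OCTOPUS_API_KEY"
          '''
        }
      }
    }
  }
}
```

With this layout the key does not appear in source control or in the pipeline definition, and rotating it means updating one Jenkins credential rather than editing every Jenkinsfile.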