
Conversation

@mezpahlan

This is a second attempt to fix the token stored in plain text issue from #60. Hopefully this works with existing pipelines too.

An example of a secure pipeline would be:

```groovy
stage('Upload HockeyApp') {
    environment {
        // Secret text credential looked up by id; never hard-code the token here
        HOCKEYAPP_TOKEN = credentials('hockeyapp-secret')
    }
    steps {
        hockeyApp applications: [
            [
                apiToken: env.HOCKEYAPP_TOKEN,
                downloadAllowed: true,
                filePath: 'sample.apk',
                mandatory: false,
                notifyTeam: true,
                releaseNotesMethod: changelog(),
                uploadMethod: appCreation(false)
            ]
        ], debugMode: false, failGracefully: false
    }
}
```

You will need to create a secure credential in Jenkins of type Secret text and refer to it by its id in a pipeline.
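The same upload written for a scripted (non-declarative) pipeline, as an added example that is not part of the pull request. It binds the Secret text credential with the Credentials Binding plugin's `withCredentials` step instead of a declarative `environment` block; the credential id `hockeyapp-secret` and the `hockeyApp` step parameters are taken from the snippet above, and it assumes the step accepts the bound token string the same way.

```groovy
// Added example, not code from the hockeyapp-plugin PR.
// Assumes a Jenkins credential of type "Secret text" with id 'hockeyapp-secret'.
node {
    stage('Upload HockeyApp') {
        // The token exists only for the duration of this closure and is
        // masked if it ever appears in the console log.
        withCredentials([string(credentialsId: 'hockeyapp-secret',
                                variable: 'HOCKEYAPP_TOKEN')]) {
            hockeyApp applications: [
                [
                    apiToken: env.HOCKEYAPP_TOKEN,
                    downloadAllowed: true,
                    filePath: 'sample.apk',
                    mandatory: false,
                    notifyTeam: true,
                    releaseNotesMethod: changelog(),
                    uploadMethod: appCreation(false)
                ]
            ], debugMode: false, failGracefully: false
        }
    }
}
```

In both forms the token lives in the Jenkins credentials store rather than in the job definition, so it is not written to the job's config.xml and is not readable by anyone who can view the job configuration. A token that was previously stored in plain text should still be rotated, as noted later in this thread.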

@mezpahlan mezpahlan force-pushed the bugfix/JENKINS-57319 branch from 6433e82 to f46d91b Compare May 3, 2019 22:42
@mezpahlan
Author

Hi @njtman, would you mind testing out 1.5.1 of the plugin? I have made a fix that I think might work for both freestyle and pipeline projects. You can find the build artefacts on the CI server https://ci.jenkins.io/blue/organizations/jenkins/Plugins%2Fhockeyapp-plugin/detail/PR-61/2/artifacts

Many thanks.

@imod
Member

imod commented May 6, 2019

@mezpahlan I just tested your 1.5.1-SNAPSHOT and it worked - actually, it does not need to use the credentials, your fix allows the user to do what he wants: hard coding or using credentials store as shown above...

@mezpahlan
Author

Thanks @imod, can I also double-check whether you use a pipeline or a freestyle project?

@imod
Member

imod commented May 6, 2019

I use a pipeline (declarative)

@mezpahlan
Author

Ok fab. I'm waiting on one other tester to respond but will release this fix at the end of tomorrow or earlier if they do.

Sorry again for the trouble.

@njtman

njtman commented May 7, 2019

Hi @mezpahlan, yes I can confirm that your plugin version 1.5.1-SNAPSHOT is working as expected.

@mezpahlan mezpahlan merged commit cdf63cd into jenkinsci:master May 7, 2019
@mezpahlan mezpahlan deleted the bugfix/JENKINS-57319 branch May 7, 2019 20:01
@njtman

njtman commented May 9, 2019

@mezpahlan Now that this is released (and I'm assuming the plain text vulnerability has been resolved), is it possible to have the warning removed from the Jenkins vulnerability feed?

[screenshot: Jenkins plugin warning]

@mezpahlan
Author

mezpahlan commented May 9, 2019

@njtman To be honest I don't know how to remove that message, it's not set by me. If you haven't changed your credentials then I suppose the vulnerability still remains. Not the storing of the token in plain text, that's been fixed, but the fact that at some point in the past it was in plain text. I suppose anyone could have seen it in the past.

I'll ping the Jenkins Dev mailing list to see what they recommend. For now what I will say is: if you can change your token, do.
