Jenkins SECURITY-248 states that I should "Disable the visualization of Injected Environment variables in the global configuration." I cannot find this setting in the Configuration. Any help will be appreciated.
The EnvInject Plugin (also known as the Environment Injector Plugin) gives you several options to set environment variables from the Jenkins configuration. Selecting "Inject environment variables to the build process" gives you these fields: Properties File Path, Properties Content, and Script File Path.
Go to the /job/<project>/configure screen. In the "Build Environment" section, check "Inject environment variables to the build process".
We can install and use the EnvInject plugin to inject environment variables during the build startup. In the build configuration window, we select the “Inject environment variables” option in the “Add build step” combo box. We can then add the required environment variables in the properties content text box.
You can do the following to make sure to address this security issue correctly:
sudo find . -name "injectedEnvVars.txt"
sudo find . -name "injectedEnvVars.txt" -delete
In Configure Global Security, under Environment Injector Plugin, check "Do not show injected variables".
In Configure Global Security, under Hidden security warnings, click on Security Warnings and then uncheck "Environment Injector Plugin: Exposure of sensitive build variables stored by EnvInject 1.90 and earlier". This will make sure to hide that error message so it doesn’t appear again.
Reference: https://jenkins.io/security/advisory/2018-02-26/#SECURITY-248
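The find-and-delete step from the answer above, extended into a small audit that reports what each file holds before anything is removed. This is an added example, not code from the post or from the plugin project; the function names and the `SENSITIVE_RE` pattern are hypothetical, and it assumes the files hold one KEY=VALUE pair per line.

```shell
#!/usr/bin/env bash
# Added example: audit a Jenkins home for injectedEnvVars.txt files before deleting them.
# Assumption: each file is a properties file with one KEY=VALUE pair per line.

# Variable names treated as likely secrets (hypothetical pattern; adjust to your naming).
SENSITIVE_RE='(PASS|PASSWORD|SECRET|TOKEN|KEY|CREDENTIAL)'

# list_injected_files DIR: print every injectedEnvVars.txt under DIR, sorted, one per line.
list_injected_files() {
    find "$1" -type f -name 'injectedEnvVars.txt' -print 2>/dev/null | sort
}

# sensitive_names FILE: print the names (never the values) of variables in FILE
# whose name matches SENSITIVE_RE. Comment lines and lines without '=' are skipped.
sensitive_names() {
    grep -v '^[[:space:]]*#' "$1" | cut -d= -f1 -s | grep -Ei "$SENSITIVE_RE" || true
}

# audit_injected DIR: one tab-separated report line per file:
#   <path> <number of sensitive-looking names> <comma-joined names>
# Values are never printed, so the report is safe to paste into a ticket.
audit_injected() {
    list_injected_files "$1" | while IFS= read -r f; do
        names=$(sensitive_names "$f" | paste -sd, -)
        count=$(sensitive_names "$f" | wc -l | tr -d ' ')
        printf '%s\t%s\t%s\n' "$f" "$count" "$names"
    done
}

# purge_injected DIR: delete every injectedEnvVars.txt under DIR and print
# how many files were found for removal.
purge_injected() {
    n=$(list_injected_files "$1" | wc -l | tr -d ' ')
    find "$1" -type f -name 'injectedEnvVars.txt' -delete
    echo "$n"
}

# Typical use, from a shell that has sourced this file:
#   audit_injected "$JENKINS_HOME"   # review which builds stored secret-looking names
#   purge_injected "$JENKINS_HOME"   # then remove the files
```

The names reported by `audit_injected` show which stored variables were readable from those files.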
Configure Global Security ({buildhost}/configureSecurity/): at the bottom is "Do not show injected variables".