Wrong insecure secret interpolation warning?

ArtemkaKun · January 30, 2025, 8:11am

Hello, I have a hard time understanding why Jenkins warns me about the interpolation of a secret while there is not.

I have the following code in my pipeline:

//...

def P4_PROJECT_GLOBAL_OPTIONS_STRING = "-p \"%P4_PORT%\" -u \"%P4_USER%\" -c \"${P4_WORKSPACE_NAME}\" -d \"${P4_WORKSPACE_ROOT}\""

withEnv(["P4_PROJECT_GLOBAL_OPTIONS_STRING=${P4_PROJECT_GLOBAL_OPTIONS_STRING}"]) {

//...

then in withEnv block I’m calling a function from vars library that looks like the following:

def getCurrentStreamName() {
    withCredentials([usernamePassword(credentialsId: P4_CREDENTIALS, usernameVariable: 'P4_USER', passwordVariable: 'P4PASSWD')]) {
        def streamName = bat(script: "@p4 ${P4_PROJECT_GLOBAL_OPTIONS_STRING} switch", returnStdout: true, label: "Checking current stream")
        return streamName.trim()
    }
}

As you can see, I’m interpolating env variable P4_PROJECT_GLOBAL_OPTIONS_STRING into bat command which itself contains reference to %P4_USER% env var (which is not interpolated in Groovy).

For some reason, Jenkins throws the following warning when I’m calling getCurrentStreamName() function:

Warning: A secret was passed to "bat" using Groovy String interpolation, which is insecure.
            Affected argument(s) used the following variable(s): [P4_USER]
            See https://jenkins.io/redirect/groovy-string-interpolation for details.

I don’t understand why this is a problem if P4_USER env var is not interpolated in Groovy.

Thank you for your help in advance.

Jenkins setup:

Jenkins: 2.462.1
OS: Windows 10 - 10.0
Java: 17.0.12 - OpenLogic (OpenJDK 64-Bit Server VM)
---
PrioritySorter:5.1.0
active-directory:2.36
antisamy-markup-formatter:162.v0e6ec0fcfcf6
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
asm-api:9.7-33.v4d23ef79fcc8
bootstrap5-api:5.3.3-1
bouncycastle-api:2.30.1.78.1-248.ve27176eb_46cb_
branch-api:2.1178.v969d9eb_c728e
build-blocker-plugin:166.vc82fc20b_a_ed6
build-name-setter:2.4.3
build-timeout:1.33
build-user-vars-plugin:166.v52976843b_435
caffeine-api:3.1.8-133.v17b_1ff2e0599
checks-api:2.2.0
cloudbees-folder:6.942.vb_43318a_156b_2
command-launcher:115.vd8b_301cc15d0
commons-lang3-api:3.16.0-82.ve2b_07d659d95
commons-text-api:1.12.0-129.v99a_50df237f7
conditional-buildstep:1.4.3
credentials:1371.vfee6b_095f0a_3
credentials-binding:681.vf91669a_32e45
display-url-api:2.204.vf6fddd8a_8b_e9
durable-task:568.v8fb_5c57e8417
echarts-api:5.5.1-1
eddsa-api:0.3.0-4.v84c6f0f4969e
email-ext:1814.v404722f34263
font-awesome-api:6.6.0-1
gson-api:2.11.0-41.v019fcf6125dc
instance-identity:185.v303dc7c645f9
ionicons-api:74.v93d5eb_813d5f
jackson2-api:2.17.0-379.v02de8ec9f64c
jakarta-activation-api:2.1.3-1
jakarta-mail-api:2.1.3-1
javax-activation-api:1.2.0-7
javax-mail-api:1.6.2-10
jaxb:2.3.9-1
jdk-tool:80.v8a_dee33ed6f0
joda-time-api:2.12.7-29.v5a_b_e3a_82269a_
jquery3-api:3.7.1-2
jsch:0.2.16-86.v42e010d9484b_
json-api:20240303-41.v94e11e6de726
json-path-api:2.9.0-58.v62e3e85b_a_655
junit:1284.vf75d778f98c5
locale:519.v4e20f313cfa_f
mailer:472.vf7c289a_4b_420
matrix-auth:3.2.2
matrix-project:832.va_66e270d2946
metrics:4.2.21-451.vd51df8df52ec
mina-sshd-api-common:2.13.2-125.v200281b_61d59
mina-sshd-api-core:2.13.2-125.v200281b_61d59
nodelabelparameter:1.12.0
p4:1.16.0
parameter-separator:166.vd0120849b_386
parameterized-trigger:806.vf6fff3e28c3e
pipeline-build-step:540.vb_e8849e1a_b_d8
pipeline-graph-analysis:216.vfd8b_ece330ca_
pipeline-graph-view:313.v1322ce83d680
pipeline-groovy-lib:730.ve57b_34648c63
pipeline-input-step:495.ve9c153f6067b_
pipeline-milestone-step:119.vdfdc43fc3b_9a_
pipeline-model-api:2.2205.vc9522a_9d5711
pipeline-model-definition:2.2205.vc9522a_9d5711
pipeline-model-extensions:2.2205.vc9522a_9d5711
pipeline-rest-api:2.34
pipeline-stage-step:312.v8cd10304c27a_
pipeline-stage-tags-metadata:2.2205.vc9522a_9d5711
pipeline-stage-view:2.34
plain-credentials:183.va_de8f1dd5a_2b_
plugin-util-api:4.1.0
rebuild:332.va_1ee476d8f6d
run-condition:1.7
scm-api:696.v778d637b_a_762
script-security:1354.va_70a_fe478c7f
slack:734.v7f9ec8b_66975
snakeyaml-api:2.2-121.v5a_68b_9300b_d4
ssh-credentials:343.v884f71d78167
sshd:3.330.vc866a_8389b_58
structs:338.v848422169819
timestamper:1.27
token-macro:400.v35420b_922dcb_
trilead-api:2.147.vb_73cc728a_32e
variant:60.v7290fc0eb_b_cd
workflow-aggregator:600.vb_57cdd26fdd7
workflow-api:1336.vee415d95c521
workflow-basic-steps:1058.vcb_fc1e3a_21a_9
workflow-cps:3943.v3519a_3260660
workflow-durable-task-step:1364.v2fd76fb_6fd41
workflow-job:1436.vfa_244484591f
workflow-multibranch:795.ve0cb_1f45ca_9a_
workflow-scm-step:427.v4ca_6512e7df1
workflow-step-api:678.v3ee58b_469476
workflow-support:920.v59f71ce16f04

Topic		Replies	Views
Masking local strings in Groovy Using Jenkins	4	1794	May 4, 2024
Using safely Credentials in shell commands? Ask a question	3	3567	December 27, 2023
Jenkins Credential Interpolation issue within shell script Ask a question question	1	1100	July 15, 2023
Using Multiple shell commands with interpolation Ask a question	3	1905	January 10, 2024
httpRequest with two credentials - how to avoid insecure interpolation of sensitive variables? Ask a question	9	8662	April 19, 2023

Wrong insecure secret interpolation warning?

Related topics