Issue
Until 2.452.2.4, I could use scm.userRemoteConfigs[0].credentialsId in my Bitbucket pipeline to get the ID of the credential configured at job level for the checkout of the pipeline. Now, after the upgrade, the build of the pipeline fails with a NullPointerException:
    Also: org.jenkinsci.plugins.workflow.actions.ErrorAction$ErrorId: ...
    java.lang.NullPointerException
        at java.base/java.util.Objects.requireNonNull(Objects.java:209)
        at com.cloudbees.plugins.credentials.CredentialsProvider.findCredentialById(CredentialsProvider.java:897)
        at com.cloudbees.plugins.credentials.CredentialsProvider.findCredentialById(CredentialsProvider.java:866)
        at org.jenkinsci.plugins.credentialsbinding.MultiBinding.getCredentials(MultiBinding.java:195)
        at jenkins.plugins.git.GitUsernamePasswordBinding.bind(GitUsernamePasswordBinding.java:68)
        at org.jenkinsci.plugins.credentialsbinding.impl.BindingStep$Execution2.doStart(BindingStep.java:132)
        at org.jenkinsci.plugins.workflow.steps.GeneralNonBlockingStepExecution.lambda$run$0(GeneralNonBlockingStepExecution.java:77)
        at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        at java.base/java.lang.Thread.run(Thread.java:840)
Environment
- CloudBees CI on modern cloud platforms - operations center - 2.452.2.4 and later
- CloudBees CI on modern cloud platforms - managed controller - 2.452.2.4 and later
- CloudBees CI on traditional platforms - operations center - 2.452.2.4 and later
- CloudBees CI on traditional platforms - client controller - 2.452.2.4 and later
Context
JENKINS-73471 was introduced in 2.453.2.4 by the fix for a security issue, "Bitbucket OAuth access token exposed in the build log by Bitbucket Branch Source Plugin" (SECURITY-3363/CVE-2024-39460).
Resolution
A final fix for this issue has not been released yet (as of version 888.v8e6d479a_1730 of Bitbucket Branch Source plugin).
Workaround
- Retrieve the credential using:

      // Reads the credential ID from the Bitbucket authenticator extension on the SCM
      def workaroundJenkins73471(scm) {
          return scm.extensions.find { ext ->
              ext instanceof com.cloudbees.jenkins.plugins.bitbucket.GitClientAuthenticatorExtension
          }?.credentials?.id
      }
- Use version 886.v44cf5e4ecec5. This is not recommended in general, because 887.va_d359b_3d2d8d fixes a security issue that can expose the Bitbucket OAuth token in build logs in some scenarios, and because it implies having a plugin installed in a version lower than recommended by CAP. It is safe if you are not using Bitbucket OAuth token credentials.
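One way to use the first workaround in a scripted pipeline, shown as an added example (not CloudBees code). It assumes the old property now yields null, as the stack trace suggests; the helper name checkoutCredentialsId and the git command inside the binding are illustrative.

```groovy
// Added example: resolve the checkout credential ID both before and after
// the change described in this article. Helper name is hypothetical.
def checkoutCredentialsId(scm) {
    // Location used until the upgrade (assumed to return null afterwards).
    def id = scm.userRemoteConfigs[0].credentialsId
    if (!id) {
        // Location after the upgrade: the article's workaround.
        id = scm.extensions.find { ext ->
            ext instanceof com.cloudbees.jenkins.plugins.bitbucket.GitClientAuthenticatorExtension
        }?.credentials?.id
    }
    return id
}

node {
    checkout scm

    def credId = checkoutCredentialsId(scm)
    if (!credId) {
        // Stop with a readable message instead of the NullPointerException
        // thrown from CredentialsProvider.findCredentialById.
        error 'No checkout credential ID found on scm (see JENKINS-73471)'
    }

    // The binding keeps the secret out of the script itself; only the
    // credential ID is handled here.
    withCredentials([gitUsernamePassword(credentialsId: credId)]) {
        // Placeholder for whatever authenticated git operation the job needs.
        sh 'git fetch --tags origin'
    }
}
```

Checking for a null ID before entering withCredentials turns the failure into an explicit build error that names the cause.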