Advisories for Maven/Org.junit.platform/Junit-Platform-Reporting package

2025

junit-platform-reporting can leak Git credentials through its OpenTestReportGeneratingListener

This vulnerability affects JUnit's support for writing Open Test Reporting XML files, which is an opt-in feature of junit-platform-reporting.

If a repository is cloned using a GitHub token or other credentials in its URL, for example:

    git clone https://${GH_APP}:${GH_TOKEN}@github.com/example/example.git

The credentials are captured by OpenTestReportGeneratingListener, which produces (trimmed for brevity):

    <infrastructure>
      <git:repository originUrl="https://username:token@github.com/example/example.git" />
    </infrastructure>
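
A defender-side check for the leak described above, added here as an example (not code from JUnit or from the advisory): it scans Open Test Reporting XML files for originUrl values that carry credentials and reports them in redacted form. The sample report, its namespace URIs and the function names are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Constructed sample report. The namespace URIs are placeholders chosen for
# this example, not the real Open Test Reporting schema URIs.
SAMPLE_REPORT = """<e:events xmlns:e="urn:example:events" xmlns:git="urn:example:git">
  <infrastructure>
    <git:repository originUrl="https://username:token@github.com/example/example.git" />
  </infrastructure>
</e:events>"""
CLEAN_REPORT = SAMPLE_REPORT.replace("username:token@", "")


def strip_userinfo(url):
    """Return (url_without_userinfo, had_userinfo) for an HTTP(S) remote URL."""
    parts = urlsplit(url)
    # Only HTTP(S) remotes are checked: there a token can be the user name or
    # the password. scp-style remotes (git@host:path) have no scheme or netloc.
    if parts.scheme not in ("http", "https") or "@" not in parts.netloc:
        return url, False
    host = parts.netloc.rsplit("@", 1)[1]
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return clean, True


def scan_report(xml_text):
    """Return redacted originUrl values that contained credentials."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        # Compare the local name only, so the check does not depend on the
        # namespace URI bound to the git: prefix.
        if elem.tag.rsplit("}", 1)[-1] != "repository":
            continue
        clean, leaked = strip_userinfo(elem.get("originUrl", ""))
        if leaked:
            findings.append(clean)
    return findings


if __name__ == "__main__":
    exit_code = 0
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            for redacted in scan_report(fh.read()):
                # Print the redacted URL only, never the credential itself.
                print(f"{path}: credentials in originUrl for {redacted}")
                exit_code = 1
    sys.exit(exit_code)
```

Run it over the generated report files in CI before they are uploaded as artifacts; a non-zero exit status means at least one report contains a credential-bearing origin URL.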