Re: Codecov Bash Uploader Security Notice

2021-04-20 Thread Ahmet Altay
I received the same email too. I think it is related to Beam given that we
all received it. I cannot find any references to the bash uploader anymore
but I found some references from 2016 [1]. It looks like we used it at some
point in the past and maybe that is why we received the notifications. If I
understand correctly, we are not using the bash uploader any more and we do
not need to take any action.

[1]
https://github.com/apache/beam/commit/aed5e276726440cb3cfa04fe6d16985aa7d2fb4f

On Thu, Apr 15, 2021 at 12:59 PM Brian Hulette  wrote:

> I also got this email, it stated "Unfortunately, we can confirm that you
> were impacted by this security event," but it didn't specify _how_ I
> was impacted. I assumed it was through Beam, but perhaps it was through
> Arrow. It looks like they use the Bash uploader [1].
>
> The codecov notice states:
> > The Bash Uploader is also used in these related uploaders:
> Codecov-actions uploader for Github, the Codecov CircleCI Orb, and the
> Codecov Bitrise Step (together, the "Bash Uploaders"). Therefore, these
> related uploaders were also impacted by this event.
>
> Which would seem to confirm the Python codecov tool is not impacted.
>
> [1]
> https://github.com/apache/arrow/blob/13c334e976f09d4d896c26d4b5f470e36a46572b/.github/workflows/rust.yml#L337
>
> On Thu, Apr 15, 2021 at 12:50 PM Pablo Estrada  wrote:
>
>> I believe that the utility that we use is the Python codecov tool[1], not
>> the bash uploader[2].
>> Specifically, the upload seems to happen in Python here[3].
>>
>> Why do I think we use the Python tool? Because it seems to be installed
>> by tox around the link Udi shared[4]
>>
>> So it seems we're okay?
>>
>>
>> [1] https://github.com/codecov/codecov-python
>> [2] https://docs.codecov.io/docs/about-the-codecov-bash-uploader
>> [3]
>> https://github.com/codecov/codecov-python/blob/158a38eed7fd6f0d2f9c9f4c5258ab1f244b6e13/codecov/__init__.py#L1129-L1157
>> [4]
>> https://github.com/apache/beam/blob/39923d8f843ecfd3d89443dccc359c14aea8f26f/sdks/python/tox.ini#L105
>>
>>
>> On Thu, Apr 15, 2021 at 11:38 AM Udi Meiri  wrote:
>>
>>> From the notice: "We strongly recommend affected users immediately
>>> re-roll all of their credentials, tokens, or keys located in the
>>> environment variables in their CI processes that used one of Codecov’s Bash
>>> Uploaders."
>>>
>>>
>>> On Thu, Apr 15, 2021 at 11:35 AM Udi Meiri  wrote:
>>>
>>>> I got this email: https://about.codecov.io/security-update/
>>>>
>>>> This is where we use codecov:
>>>>
>>>> https://github.com/apache/beam/blob/39923d8f843ecfd3d89443dccc359c14aea8f26f/sdks/python/tox.ini#L105
>>>>
>>>> I'm not sure if this runs the "bash uploader", but we do set
>>>> a CODECOV_TOKEN environment variable.
>>>>
>>>


Re: Codecov Bash Uploader Security Notice

2021-04-15 Thread Brian Hulette
I also got this email, it stated "Unfortunately, we can confirm that you
were impacted by this security event," but it didn't specify _how_ I
was impacted. I assumed it was through Beam, but perhaps it was through
Arrow. It looks like they use the Bash uploader [1].

The codecov notice states:
> The Bash Uploader is also used in these related uploaders:
Codecov-actions uploader for Github, the Codecov CircleCI Orb, and the
Codecov Bitrise Step (together, the "Bash Uploaders"). Therefore, these
related uploaders were also impacted by this event.

Which would seem to confirm the Python codecov tool is not impacted.

[1]
https://github.com/apache/arrow/blob/13c334e976f09d4d896c26d4b5f470e36a46572b/.github/workflows/rust.yml#L337





On Thu, Apr 15, 2021 at 12:50 PM Pablo Estrada  wrote:

> I believe that the utility that we use is the Python codecov tool[1], not
> the bash uploader[2].
> Specifically, the upload seems to happen in Python here[3].
>
> Why do I think we use the Python tool? Because it seems to be installed by
> tox around the link Udi shared[4].
>
> So it seems we're okay?
>
>
> [1] https://github.com/codecov/codecov-python
> [2] https://docs.codecov.io/docs/about-the-codecov-bash-uploader
> [3]
> https://github.com/codecov/codecov-python/blob/158a38eed7fd6f0d2f9c9f4c5258ab1f244b6e13/codecov/__init__.py#L1129-L1157
> [4]
> https://github.com/apache/beam/blob/39923d8f843ecfd3d89443dccc359c14aea8f26f/sdks/python/tox.ini#L105
>
>
> On Thu, Apr 15, 2021 at 11:38 AM Udi Meiri  wrote:
>
>> From the notice: "We strongly recommend affected users immediately
>> re-roll all of their credentials, tokens, or keys located in the
>> environment variables in their CI processes that used one of Codecov’s Bash
>> Uploaders."
>>
>>
>> On Thu, Apr 15, 2021 at 11:35 AM Udi Meiri  wrote:
>>
>>> I got this email: https://about.codecov.io/security-update/
>>>
>>> This is where we use codecov:
>>>
>>> https://github.com/apache/beam/blob/39923d8f843ecfd3d89443dccc359c14aea8f26f/sdks/python/tox.ini#L105
>>>
>>> I'm not sure if this runs the "bash uploader", but we do set
>>> a CODECOV_TOKEN environment variable.
>>>
>>


Re: Codecov Bash Uploader Security Notice

2021-04-15 Thread Pablo Estrada
I believe that the utility that we use is the Python codecov tool[1], not
the bash uploader[2].
Specifically, the upload seems to happen in Python here[3].

Why do I think we use the Python tool? Because it seems to be installed by
tox around the link Udi shared[4].

So it seems we're okay?


[1] https://github.com/codecov/codecov-python
[2] https://docs.codecov.io/docs/about-the-codecov-bash-uploader
[3]
https://github.com/codecov/codecov-python/blob/158a38eed7fd6f0d2f9c9f4c5258ab1f244b6e13/codecov/__init__.py#L1129-L1157
[4]
https://github.com/apache/beam/blob/39923d8f843ecfd3d89443dccc359c14aea8f26f/sdks/python/tox.ini#L105


On Thu, Apr 15, 2021 at 11:38 AM Udi Meiri  wrote:

> From the notice: "We strongly recommend affected users immediately re-roll
> all of their credentials, tokens, or keys located in the environment
> variables in their CI processes that used one of Codecov’s Bash Uploaders."
>
>
> On Thu, Apr 15, 2021 at 11:35 AM Udi Meiri  wrote:
>
>> I got this email: https://about.codecov.io/security-update/
>>
>> This is where we use codecov:
>>
>> https://github.com/apache/beam/blob/39923d8f843ecfd3d89443dccc359c14aea8f26f/sdks/python/tox.ini#L105
>>
>> I'm not sure if this runs the "bash uploader", but we do set
>> a CODECOV_TOKEN environment variable.
>>
>
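
The check Pablo, Brian and Ahmet are doing by hand above (is the reference a Bash Uploader or the Python `codecov` package, and which CI secrets sat in the same environment) can be scripted. The following is an added example, not code from this thread or from Beam or Codecov. The tox.ini, workflow and CircleCI snippets are constructed samples modelled loosely on the links in the thread; the GitHub Action (`uses: codecov/codecov-action`) and CircleCI orb (`codecov/codecov@`) reference forms are assumed, since the thread only quotes the uploader names, and the secret-name heuristic (`*_TOKEN`, `*_KEY`, `*_SECRET`, `*_PASSWORD`) is my own.

```python
"""Audit CI configuration text for Codecov uploader usage.

Classifies each config file as referencing a member of the "Bash Uploader"
family (bash script, GitHub Action, CircleCI orb), the Python `codecov`
package, or neither, and lists the secret-looking environment variables
that were exposed to a Bash Uploader and therefore need re-rolling.
"""
import re
from dataclasses import dataclass, field

# Reference forms for uploaders the Codecov notice groups as "Bash Uploaders".
# The action and orb syntax below is an assumption, not taken from the thread.
BASH_FAMILY = {
    "bash-script": re.compile(r"codecov\.io/bash"),
    "github-action": re.compile(r"uses:\s*codecov/codecov-action"),
    "circleci-orb": re.compile(r"codecov/codecov@"),
}
# The Python package appears as a bare lowercase `codecov` word (pip dep or
# tox command), never as part of a URL, owner/repo path or YAML key.
PYTHON_TOOL = re.compile(r"(?<![\w./-])codecov(?![\w./@:-])")
# Heuristic for secret-bearing variable names (assumed naming convention).
SECRET_NAME = re.compile(
    r"\b([A-Z][A-Z0-9_]*(?:TOKEN|KEY|SECRET|PASSWORD)[A-Z0-9_]*)\b")


@dataclass
class FileFinding:
    uploaders: set = field(default_factory=set)
    secrets: set = field(default_factory=set)


def classify_line(line):
    """Return the uploader kind a single config line references, or None."""
    for kind, pattern in BASH_FAMILY.items():
        if pattern.search(line):
            return kind
    if PYTHON_TOOL.search(line):
        return "python-package"
    return None


def find_secret_names(text):
    """Uppercase env-var names that look like credentials."""
    return set(SECRET_NAME.findall(text))


def audit(configs):
    """configs maps path -> file text. Returns path -> FileFinding."""
    report = {}
    for path, text in configs.items():
        finding = FileFinding()
        for line in text.splitlines():
            kind = classify_line(line)
            if kind:
                finding.uploaders.add(kind)
        finding.secrets = find_secret_names(text)
        report[path] = finding
    return report


def secrets_to_rotate(report):
    """Secrets present in any file that references a Bash Uploader."""
    to_rotate = set()
    for finding in report.values():
        if finding.uploaders & set(BASH_FAMILY):
            to_rotate |= finding.secrets
    return to_rotate


# Constructed sample inputs; the tox.ini mirrors the shape of the Beam file
# linked in the thread, the YAML files are invented for illustration.
SAMPLE_CONFIGS = {
    "sdks/python/tox.ini": """\
[testenv:py38-cov]
deps = codecov
passenv = CODECOV_TOKEN
commands =
  pytest --cov=apache_beam
  codecov
""",
    ".github/workflows/rust.yml": """\
      - name: Upload coverage
        run: curl -s https://codecov.io/bash | bash
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
""",
    ".circleci/config.yml": """\
orbs:
  codecov: codecov/codecov@1.1.3
jobs:
  test:
    environment:
      DOCKER_PASSWORD: placeholder
""",
}

if __name__ == "__main__":
    findings = audit(SAMPLE_CONFIGS)
    for path, finding in findings.items():
        print(f"{path}: uploaders={sorted(finding.uploaders)} "
              f"secrets={sorted(finding.secrets)}")
    print("re-roll:", sorted(secrets_to_rotate(findings)))
```

On the samples, tox.ini is classified as Python-package only, so its `CODECOV_TOKEN` is not flagged, which is the conclusion Pablo reaches for Beam; the two files that pull in a Bash Uploader contribute every secret in their environment to the re-roll list, matching the notice's advice Udi quoted. To answer Ahmet's question about past usage, feed the same function the historical versions of the files (for example the output of `git show <rev>:<path>`) instead of the working tree. Lines that merely mention "codecov" in a comment will also be flagged; treat the output as a triage list, not a verdict.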


Re: Codecov Bash Uploader Security Notice

2021-04-15 Thread Udi Meiri
From the notice: "We strongly recommend affected users immediately re-roll
all of their credentials, tokens, or keys located in the environment
variables in their CI processes that used one of Codecov’s Bash Uploaders."


On Thu, Apr 15, 2021 at 11:35 AM Udi Meiri  wrote:

> I got this email: https://about.codecov.io/security-update/
>
> This is where we use codecov:
>
> https://github.com/apache/beam/blob/39923d8f843ecfd3d89443dccc359c14aea8f26f/sdks/python/tox.ini#L105
>
> I'm not sure if this runs the "bash uploader", but we do set
> a CODECOV_TOKEN environment variable.
>




Codecov Bash Uploader Security Notice

2021-04-15 Thread Udi Meiri
I got this email: https://about.codecov.io/security-update/

This is where we use codecov:
https://github.com/apache/beam/blob/39923d8f843ecfd3d89443dccc359c14aea8f26f/sdks/python/tox.ini#L105

I'm not sure if this runs the "bash uploader", but we do set
a CODECOV_TOKEN environment variable.

