I also got this email; it stated "Unfortunately, we can confirm that you were impacted by this security event," but it didn't specify _how_ I was impacted. I assumed it was through Beam, but perhaps it was through Arrow. It looks like they use the Bash uploader [1].
The codecov notice states:

> The Bash Uploader is also used in these related uploaders: Codecov-actions uploader for Github, the Codecov CircleCI Orb, and the Codecov Bitrise Step (together, the “Bash Uploaders”). Therefore, these related uploaders were also impacted by this event.

That would seem to confirm the Python codecov tool is not impacted.

[1] https://github.com/apache/arrow/blob/13c334e976f09d4d896c26d4b5f470e36a46572b/.github/workflows/rust.yml#L337

On Thu, Apr 15, 2021 at 12:50 PM Pablo Estrada <[email protected]> wrote:

> I believe that the utility that we use is the Python codecov tool[1], not
> the bash uploader[2].
> Specifically, the upload seems to happen in Python here[3].
>
> Why do I think we use the Python tool? Because it seems to be installed by
> tox around the link Udi shared[4]
>
> So it seems we're okay?
>
> [1] https://github.com/codecov/codecov-python
> [2] https://docs.codecov.io/docs/about-the-codecov-bash-uploader
> [3] https://github.com/codecov/codecov-python/blob/158a38eed7fd6f0d2f9c9f4c5258ab1f244b6e13/codecov/__init__.py#L1129-L1157
> [4] https://github.com/apache/beam/blob/39923d8f843ecfd3d89443dccc359c14aea8f26f/sdks/python/tox.ini#L105
>
> On Thu, Apr 15, 2021 at 11:38 AM Udi Meiri <[email protected]> wrote:
>
>> From the notice: "We strongly recommend affected users immediately
>> re-roll all of their credentials, tokens, or keys located in the
>> environment variables in their CI processes that used one of Codecov’s Bash
>> Uploaders."
>>
>> On Thu, Apr 15, 2021 at 11:35 AM Udi Meiri <[email protected]> wrote:
>>
>>> I got this email: https://about.codecov.io/security-update/
>>>
>>> This is where we use codecov:
>>>
>>> https://github.com/apache/beam/blob/39923d8f843ecfd3d89443dccc359c14aea8f26f/sdks/python/tox.ini#L105
>>>
>>> I'm not sure if this runs the "bash uploader", but we do set
>>> a CODECOV_TOKEN environment variable.
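The question the thread keeps circling (does this CI file invoke one of the "Bash Uploaders" or the Python package, and which credentials did that job see?) is mechanical enough to script. Below is an added example, not code from the thread, Beam, Arrow or Codecov, that classifies CI config text by which uploader it invokes and lists the credentials the job exposes, which is the input the notice's re-roll recommendation needs. The curl URL, the GitHub Action slug and the CircleCI orb name are assumptions taken from Codecov's public documentation rather than from the thread; the two config snippets are constructed and only loosely modelled on the linked Arrow workflow and Beam tox.ini.

```python
"""Audit CI configuration text for the Codecov uploaders named in the
April 2021 notice and list the credentials those jobs expose."""
import re
from typing import Dict, List

# Signatures of the uploaders the notice calls "Bash Uploaders". The curl
# URL, the GitHub Action slug and the CircleCI orb name are assumptions from
# Codecov's public docs; the thread itself does not spell them out.
AFFECTED = {
    "Bash Uploader (curl | bash)": re.compile(r"codecov\.io/bash"),
    "codecov-action (GitHub Actions)": re.compile(r"uses:\s*codecov/codecov-action@"),
    "Codecov CircleCI Orb": re.compile(r"codecov/codecov@\d"),
}

# The pip package `codecov` (the Python tool Pablo points at) is not on the
# notice's list, so it is reported separately, not as affected.
PYTHON_TOOL = re.compile(r"(?m)^\s*codecov(?:==[\w.]+)?\s*$|pip install[^\n]*\bcodecov\b")

# Heuristics for credentials the config hands to the job: GitHub `secrets.*`
# references, tox `passenv` names, and upper-case names that look like secrets.
SECRET_REF = re.compile(r"secrets\.([A-Z][A-Z0-9_]*)")
PASSENV = re.compile(r"(?m)^\s*passenv\s*=\s*(.+)$")
SECRET_NAME = re.compile(r"\b[A-Z][A-Z0-9_]*(?:TOKEN|SECRET|KEY|PASSWORD)[A-Z0-9_]*\b")


def audit_ci_config(path: str, text: str) -> Dict[str, object]:
    """Return which uploaders `text` invokes and which credentials it exposes."""
    affected = [label for label, pat in AFFECTED.items() if pat.search(text)]
    creds = set(SECRET_REF.findall(text)) | set(SECRET_NAME.findall(text))
    for line in PASSENV.findall(text):
        creds.update(n.strip() for n in re.split(r"[\s,]+", line) if n.strip())
    return {
        "path": path,
        "affected_uploaders": affected,
        "python_tool": bool(PYTHON_TOOL.search(text)),
        "credentials": sorted(creds),
    }


def rotation_list(reports: List[Dict[str, object]]) -> List[str]:
    """Credentials that reached an affected uploader and should be re-rolled."""
    names = set()
    for report in reports:
        if report["affected_uploaders"]:
            names.update(report["credentials"])
    return sorted(names)


# Constructed samples, loosely modelled on the two files linked in the thread;
# they are not the real Arrow or Beam configs.
ARROW_STYLE_WORKFLOW = """\
    steps:
      - name: Report coverage
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
        run: bash <(curl -s https://codecov.io/bash) -f lcov.info
"""

BEAM_STYLE_TOX = """\
[testenv:py38-cloudcoverage]
passenv = CODECOV_TOKEN
deps = codecov
commands =
  pytest --cov=apache_beam
  codecov
"""

if __name__ == "__main__":
    reports = [
        audit_ci_config("rust.yml", ARROW_STYLE_WORKFLOW),
        audit_ci_config("tox.ini", BEAM_STYLE_TOX),
    ]
    for r in reports:
        print(r)
    print("re-roll:", rotation_list(reports))
```

Point it at real files by reading them into `audit_ci_config`. The credential heuristics are name-based, so review the list rather than trusting it blindly, and a file that matches none of the signatures only means it does not invoke one of the named Bash Uploaders; it says nothing about whether the Python package itself is trustworthy.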
