I received the same email too. I think it is related to Beam given that we all received it. I cannot find any references to the bash uploader anymore but I found some references from 2016 [1]. It looks like we used it at some point in the past and maybe that is why we received the notifications. If I understand correctly, we are not using the bash uploader any more and we do not need to take any action.
[1] https://github.com/apache/beam/commit/aed5e276726440cb3cfa04fe6d16985aa7d2fb4f

On Thu, Apr 15, 2021 at 12:59 PM Brian Hulette <[email protected]> wrote:

> I also got this email, it stated "Unfortunately, we can confirm that you
> were impacted by this security event," but it didn't specify _how_ I
> was impacted. I assumed it was through Beam, but perhaps it was through
> Arrow. It looks like they use the Bash uploader [1].
>
> The codecov notice states:
>
> The Bash Uploader is also used in these related uploaders:
> Codecov-actions uploader for Github, the Codecov CircleCI Orb, and the
> Codecov Bitrise Step (together, the “Bash Uploaders”). Therefore, these
> related uploaders were also impacted by this event.
>
> Which would seem to confirm the Python codecov tool is not impacted.
>
> [1] https://github.com/apache/arrow/blob/13c334e976f09d4d896c26d4b5f470e36a46572b/.github/workflows/rust.yml#L337
>
> On Thu, Apr 15, 2021 at 12:50 PM Pablo Estrada <[email protected]> wrote:
>
>> I believe that the utility that we use is the Python codecov tool[1], not
>> the bash uploader[2].
>> Specifically, the upload seems to happen in Python here[3].
>>
>> Why do I think we use the Python tool? Because it seems to be installed
>> by tox around the link Udi shared[4]
>>
>> So it seems we're okay?
>>
>> [1] https://github.com/codecov/codecov-python
>> [2] https://docs.codecov.io/docs/about-the-codecov-bash-uploader
>> [3] https://github.com/codecov/codecov-python/blob/158a38eed7fd6f0d2f9c9f4c5258ab1f244b6e13/codecov/__init__.py#L1129-L1157
>> [4] https://github.com/apache/beam/blob/39923d8f843ecfd3d89443dccc359c14aea8f26f/sdks/python/tox.ini#L105
>>
>> On Thu, Apr 15, 2021 at 11:38 AM Udi Meiri <[email protected]> wrote:
>>
>>> From the notice: "We strongly recommend affected users immediately
>>> re-roll all of their credentials, tokens, or keys located in the
>>> environment variables in their CI processes that used one of Codecov’s Bash
>>> Uploaders."
>>>
>>> On Thu, Apr 15, 2021 at 11:35 AM Udi Meiri <[email protected]> wrote:
>>>
>>>> I got this email: https://about.codecov.io/security-update/
>>>>
>>>> This is where we use codecov:
>>>> https://github.com/apache/beam/blob/39923d8f843ecfd3d89443dccc359c14aea8f26f/sdks/python/tox.ini#L105
>>>>
>>>> I'm not sure if this runs the "bash uploader", but we do set
>>>> a CODECOV_TOKEN environment variable.
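The question the thread works through by hand (does this repository run one of the Bash Uploaders the Codecov notice names, or only the separate Python package, and which CI credentials would the notice's re-roll advice apply to) can be answered mechanically over a checkout. The script below is an added example written for this thread; it is not Beam, Arrow or Codecov code. The match patterns are my assumptions: the `codecov.io/bash` script URL, the `codecov/codecov-action` GitHub Action and the `codecov/codecov@` CircleCI orb for the Bash Uploaders, and a bare `codecov` dependency or `pip install codecov` for the Python tool; the Bitrise step is not matched. The three CI files are constructed samples, not real project files.

```python
"""Triage helper for the Codecov Bash Uploader notice.

Added example for this thread (not Beam's, Arrow's or Codecov's code): scans
CI config text for the uploaders the notice names and lists credential-like
environment variables in those same files as candidates for re-rolling.
"""
import re
import sys
from pathlib import Path
from typing import Dict, List, NamedTuple, Set


class Finding(NamedTuple):
    path: str
    line_no: int
    indicator: str
    line: str


# Uploaders the notice groups as "Bash Uploaders". Patterns are an assumption:
# the script URL, the GitHub Action name and the CircleCI orb name.
BASH_UPLOADERS = [
    ("bash uploader script", re.compile(r"codecov\.io/bash")),
    ("codecov GitHub Action", re.compile(r"\bcodecov/codecov-action\b")),
    ("codecov CircleCI orb", re.compile(r"\bcodecov/codecov@")),
]

# The Python package (installed via tox/pip, as in the thread) is a separate
# tool that the notice does not list; it is reported but not flagged.
PYTHON_UPLOADER = re.compile(r"^\s*(?:-\s*)?codecov\s*$|pip\s+install\s+codecov\b", re.M)

# Env var names that look like credentials: NAME=..., NAME: ..., secrets.NAME
ENV_ASSIGN = re.compile(r"\b([A-Z][A-Z0-9_]*(?:TOKEN|SECRET|KEY|PASSWORD)[A-Z0-9_]*)\s*[:=]")
SECRET_REF = re.compile(r"secrets\.([A-Z][A-Z0-9_]*)")


def scan_text(path: str, text: str) -> List[Finding]:
    """Every line of `text` that references one of the Bash Uploaders."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in BASH_UPLOADERS:
            if pattern.search(line):
                findings.append(Finding(path, no, name, line.strip()))
    return findings


def credential_names(text: str) -> Set[str]:
    """Credential-looking env var and secret names assigned or referenced in a CI file."""
    names = set(ENV_ASSIGN.findall(text))
    names.update(SECRET_REF.findall(text))
    return names


def triage(files: Dict[str, str]) -> Dict[str, dict]:
    """Per file: Bash Uploader findings, Python-tool use, and credentials to re-roll.

    Following the notice's advice quoted in the thread, credentials are listed
    for rotation only where the same file also runs a Bash Uploader.
    """
    report = {}
    for path, text in files.items():
        findings = scan_text(path, text)
        report[path] = {
            "findings": findings,
            "python_uploader": bool(PYTHON_UPLOADER.search(text)),
            "rotate": sorted(credential_names(text)) if findings else [],
        }
    return report


def load_ci_files(root: str) -> Dict[str, str]:
    """Read the CI-style files under a checkout (assumed extensions)."""
    base = Path(root)
    return {
        str(p.relative_to(base)): p.read_text(errors="replace")
        for p in base.rglob("*")
        if p.is_file() and p.suffix in {".yml", ".yaml", ".ini", ".cfg", ".sh"}
    }


# Constructed sample inputs (not real project files).
SAMPLE_FILES = {
    ".github/workflows/ci.yml": (
        "name: ci\non: [push]\njobs:\n  test:\n    runs-on: ubuntu-latest\n"
        "    env:\n      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}\n"
        "      DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}\n    steps:\n"
        "      - run: make test\n      - run: bash <(curl -s https://codecov.io/bash)\n"
    ),
    "sdks/python/tox.ini": (
        "[testenv:py38-cov]\ndeps =\n  pytest\n  codecov\npassenv = CODECOV_TOKEN\n"
        "commands =\n  pytest --cov\n  codecov\n"
    ),
    ".circleci/config.yml": (
        "version: 2.1\norbs:\n  codecov: codecov/codecov@1.0.2\njobs:\n  build:\n"
        "    environment:\n      NPM_TOKEN: placeholder\n"
    ),
}

if __name__ == "__main__":
    files = load_ci_files(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FILES
    for path, entry in triage(files).items():
        for f in entry["findings"]:
            print(f"{path}:{f.line_no}: {f.indicator}: {f.line}")
        if entry["python_uploader"]:
            print(f"{path}: uses the Python codecov package (not a listed Bash Uploader)")
        if entry["rotate"]:
            print(f"{path}: re-roll {', '.join(entry['rotate'])}")
```

Run with a checkout path to scan real files, or with no argument to see the samples. Because the thread also turned up a bash uploader reference in an old 2016 commit, the same `triage` call can be fed file contents from earlier revisions (for example from `git show <rev>:<path>`) to see whether a secret that was exposed to the uploader at the time still exists today. Token names are a heuristic; a credential passed to the job under an unusual name will not be listed and has to be checked by eye.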
