se-edu/addressbook-level3

Codecov security issue

damithc opened this issue · 3 comments

It seems some students in the current batch have received the following warning from CodeCov.
https://about.codecov.io/security-update/

Are AB3 forks affected? If yes, what remedial actions should be taken?

@se-edu/tech-team-level1 any inputs?

This is a bit late for input but...

What types of information was accessed during this event?
The altered version of the bash uploader script could potentially affect:

Any credentials, tokens, or keys that our customers were passing through their CI runner that would be accessible when the bash uploader script was executed.
Any services, datastores, and application code that could be accessed with these credentials, tokens, or keys.
The git remote information (URL of the origin repository) of repositories using the bash uploader to upload coverage to Codecov in CI.

I don't think most of the forks will be affected by this, since AB3/IP in itself is a public repo and most of the students will set up their repos as public based on the instructions, where they do not need to include their Codecov secret key in their GitHub Actions.

Affected students would be those whose tp projects involve using credentials, tokens, or keys, like tps involving some kind of public API service that requires them. Even if that is the case, it is unlikely that these keys are leaked unless they accessed such services in their unit tests, as most of the repos are public and the repo should not contain secrets.
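One way to triage an individual fork against the criterion above (was any secret reachable by the CI step that ran the uploader?), as an added example that is not part of the se-edu/addressbook-level3 project or of either commenter's reply. It takes the workflow as an already-parsed dict (a real `.github/workflows/*.yml` would be loaded with PyYAML's `yaml.safe_load` first). The two sample workflows, the secret names in them, and the uploader patterns it looks for (the `codecov.io/bash` script and the `codecov/codecov-action` action, which wrapped that script in its v1 releases) are constructed assumptions, not values taken from this issue.

```python
import re

# `${{ secrets.NAME }}` references anywhere in the workflow.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
# Assumed uploader forms: the bash script fetched from codecov.io, or the
# codecov/codecov-action wrapper. Adjust if your CI invokes it differently.
UPLOADER_RUN = re.compile(r"codecov\.io/bash|codecov/bash")
UPLOADER_ACTION = "codecov/codecov-action"


def secrets_in(value):
    """Collect the names of all secrets referenced inside a scalar, dict or list."""
    if isinstance(value, dict):
        return set().union(*(secrets_in(v) for v in value.values()))
    if isinstance(value, list):
        return set().union(*(secrets_in(v) for v in value))
    if isinstance(value, str):
        return set(SECRET_REF.findall(value))
    return set()


def step_runs_uploader(step):
    """True if this step invoked the Codecov uploader in either assumed form."""
    run = str(step.get("run", ""))
    uses = str(step.get("uses", ""))
    return bool(UPLOADER_RUN.search(run)) or uses.startswith(UPLOADER_ACTION)


def audit_workflow(workflow):
    """Map each job that ran the uploader to the sorted secrets visible to that step.

    A job present with an empty list means the uploader ran (so the git remote
    URL was exposed) but no secret was in scope, which is the public-repo case
    discussed above. Caveat: secrets an earlier step wrote to disk or to
    $GITHUB_ENV are out of scope for this static check.
    """
    findings = {}
    workflow_env = secrets_in(workflow.get("env", {}))
    for job_id, job in workflow.get("jobs", {}).items():
        job_env = workflow_env | secrets_in(job.get("env", {}))
        for step in job.get("steps", []):
            if not step_runs_uploader(step):
                continue
            exposed = (
                job_env
                | secrets_in(step.get("env", {}))
                | secrets_in(step.get("with", {}))
                | secrets_in(step.get("run", ""))
            )
            findings[job_id] = sorted(exposed)
    return findings


def secrets_to_rotate(findings):
    """Flatten the audit result into one sorted list of secret names to rotate."""
    return sorted(set().union(*(set(names) for names in findings.values())))


# Constructed sample: a typical public AB3 fork, no secrets at all.
PUBLIC_WORKFLOW = {
    "name": "Java CI",
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v2"},
                {"run": "./gradlew check coverage"},
                {"run": "bash <(curl -s https://codecov.io/bash)"},
            ],
        }
    },
}

# Constructed sample: a tp that calls an external API and uses a Codecov token.
TP_WORKFLOW = {
    "name": "Java CI",
    "env": {"WEATHER_API_KEY": "${{ secrets.WEATHER_API_KEY }}"},
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v2"},
                {"run": "./gradlew check coverage"},
                {
                    "uses": "codecov/codecov-action@v1",
                    "with": {"token": "${{ secrets.CODECOV_TOKEN }}"},
                },
            ],
        }
    },
}

if __name__ == "__main__":
    for label, wf in (("public fork", PUBLIC_WORKFLOW), ("tp with secrets", TP_WORKFLOW)):
        result = audit_workflow(wf)
        print(label, "->", result, "rotate:", secrets_to_rotate(result))
```

For the public fork the audit reports the job but an empty secret list, matching the reasoning that only the remote URL of an already-public repo was exposed; for the tp sample it lists both the API key and the Codecov token, which is exactly the set that would need rotating.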

Thanks for the investigation, @Eclipse-Dominator
Let's close this for now.