[cncf-sig-security] Action Needed - Codecov bash uploader supply chain attack

Liz Rice

🙏 Thanks to SIG Security for this advice on Codecov  

@chris @amye you’re probably already on top of this, but please could we make sure the relevant project maintainers are aware and acting on this? Per their note, SIG Security are available on Slack if anyone has any questions

---------- Forwarded message ---------
From: Lorenzo Fontana <fontanalorenz@...>
Date: Sat, 17 Apr 2021 at 23:49
Subject: [cncf-sig-security] Action Needed - Codecov bash uploader supply chain attack
To: <cncf-sig-security@...>

Hello everyone,
On April 15th 2021, the Codecov team published a note [0] acknowledging a supply chain attack affecting their bash uploader.

**Background of the attack**

The Codecov bash uploader is the component responsible for reporting back coverage results to the CI systems of the projects using the service.

This component is usually executed in a CI step by just downloading and executing the script via bash  + cURL directly as described in their documentation [1].

This attack was possible because of an error in the image creation process that allowed the actor to extract the credential required to modify the script.

From their announcement:

The altered version of the bash uploader script could potentially affect:

- Any credentials, tokens, or keys that our customers were passing through their CI runner that would be accessible when the bash uploader script was executed.
- Any services, datastores, and application code that could be accessed with these credentials, tokens, or keys.
- The git remote information (URL of the origin repository) of repositories using the bash uploader to upload coverage to Codecov in CI.

**Action Items**

CNCF projects using Codecov are recommended to do the following:

- Rotate all the private credentials available in the context where the script was executed
- Validate the bash script with a trusted copy of the SHA256 sum as described in the Codecov docs [2]
- Watch out for any suspect usage of the tokens


The SIG does not have visibility on whether or not projects are using Codecov right now. However, we did a research and this is a list of the repositories that we found using Codecov:


If you don’t know how to check or have any other questions regarding this. Please feel free to reach out to the #sig-security channel on the CNCF Slack.

The CNCF SIG-Security Team

P.S: Thanks to Magno Logan, Emily Fox and Dan (POP) Papandrea for helping in getting this ready for the mailing list.

[0] https://about.codecov.io/security-update/
[1] https://docs.codecov.io/docs/about-the-codecov-bash-uploader
[2] https://docs.codecov.io/docs/about-the-codecov-bash-uploader#validating-the-bash-script

Richard Hartmann

Just to confirm: Chris A already sent this to all maintainers.