Codecov Changes the Bash Uploader for a NodeJS executable
Codecov has recently introduced a cross-platform uploader meant to replace its former Bash Uploader, available as a static binary executable.
The change comes just after the recent Codecov supply-chain incident, which lasted two months. The attackers altered the Codecov Bash Uploader so that it collected sensitive credentials from customers' CI/CD environments. The newly introduced uploader currently supports Windows, Linux, and macOS.
NodeJS Uploader Will Replace the Bash Uploader
Codecov has launched a beta release of its all-new uploader able to function on Windows, Linux, Alpine Linux, and macOS operating systems.
The new uploader is written in NodeJS and meant to replace the Bash Uploader that Codecov previously had in place.
For the last 8 months, Codecov has been developing a new uploader that does not rely on the bash script that we currently provide to our customers.
We initiated this project because, as usage of Codecov has grown and our development velocity has increased, the Bash Uploader has become increasingly complex to properly maintain.
The CEO said they had multiple reasons for taking this step, including the fact that Bash scripts had become very difficult to maintain, extend, distribute, and test as their complexity increased.
The “curl | bash” style commands that customers previously used to run the Bash Uploader and submit coverage data raised concerns after the recent supply-chain attack in which the Bash Uploader was compromised.
To combat this incident from a product perspective we initially provided better documentation on how to verify the Codecov Bash Uploader until our new Uploader was complete, but our ultimate long-term goal has always been to replace the Bash Uploader altogether.
The uploader is offered as a natively compiled binary built from open-source NodeJS code that the community, customers, and anyone else can audit and contribute to; it comes with new features, added benefits, and improved security.
In a blog post, the company explained that a compiled binary “makes it more difficult for code to be modified by a middle man,” and offers enhanced security compared to the former Bash Uploader.
Benefits of the New Uploader
There are a number of benefits to the new Uploader that address some of the security weaknesses of the former bash uploader. Some of these benefits include:
- A compiled binary makes it more difficult for code to be modified by a middle man.
- A more secure, verifiable distribution when compared to the Bash Uploader
- Single codebase in a modern language for all platforms (Windows, Linux, OSX)
- A more robust multi-platform CI/CD pipeline that can properly conduct automated testing of the Uploader in all three major operating environments (i.e., Windows, Linux, OSX). This provides a better tested and validated end product for our users.
- The adoption of NodeJS along with a more modular code architecture allows for a wider body of contributors than was previously possible with Bash.
- Support for multiple environments in other ecosystems – the CircleCI orb, GitHub Action, and Bitrise step will be updated to use the appropriate Uploader binary.
Codecov has made available a few simple steps that let customers verify the integrity of the new uploader: alongside the uploader binary it provides a checksum (shasum) file signed with Codecov's GPG key, which can be verified against the published public key.
Customers can run a few commands to ensure that the hash or checksum of the downloaded uploader matches the one listed in the checksum file, and that the checksum file itself is authentic (signed by Codecov’s GPG key).
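The two-step verification described above, as an added example (this is not Codecov's own script): the signature on the checksum file is checked first, then the binary's hash is compared with the signed list. The file names codecov, codecov.SHA256SUM, codecov.SHA256SUM.sig and codecov.gpg are assumptions.

```shell
#!/bin/sh
# Added example, not Codecov's code. Assumed files: codecov (binary),
# codecov.SHA256SUM (sha256sum-format list), codecov.SHA256SUM.sig
# (detached signature), codecov.gpg (the publisher's exported public key).

# Print the SHA-256 hex digest of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Step 1: verify the detached signature on the checksum file using a throwaway
# keyring that holds only the publisher's key, so no other key in the user's
# default keyring can vouch for the file. Non-zero exit means "do not trust".
verify_signature() {
    keyfile=$1; sumfile=$2; sigfile=$3
    tmphome=$(mktemp -d) || return 1
    chmod 700 "$tmphome"
    GNUPGHOME=$tmphome gpg --batch --quiet --import "$keyfile" 2>/dev/null &&
        GNUPGHOME=$tmphome gpg --batch --verify "$sigfile" "$sumfile" 2>/dev/null
    rc=$?
    rm -rf "$tmphome"
    return $rc
}

# Step 2: look up the binary's entry in the (now trusted) checksum file and
# compare digests. Accepts both "hash  name" and binary-mode "hash *name" lines;
# a file with no entry fails instead of passing silently.
verify_checksum() {
    sumfile=$1; binary=$2
    name=$(basename "$binary")
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sumfile")
    [ -n "$expected" ] || { echo "no entry for $name in $sumfile" >&2; return 1; }
    [ "$(sha256_of "$binary")" = "$expected" ]
}

# Run both steps in order; a failure in either one means the binary must not run.
# Usage: verify_uploader codecov.gpg codecov.SHA256SUM codecov.SHA256SUM.sig codecov
verify_uploader() {
    verify_signature "$1" "$2" "$3" || { echo "signature check FAILED" >&2; return 1; }
    verify_checksum "$2" "$4" || { echo "checksum mismatch" >&2; return 1; }
    echo "ok: $4 matches the signed checksum file"
}
```

The signature check runs first on purpose: an attacker who replaces both the binary and the checksum file still cannot produce a valid signature without the publisher's private key.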
The newly introduced NodeJS uploader is expected to address some of the concerns with Codecov’s former set of uploaders, as the company plans to start performing “random unscheduled brownouts” of its Bash Uploader and to phase it out completely by February 2022.