
codecov @2.3.0

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 100
License: MIT
Install Scripts: No
Dependencies: 3
Dev Dependencies: 4
Package Size: 14.0 KB
Published

Uploading report to Codecov: https://codecov.io

Maintainers

eddiemoore, niftylettuce, stevepeak

Keywords

coverage, code-coverage, codecov.io, codecov

Dependencies (3)

Package    Constraint   Registry Status
argv       0.0.2        auto_approved
request    2.81.0       No greenflagged match
urlgrey    0.4.4        auto_approved

Dev Dependencies (4)

Package    Constraint   Registry Status
mocha      ^3.0.2       auto_approved
jshint     ^2.9.3       auto_approved
istanbul   ^0.4.5       No greenflagged match
expect.js  ^0.3.1       auto_approved

Transitive Dependency Tree

3 transitive deps, max depth 1
  ├─ argv 0.0.2 → 0.0.2
  ├─ request 2.81.0
  ├─ urlgrey 0.4.4 → 0.4.4

Changes from v1.0.1

Dependency Changes

Change    Package    Version
removed   execSync   1.0.2
changed   argv       >=0.0.2 → 0.0.2
changed   request    >=2.42.0 → 2.81.0
changed   urlgrey    >=0.4.0 → 0.4.4

File Changes

7 added, 0 removed, 20 modified; size delta: +12.7 KB

SAST Findings (5)

CRITICAL GHSA-xp63-6vf5-xf3v: Command injection in codecov (npm package) [source: osv]

CVSS 9.3 (CRITICAL) — CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Impact: The `upload` method has a command injection vulnerability. Clients of the `codecov-node` library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. A similar CVE was issued, [CVE-2020-7597](https://github.com/advisories/GHSA-5q88-cjfq-g2mh), but the fix was incomplete: it only blocked `&`, and command injection is still possible using backticks instead to bypass the sanitizer. We have written a [CodeQL](https://codeql.com) query which automatically detects this vulnerability. You can see the results of the query on the `codecov-node` project [here](https://lgtm.com/query/7714424068617023832/).

Patches: This has been patched in version 3.7.1.

Workarounds: None; however, the attack surface is low in this case, particularly in the standard use of codecov, where the module is used directly in a build pipeline rather than built against as a library in another application that may supply malicious input and perform command injection.

References: [CVE-2020-7597](https://github.com/advisories/GHSA-5q88-cjfq-g2mh)

For more information: If you have any questions or comments about this advisory, contact us via our [Security Email](mailto:[email protected]).

HIGH Publisher changed: stevepeak → eddiemoore (on 2017-08-03) [source: provenance]

This version was published by a different npm account than previous versions on 2017-08-03. This could indicate a legitimate maintainer transition or an account compromise.

HIGH GHSA-5q88-cjfq-g2mh: codecov NPM module allows remote attackers to execute arbitrary commands [source: osv]

CVSS 8.8 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The codecov-node npm module before 3.6.5 allows remote attackers to execute arbitrary commands. The value provided as part of the gcov-root argument is executed by the exec function within lib/codecov.js. This vulnerability exists due to an incomplete fix of CVE-2020-7596.

HIGH GHSA-mh2h-6j8q-x246: Improper Neutralization of Special Elements in Output Used by a Downstream Component in Codecov [source: osv]

CVSS 8.8 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The Codecov npm module before 3.6.2 allows remote attackers to execute arbitrary commands via the "gcov-args" argument.

LOW No provenance attestation [source: provenance]

The package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 100 (capped from 138). Findings: 1 critical (+40), 3 high (+75), 2 medium (+20), 1 low (+3), 3 info (+0).

Commit: 7e39f19b4143

Published to npm: