From f841b257c7b1dfcd07e9c4a97386585022e4582a Mon Sep 17 00:00:00 2001
From: Kevin O'Gorman
Date: Mon, 19 Apr 2021 15:25:29 -0400
Subject: [PATCH 1/3] Added checksum validation for codecov scripts

---
 securedrop/bin/dev-shell | 10 +++++++++-
 securedrop/bin/run-test | 8 +++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/securedrop/bin/dev-shell b/securedrop/bin/dev-shell
index 7d86d991b5..9810a508f6 100755
--- a/securedrop/bin/dev-shell
+++ b/securedrop/bin/dev-shell
@@ -61,7 +61,15 @@ function docker_run() {
 # If this is a CI run, pass CodeCov settings into the container.
 if [ -n "${CIRCLE_BRANCH:-}" ] ; then
- ci_env=$(bash <(curl -s https://codecov.io/env))
+ tmpdir=$(mktemp -d -t codecov-XXXX)
+ curl -s https://codecov.io/bash > "$tmpdir"/codecov; # env isn't in SHA256SUM yet!!
+ curl -s https://codecov.io/env > "$tmpdir"/env;
+ VERSION=$(curl --silent "https://api.github.com/repos/codecov/codecov-bash/releases/latest" | grep '"tag_name":' |sed -E 's/.*"([^"]+)".*/\1/')
+ curl -s https://raw.githubusercontent.com/codecov/codecov-bash/"${VERSION}"/SHA256SUM > "$tmpdir"/codecov-hashes
+ pushd "$tmpdir" && shasum -a 256 -c --ignore-missing codecov-hashes && popd
+ chmod +x "$tmpdir"/env
+
+ ci_env=$(/bin/bash "$tmpdir"/env)
 else
 ci_env=""
 fi
diff --git a/securedrop/bin/run-test b/securedrop/bin/run-test
index eec4134111..421cf6c24a 100755
--- a/securedrop/bin/run-test
+++ b/securedrop/bin/run-test
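Review bot: A failed checksum does not prevent the downloaded script from running: in the added `pushd "$tmpdir" && shasum -a 256 -c --ignore-missing codecov-hashes && popd`, a non-zero `shasum` only skips `popd` (leaving the shell inside `$tmpdir`), `set -e` does not apply to a command in the middle of an `&&` list, and `ci_env=$(/bin/bash "$tmpdir"/env)` two lines later runs regardless. Gate execution on the result explicitly, e.g. `(cd "$tmpdir" && shasum -a 256 -c --ignore-missing codecov-hashes) || { printf 'codecov checksum verification failed\n' >&2; exit 1; }`. Also, per the added comment, `env` is not listed in SHA256SUM, so the file this hunk actually executes is not covered by the check in this revision whatever shasum reports. The same unguarded pattern appears in the run-test hunk of this patch and survives in both hunks of PATCH 3/3. docker_run's body continues outside the hunk.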
@@ -26,7 +26,13 @@ if [ -n "${CIRCLE_BRANCH:-}" ] ; then
 touch tests/log/firefox.log
 function finish {
 cp tests/log/firefox.log ../test-results
- bash <(curl -s https://codecov.io/bash -cF "$BASE_OS")
+ tmpdir=$(mktemp -d -t codecov-XXXX)
+ curl -s https://codecov.io/bash > "$tmpdir"/codecov;
+ VERSION=$(curl --silent "https://api.github.com/repos/codecov/codecov-bash/releases/latest" | grep '"tag_name":' |sed -E 's/.*"([^"]+)".*/\1/')
+ curl -s https://raw.githubusercontent.com/codecov/codecov-bash/"${VERSION}"/SHA256SUM > "$tmpdir"/codecov-hashes
+ pushd "$tmpdir" && shasum -a 256 -c --ignore-missing codecov-hashes && popd
+ chmod +x "$tmpdir"/codecov
+ /bin/bash "$tmpdir"/codecov
 }
 trap finish EXIT
 fi
From 49df6e897a6bca05f5462047c342fba2770e65fd Mon Sep 17 00:00:00 2001
From: Kevin O'Gorman
Date: Mon, 19 Apr 2021 16:22:33 -0400
Subject: [PATCH 2/3] Updated CircleCI to use 20.04 machine executor

---
 .circleci/config.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 61d2ebb312..5f350d7d66 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -97,6 +97,7 @@ version: 2
 jobs:
 lint:
 machine:
+ image: ubuntu-2004:202010-01
 enabled: true
 environment:
 DOCKER_API_VERSION: 1.23
@@ -124,6 +125,7 @@ jobs:
 focal-app-tests:
 machine:
+ image: ubuntu-2004:202010-01
 enabled: true
 environment:
 DOCKER_API_VERSION: 1.23
@@ -157,6 +159,7 @@ jobs:
 app-tests:
 machine:
+ image: ubuntu-2004:202010-01
 enabled: true
 environment:
 DOCKER_API_VERSION: 1.23
@@ -190,7 +193,7 @@ jobs:
 translation-tests:
 machine:
- image: ubuntu-1604:202007-01
+ image: ubuntu-2004:202010-01
 enabled: true
 environment:
 DOCKER_API_VERSION: 1.23
@@ -277,6 +280,7 @@ jobs:
 static-analysis-and-no-known-cves:
 machine:
+ image: ubuntu-2004:202010-01
 enabled: true
 environment:
 DOCKER_API_VERSION: 1.23
@@ -306,6 +310,7 @@ jobs:
 staging-test-with-rebase:
 machine:
+ image: ubuntu-2004:202010-01
 enabled: true
 working_directory: ~/sd
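Review bot: The new `/bin/bash "$tmpdir"/codecov` drops the `-cF "$BASE_OS"` arguments that the removed `bash <(curl -s https://codecov.io/bash -cF "$BASE_OS")` passed to the uploader, so the per-OS `-F` value and the `-c` option are silently lost; unless that is intended, the last added line should read `/bin/bash "$tmpdir"/codecov -cF "$BASE_OS"`. The fetches use `curl -s` without `--fail`, so an HTTP error body would be saved as `codecov` or `codecov-hashes` and only surface later as a checksum mismatch; `curl -sSf` fails at download time instead. `finish` runs as the EXIT trap, so any failure here happens after the tests have completed; the enclosing `if` begins before the hunk.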
@@ -337,6 +342,7 @@ jobs:
 staging-test-with-rebase-focal:
 machine:
+ image: ubuntu-2004:202010-01
 enabled: true
 working_directory: ~/sd
From 31b05b0730f87c26b18378085ec3a8cac9f64733 Mon Sep 17 00:00:00 2001
From: Conor Schaefer
Date: Wed, 21 Apr 2021 14:50:42 -0700
Subject: [PATCH 3/3] Verify codecov env

---
 securedrop/bin/dev-shell | 8 +++-----
 securedrop/bin/run-test | 2 +-
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/securedrop/bin/dev-shell b/securedrop/bin/dev-shell
index 9810a508f6..fba5e96dbf 100755
--- a/securedrop/bin/dev-shell
+++ b/securedrop/bin/dev-shell
@@ -62,13 +62,11 @@ function docker_run() {
 # If this is a CI run, pass CodeCov settings into the container.
 if [ -n "${CIRCLE_BRANCH:-}" ] ; then
 tmpdir=$(mktemp -d -t codecov-XXXX)
- curl -s https://codecov.io/bash > "$tmpdir"/codecov; # env isn't in SHA256SUM yet!!
+ curl -s https://codecov.io/bash > "$tmpdir"/codecov;
 curl -s https://codecov.io/env > "$tmpdir"/env;
- VERSION=$(curl --silent "https://api.github.com/repos/codecov/codecov-bash/releases/latest" | grep '"tag_name":' |sed -E 's/.*"([^"]+)".*/\1/')
+ VERSION="$(curl --silent "https://api.github.com/repos/codecov/codecov-bash/releases/latest" | grep '"tag_name":' |sed -E 's/.*"([^"]+)".*/\1/')"
 curl -s https://raw.githubusercontent.com/codecov/codecov-bash/"${VERSION}"/SHA256SUM > "$tmpdir"/codecov-hashes
- pushd "$tmpdir" && shasum -a 256 -c --ignore-missing codecov-hashes && popd
- chmod +x "$tmpdir"/env
-
+ pushd "$tmpdir" && shasum -a 256 -c codecov-hashes && popd
 ci_env=$(/bin/bash "$tmpdir"/env)
 else
 ci_env=""
diff --git a/securedrop/bin/run-test b/securedrop/bin/run-test
index 421cf6c24a..f4300c75bd 100755
--- a/securedrop/bin/run-test
+++ b/securedrop/bin/run-test
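Review bot: `VERSION` is still used unchecked; this hunk only quotes its assignment. If the unauthenticated GitHub API call is rate-limited or returns no `"tag_name":` line, `VERSION` is empty, the next `curl` fetches `.../codecov-bash//SHA256SUM`, and `codecov-hashes` ends up holding an error body that `shasum -c` rejects with a message far from the real cause; add `[ -n "$VERSION" ] || { printf 'could not determine codecov-bash version\n' >&2; exit 1; }` right after the assignment and use `curl -sSf` for the fetches. Dropping `--ignore-missing` only changes how listed-but-absent files are treated; `shasum -c` never checks a file that is not listed in `codecov-hashes`, and `env` is what the unchanged `ci_env=$(/bin/bash "$tmpdir"/env)` line executes, so the script should assert that `env` is listed (e.g. `grep -q ' env$' "$tmpdir"/codecov-hashes`) rather than rely on the upstream file's contents. The run-test hunk of this patch makes the same quoting-only change and needs the same `VERSION` guard. docker_run's body continues outside the hunk.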
@@ -28,7 +28,7 @@ if [ -n "${CIRCLE_BRANCH:-}" ] ; then
 cp tests/log/firefox.log ../test-results
 tmpdir=$(mktemp -d -t codecov-XXXX)
 curl -s https://codecov.io/bash > "$tmpdir"/codecov;
- VERSION=$(curl --silent "https://api.github.com/repos/codecov/codecov-bash/releases/latest" | grep '"tag_name":' |sed -E 's/.*"([^"]+)".*/\1/')
+ VERSION="$(curl --silent "https://api.github.com/repos/codecov/codecov-bash/releases/latest" | grep '"tag_name":' |sed -E 's/.*"([^"]+)".*/\1/')"
 curl -s https://raw.githubusercontent.com/codecov/codecov-bash/"${VERSION}"/SHA256SUM > "$tmpdir"/codecov-hashes
 pushd "$tmpdir" && shasum -a 256 -c --ignore-missing codecov-hashes && popd
 chmod +x "$tmpdir"/codecov