Sadly I can't provide a corresponding patch because zip is used for export only and my own Assimp builds don't use exports, so I would have trouble testing it.
kimkulling added the API (Bugs related to the public API) and Bug (Global flag to mark a deviation from expected behaviour) labels on Apr 30, 2021
Hello,
We've received reports that the zip dependency in contrib/zip (which itself is a clone of https://github.com/kuba--/zip/) ships with a link to codecov in some .yml file.
This is in the latest assimp master:
https://github.com/assimp/assimp/blob/74577ae3c79132b2d643ae667a1bd71e0a99f48f/contrib/zip/.travis.yml
These links trigger automatic code scanning tools, as codecov's bash has recently been compromised; you can read more about it here: https://about.codecov.io/security-update/ . Although that shouldn't affect any assimp user (as users won't use the yml files in question), this compromises the ability to ship assimp.
Upstream zip has already removed the links to codecov, for instance here: https://github.com/kuba--/zip/pull/118
So, I'd kindly like to ask to pull from upstream in order to get rid of that link from assimp's own sources, and make sure that all references to codecov are dropped in the next assimp .zip release. Thank you!
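The request above boils down to a release-time check: before a source archive ships, no file in the tree may still reference Codecov, since that is exactly what the automated scanners key on. The script below is an added example, not assimp's or kuba--/zip's own tooling. It scans a directory for Codecov references (the uploader URL, the `CODECOV_TOKEN` variable, a `codecov.yml` or a bare `codecov` token), reports each match with file and line number, and fails the check when anything is found. The sample tree it builds (a `contrib/zip/.travis.yml` with the `bash <(curl -s https://codecov.io/bash)` uploader line and one clean C file) is constructed here for offline demonstration and is not taken from the assimp repository.

```shell
#!/bin/sh
# Added example (not assimp's or kuba--/zip's own tooling): fail a release
# build when any file in a source tree still references Codecov.
# Usage: . ./check_codecov.sh; codecov_check path/to/tree
#        sh check_codecov.sh --demo   (runs against a constructed sample tree)

# Case-insensitive patterns: the uploader host, the upload token variable,
# the codecov.yml config file, and a bare "codecov" token (badge, package, command).
CODECOV_PATTERN='codecov\.io|CODECOV_TOKEN|codecov\.yml|(^|[^[:alnum:]_])codecov([^[:alnum:]_]|$)'

# Print every matching line as path:lineno:text (grep exits 0 if anything matched).
codecov_refs() {
  grep -rniE "$CODECOV_PATTERN" "$1" 2>/dev/null
}

# Exit 0 when the tree is clean, 1 when at least one reference remains.
# "|| true" keeps a clean tree (grep exit 1) from tripping "set -e" callers.
codecov_check() {
  refs=$(codecov_refs "$1" || true)
  if [ -n "$refs" ]; then
    printf 'codecov references found under %s:\n%s\n' "$1" "$refs" >&2
    return 1
  fi
  return 0
}

# Number of distinct files that still reference Codecov.
codecov_file_count() {
  codecov_refs "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# Build a small constructed tree with the layout described in the issue and
# print its path. The .travis.yml content is made up for this example.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/contrib/zip" "$d/code"
  cat > "$d/contrib/zip/.travis.yml" <<'EOF'
language: c
script:
  - cmake . && make && ctest
after_success:
  - bash <(curl -s https://codecov.io/bash)
EOF
  # A clean file that must not be flagged.
  printf 'int main(void) { return 0; }\n' > "$d/code/main.c"
  printf '%s\n' "$d"
}

# Demonstration: the sample tree fails the check, then passes once the
# offending file is removed (the equivalent of pulling the upstream fix).
if [ "${1:-}" = "--demo" ]; then
  tree=$(make_sample_tree)
  codecov_check "$tree" && echo "clean" || echo "not clean"
  rm "$tree/contrib/zip/.travis.yml"
  codecov_check "$tree" && echo "clean" || echo "not clean"
  rm -rf "$tree"
fi
```

Run `codecov_check` against the unpacked release archive rather than the git checkout, so vendored directories such as `contrib/zip` are covered exactly as they ship; a non-zero exit is the signal to pull upstream before tagging.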