check without upload (Gemfile containing github tokens, security issue)

Issue #96 resolved
Christian Westgaard created an issue

Hi

Our Gemfiles contain some github personal access tokens.

So I discovered veye check actually uploads the Gemfile, and public is the default, so we had to reset our tokens.

It would be nice if it were possible to run a check command without uploading the Gemfile.

As far as I can see there is no way for anyone to download the actual Gemfile (thus getting access to the tokens). Do you know if that is true?

I'm guessing only the versioneye developers have access to the uploaded files.
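Added example, not part of the issue thread and not VersionEye's or veye's code: a small pre-upload scanner that looks for the situation the issue describes, a GitHub personal access token embedded in a Gemfile git source URL, so the file can be checked locally before any tool sends it anywhere. The token prefixes (`ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_`) are taken from GitHub's published token formats; the Gemfile content is constructed for the example. Bare 40-hex strings are deliberately only flagged inside URL userinfo, because elsewhere in a Gemfile they are usually `ref:` commit SHAs, not credentials.

```ruby
# Added example (not from the issue thread or VersionEye): scan a Gemfile for
# credentials before handing the file to any upload-based tool.

# GitHub's prefixed token formats (prefix set assumed from GitHub's docs).
PREFIXED_TOKEN = /\bgh[pousr]_[A-Za-z0-9]{20,}\b/
# Any URL carrying userinfo: scheme://user:secret@host or scheme://token@host.
# Classic 40-hex tokens are only reported here; a bare 40-hex string elsewhere
# in a Gemfile is normally a git commit SHA (`ref: '...'`), not a secret.
URL_WITH_USERINFO = %r{[a-z][a-z0-9+.-]*://([^/\s@"']+)@[^\s"']+}i

Finding = Struct.new(:line_no, :kind, :redacted)

# Keep only the first and last four characters so a report never re-leaks the secret.
def redact(secret)
  return '*' * secret.length if secret.length <= 8
  secret[0, 4] + '*' * (secret.length - 8) + secret[-4, 4]
end

def scan_gemfile(text)
  findings = []
  text.each_line.with_index(1) do |line, no|
    line.scan(PREFIXED_TOKEN) { |tok| findings << Finding.new(no, :github_token, redact(tok)) }
    if (m = URL_WITH_USERINFO.match(line))
      userinfo = m[1]
      # "user:password" or a bare token: either way the part before '@' is secret.
      secret = userinfo.include?(':') ? userinfo.split(':', 2).last : userinfo
      # Prefixed tokens in userinfo were already reported above; skip duplicates.
      unless secret.empty? || secret.match?(PREFIXED_TOKEN)
        findings << Finding.new(no, :url_credential, redact(secret))
      end
    end
  end
  findings
end

# Constructed sample Gemfile reproducing the issue: tokens inside git source URLs.
SAMPLE_GEMFILE = <<~GEMFILE
  source 'https://rubygems.org'
  gem 'rails', '~> 6.1'
  # constructed example of the problem from the issue: a PAT in a git source URL
  gem 'internal-auth', git: 'https://ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789ab@github.com/example/internal-auth.git'
  gem 'legacy-lib', git: 'https://deploy:0123456789abcdef0123456789abcdef01234567@github.com/example/legacy-lib.git'
  gem 'pinned', git: 'https://github.com/example/pinned.git', ref: 'deadbeefdeadbeefdeadbeefdeadbeefdeadbeef'
GEMFILE

if __FILE__ == $PROGRAM_NAME
  path = ARGV[0]
  text = path && File.file?(path) ? File.read(path) : SAMPLE_GEMFILE
  scan_gemfile(text).each { |f| puts "line #{f.line_no}: #{f.kind} #{f.redacted}" }
end
```

Run it as `ruby scan_gemfile.rb Gemfile` (assumed file name) in a pre-commit hook or CI step; a non-empty result means the file should not be uploaded until the credential is moved out of the Gemfile (for example into bundler's per-host credential configuration) and rotated.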

Comments (9)

  1. Christian Westgaard reporter

    Basically unless we strip the tokens from our Gemfiles before uploading, this prevents us from using versioneye.

  2. Robert Reiz

    Hi @ComLock. VersionEye is not storing the original project files (Gemfile, Gemfile.lock). It doesn't matter which way you choose to create a project (API, URL, Upload, GitHub Integration, Bitbucket Integration), in all cases VersionEye will only parse the content of the file and then delete the file. We don't keep a copy of the original file.

  3. Robert Reiz

    @ComLock It re-parses the original version strings. The projectdependency model has these 3 variables:

    • version_label
    • version_requested
    • version_current

    In the version_label we always store the original version string from the file. For example 1.2.*. At the moment of parsing it gets resolved to the currently newest patch version, for example 1.2.1, and that value is stored in version_requested. If you hit the "re parse" button that value gets evaluated again and now the newest patch version might be 1.2.2.
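Added example, not VersionEye's code: a model of the three fields named in the comment above, showing how a label like `1.2.*` is resolved to the newest matching patch version at parse time and resolved again on re-parse once a newer patch exists. The field names come from the comment; the resolution logic, the `Dependency` struct and the version lists are this example's own assumptions. It uses RubyGems' `Gem::Requirement`, converting `X.Y.*` to the equivalent `~> X.Y.0` range, and excludes prerelease versions, which `Gem::Requirement` alone would otherwise let through.

```ruby
# Added example (not VersionEye's implementation): version_label vs
# version_requested vs version_current, and what "re parse" changes.
require 'rubygems' # Gem::Version / Gem::Requirement

# Field names follow the comment above; the struct itself is an assumption.
Dependency = Struct.new(:name, :version_label, :version_requested, :version_current)

# Convert a label to a Gem::Requirement. "1.2.*" becomes "~> 1.2.0" (same
# range: >= 1.2.0, < 1.3); other labels ("~> 6.1", ">= 2.0", "1.0.0") are
# passed to Gem::Requirement unchanged.
def requirement_for(label)
  if (m = /\A(\d+(?:\.\d+)*)\.\*\z/.match(label))
    Gem::Requirement.new("~> #{m[1]}.0")
  else
    Gem::Requirement.new(label)
  end
end

# Release versions only: a prerelease such as 1.3.0.pre would otherwise satisfy
# "~> 1.2.0" because it sorts below 1.3.0.
def release_versions(available)
  available.map { |v| Gem::Version.new(v) }.reject(&:prerelease?)
end

# Newest available release satisfying the label, or nil if nothing matches.
def newest_matching(label, available)
  req = requirement_for(label)
  release_versions(available).select { |v| req.satisfied_by?(v) }.max&.to_s
end

# First parse: label is stored verbatim, requested is resolved now, current is
# the newest release that exists at all.
def parse_dependency(name, label, available)
  Dependency.new(name, label,
                 newest_matching(label, available),
                 release_versions(available).max&.to_s)
end

# "re parse": keep the stored label and resolve it against today's releases.
def reparse(dep, available)
  parse_dependency(dep.name, dep.version_label, available)
end

if __FILE__ == $PROGRAM_NAME
  first = parse_dependency('example-gem', '1.2.*', %w[1.1.0 1.2.0 1.2.1 1.3.0.pre]) # constructed
  puts first.to_h   # version_requested "1.2.1"
  later = reparse(first, %w[1.1.0 1.2.0 1.2.1 1.2.2 1.3.0])                          # constructed
  puts later.to_h   # version_requested "1.2.2", version_current "1.3.0"
end
```

The point of keeping `version_label` untouched is that re-parsing never needs the original file: the stored label is enough to re-resolve, which matches the statement in the thread that the uploaded Gemfile is not retained.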

  4. Robert Reiz

    @ComLock If your project is created from "URL" or via the GitHub/Bitbucket API, then the "re parse" button is first fetching the file from the original source and then re-parsing everything. In case of a file upload the first step is skipped.
