vladopajic

Risks of Information Leakage through Remote Code Coverage Services

In Go projects, code coverage reporting services such as Codecov and Coveralls are widely used to track code coverage. These services run remotely and require you to submit coverage profiles (cover.out files) to their servers. This is generally unproblematic for open source projects, but closed source projects should be cautious: sharing a coverage profile can inadvertently disclose critical information about proprietary source code. A coverage profile lists every source file along with its directory structure. This seemingly innocuous information can be exploited in two ways:

  • Reverse Engineering: Adversaries could leverage the available directory structure and file list to reverse engineer your project. This could readily e
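
To see what a cover.out file hands to a remote service, the following added example (not code from the original gist or from any coverage service) audits a profile before upload and reports the file paths, package directories and per-file statement counts a recipient can read from it. The sample profile, the module path `example.com/acme` and the `Audit` function are constructed for illustration.

```go
package main

import (
	"fmt"
	"path"
	"sort"
	"strings"
)

// Constructed cover.out sample; module path, files and counts are invented.
const sampleProfile = `mode: set
example.com/acme/internal/billing/invoice.go:12.34,15.2 3 1
example.com/acme/internal/billing/invoice.go:17.40,21.2 4 0
example.com/acme/internal/fraud/rules/velocity.go:9.52,30.2 11 1
example.com/acme/internal/fraud/rules/velocity.go:9.52,30.2 11 0
example.com/acme/cmd/payments-gateway/main.go:14.13,22.2 6 0
`

// Audit returns the statements per file and the sorted package directories
// that a profile ("file:start,end numStmts count" lines) shows its recipient.
func Audit(profile string) (map[string]int, []string, error) {
	files, dirSet, seen := map[string]int{}, map[string]bool{}, map[string]bool{}
	for _, line := range strings.Split(profile, "\n") {
		if line = strings.TrimSpace(line); line == "" || strings.HasPrefix(line, "mode:") {
			continue
		}
		var span string
		var stmts, count int
		i := strings.LastIndex(line, ":") // split from the right: the path itself may contain ':'
		if _, err := fmt.Sscanf(line[i+1:], "%s %d %d", &span, &stmts, &count); i < 0 || err != nil {
			return nil, nil, fmt.Errorf("malformed profile line: %q", line)
		}
		file := line[:i]
		dirSet[path.Dir(file)] = true
		if block := file + ":" + span; !seen[block] { // concatenated profiles can repeat a block
			seen[block] = true
			files[file] += stmts
		}
	}
	dirs := make([]string, 0, len(dirSet))
	for d := range dirSet {
		dirs = append(dirs, d)
	}
	sort.Strings(dirs)
	return files, dirs, nil
}

func main() { fmt.Println(Audit(sampleProfile)) }
```

Running this over a real profile in CI, before the upload step, shows exactly which internal package names and file names would leave the build environment.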