Comments (2)
I'm unclear on what the issue is.
The files that are in your package are uploaded directly to VirusTotal. Install-ChocolateyZipPackage hasn't done anything to the Zip files that are in the package (or their hashes would have changed) so I'm unsure how this comes into play to ensure that your files are receiving AV detections.
And I also understand Choco doesn't handle how anti-virus scanners work.
I'm unclear what you mean here. Can you elaborate?
Hi @pauby,
I'm new to the process of uploading packages into Chocolatey, so I apologize if I wasn't clear enough. This issue is mostly a question about what things a maintainer can do to avoid false positives.
As I mentioned, I've submitted a package, a zip file that contains a .exe file, and VirusTotal is reporting a warning for a potential vulnerability (trojan.Malware.300983.susgen).
In order to analyze and mitigate the warning, I went ahead and uploaded the zip files and NuGet package to VirusTotal, and no vulnerabilities were detected, as you can see here:
As no vulns were detected, I dug deeper into the VirusTotal report provided in the Chocolatey package dashboard, and I noticed this particular one:
Matches rule Password Protected Compressed File Extraction Via 7Zip by Nasreddine Bencherchali (Nextron Systems) at Sigma Integrated Rule Set (GitHub)
Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.
Considering all files don't throw any vulns independently, is it possible that this MEDIUM vuln is caused by Install-ChocolateyZipPackage and the way 7Zip utilities are being used underneath? Is there any recommendation to mitigate false positives that can be done on the Choco scripts side?
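As an added example (not code from the issue or from Chocolatey), the following approximates the Sigma rule quoted in the comment above as a small matcher and runs it over constructed process-creation events, showing which 7-Zip invocations would and would not be flagged. The matching conditions are this example's own reading of the rule description, and the paths, archive names and the Chocolatey-style command line are constructed, not taken from the project.

```python
# Added example: a Sigma-style approximation of "Password Protected Compressed
# File Extraction Via 7Zip", run over constructed Sysmon-like events. The
# conditions below are this example's reading of the rule description, not
# the upstream rule text.

SEVEN_ZIP_IMAGES = ("7z.exe", "7za.exe", "7zr.exe")  # utilities named in the rule


def matches_7zip_password_extraction(event: dict) -> bool:
    """True when the event is a 7-Zip extract run (x or e) that passes -p<password>."""
    exe = event.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in SEVEN_ZIP_IMAGES:
        return False
    # Skip the program token; 7-Zip syntax is: 7z <command> [switches] <archive>
    tokens = event.get("CommandLine", "").split()[1:]
    extract_cmd = any(t.lower() in ("x", "e") for t in tokens)
    password_switch = any(t.lower().startswith("-p") for t in tokens)
    return extract_cmd and password_switch


def scan(events: list) -> list:
    """Return the names of the events the rule would flag."""
    return [e["name"] for e in events if matches_7zip_password_extraction(e)]


# Constructed sample events (hypothetical paths, archive names and password).
SAMPLE_EVENTS = [
    {   # an Install-ChocolateyZipPackage-style unpack: no password switch
        "name": "choco-unzip",
        "Image": r"C:\ProgramData\chocolatey\tools\7z.exe",
        "CommandLine": r'7z.exe x -aoa -bd -bb1 -o"C:\tools\example" -y "C:\temp\example.zip"',
    },
    {   # same utility extracting with a password: this is what the rule targets
        "name": "password-unzip",
        "Image": r"C:\Tools\7za.exe",
        "CommandLine": r"7za.exe x -pSamplePw -oC:\out C:\temp\protected.7z",
    },
    {   # a -p switch on a non-7-Zip binary must not match
        "name": "other-tool",
        "Image": r"C:\Windows\System32\ping.exe",
        "CommandLine": "ping.exe -p x 127.0.0.1",
    },
]

if __name__ == "__main__":
    print("flagged:", scan(SAMPLE_EVENTS))  # flagged: ['password-unzip']
```

Comparing the command line recorded by the sandbox against these conditions is the quickest way to tell whether a hit came from the package's own 7-Zip call or from another process in the same run.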