Open qbolec opened 1 year ago
on linux, you can remove network access using unshare(1)
: unshare -r -n java -jar ...
you can also do some bind mount trickery to only expose a readonly view of the filesystem then scan that, but I don't know off the top of my head the incantations for that.
Unfortunately trust is always necessary at some point in the process. If you feel comfortable in doing so, you can always build the program yourself. Or, if you don't feel comfortable with that, you have as much assurance as I can reasonably offer that the jar on the releases page isn't compromised. The file was automatically built and uploaded by our release pipeline, which unless a nasty commit makes its way in, minimizes the chances that any jar distributed here is malicious.
So, you ask me to download your app and run it on my computer, and trust you everything will be fine? Isn't that what got me in trouble in the first place? :)
Yes, in theory I could review the source code here, but I am not a Java expert, and it looks like there's already hundreds of lines of "code" and "configs" in this repo, and I have no time to learn how to do that.
What's the safe way to run this scan?
- Can I for example run it in "read-only" + "no access to internet" way? If so, how can I use OS help to achieve the two goals?
- Is there perhaps some simple set of strings we are simply grepping for, and I could pass to grep/ack or some other existing tool?
Chat GPT is your friend. You can put a code in there and ask it to detect if something shouldn't be there.
Edit: To clarify I mean the code in this repo.
Please do not use chat gpt to check if code is infected, it cannot accurately read code this high of a degree. Also, iirc, the malware just injects bytecode, which chatgpt certainly cannot read. So again, please don't use chat gpt, use the scanner.
Please do not use chat gpt to check if code is infected, it cannot accurately read code this high of a degree. Also, iirc, the malware just injects bytecode, which chatgpt certainly cannot read. So again, please don't use chat gpt, use the scanner.
To clarify I mean the code in this repo.
ChatGPT will confidently give you outrageously wrong answers. It's a joke among my coworkers just how inaccurate it is about anything the asker has subject matter knowledge for.
I've probed the entirity of the codebase and there seems to be nothing that raises red flags.
The most secure way would be to run it as docker and mount the fs root as readonly volume.
Something like docker run --rm -v /:/myfs:r eclipse/temurin -jar /myfs/path/to/the/scanner.jar
I have quite a lot of experience in Java and I can tell you that this project is safe. The information on their computers is not shared or modified in any way and only scan .jar
files and some possible malicious files. So use it without any fear or concern.
So, you ask me to download your app and run it on my computer, and trust you everything will be fine? Isn't that what got me in trouble in the first place? :)
Yes, in theory I could review the source code here, but I am not a Java expert, and it looks like there's already hundreds of lines of "code" and "configs" in this repo, and I have no time to learn how to do that.
What's the safe way to run this scan?