chainguard-dev / bincapz

detect malicious program behaviors
Apache License 2.0
404 stars, 26 forks

critical false positive: combo/backdoor/py_setuptools with az and checkov #129

Closed tstromberg closed 4 months ago

tstromberg commented 4 months ago

There are two Wolfi packages that trigger this rule:

- packages/x86_64/az-2.59/usr/share/az/.venv/lib/python3.11/site-packages/pip/_internal/utils/setuptools_build.py
- packages/x86_64/az-2.59/usr/share/az/.venv/lib/python3.11/site-packages/setuptools/_distutils/core.py
- packages/x86_64/az-2.59/usr/share/az/.venv/lib/python3.11/site-packages/setuptools/build_meta.py
- packages/x86_64/checkov-3.0/usr/share/app/checkov/.venv/lib/python3.11/site-packages/numpy/distutils/misc_util.py
- packages/x86_64/checkov-3.0/usr/share/app/checkov/.venv/lib/python3.11/site-packages/numpy/distutils/tests/test_build_ext.py
- packages/x86_64/checkov-3.0/usr/share/app/checkov/.venv/lib/python3.11/site-packages/pip/_internal/utils/setuptools_build.py
- packages/x86_64/checkov-3.0/usr/share/app/checkov/.venv/lib/python3.11/site-packages/setuptools/_distutils/core.py
- packages/x86_64/checkov-3.0/usr/share/app/checkov/.venv/lib/python3.11/site-packages/setuptools/build_meta.py
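Every hit listed above lives under `site-packages/` inside `pip`, `setuptools` or `numpy.distutils`, i.e. the modules whose job is to drive setuptools builds, so a setuptools-keyed backdoor rule firing on them is expected noise rather than a signal. The triage script below is an added example, not code from this issue or from bincapz: it takes a list of hit paths, maps each to its dotted module name, and separates hits inside known build-tooling modules from hits that still need a human look. The allowlist of module prefixes, the two extra "suspect" paths, and the `packages/<arch>/<pkg>/` layout it parses for the package name are assumptions made for the example (the layout is simply the one visible in the paths above).

```python
"""Triage setuptools-rule hits: expected build tooling vs. paths to review.

Added example; not part of the bincapz project or of issue #129.
"""
import re
from typing import List, Optional, Tuple
from pathlib import PurePosixPath

# The eight paths reported in the issue, verbatim.
REPORTED_HITS = [
    "packages/x86_64/az-2.59/usr/share/az/.venv/lib/python3.11/site-packages/pip/_internal/utils/setuptools_build.py",
    "packages/x86_64/az-2.59/usr/share/az/.venv/lib/python3.11/site-packages/setuptools/_distutils/core.py",
    "packages/x86_64/az-2.59/usr/share/az/.venv/lib/python3.11/site-packages/setuptools/build_meta.py",
    "packages/x86_64/checkov-3.0/usr/share/app/checkov/.venv/lib/python3.11/site-packages/numpy/distutils/misc_util.py",
    "packages/x86_64/checkov-3.0/usr/share/app/checkov/.venv/lib/python3.11/site-packages/numpy/distutils/tests/test_build_ext.py",
    "packages/x86_64/checkov-3.0/usr/share/app/checkov/.venv/lib/python3.11/site-packages/pip/_internal/utils/setuptools_build.py",
    "packages/x86_64/checkov-3.0/usr/share/app/checkov/.venv/lib/python3.11/site-packages/setuptools/_distutils/core.py",
    "packages/x86_64/checkov-3.0/usr/share/app/checkov/.venv/lib/python3.11/site-packages/setuptools/build_meta.py",
]

# Constructed, hypothetical hits that are NOT standard build tooling and
# therefore must stay in the "review" bucket.  Invented for this example.
SUSPECT_HITS = [
    "packages/x86_64/example-1.0/usr/share/app/.venv/lib/python3.11/site-packages/example_pkg/_setup_hook.py",
    "packages/x86_64/example-1.0/usr/share/app/setup.py",
]

# Dotted module prefixes that reference setuptools/distutils build machinery
# as part of their normal job.  This allowlist is an assumption for the
# example, not a list taken from bincapz's rules.
BUILD_TOOLING_PREFIXES = (
    "pip",
    "setuptools",
    "pkg_resources",
    "_distutils_hack",
    "wheel",
    "numpy.distutils",
)

# Anything after the last "site-packages/" component, ending in .py.
_SITE_PACKAGES_RE = re.compile(r"(?:^|/)site-packages/(?P<rel>.+\.py)$")


def module_name(path: str) -> Optional[str]:
    """Dotted module name of a .py file installed under site-packages, else None."""
    m = _SITE_PACKAGES_RE.search(path)
    if not m:
        return None
    rel = PurePosixPath(m.group("rel")).with_suffix("")
    return ".".join(rel.parts)


def is_build_tooling(path: str) -> bool:
    """True if the hit sits inside an allowlisted build-tooling module."""
    mod = module_name(path)
    if mod is None:
        return False
    return any(mod == p or mod.startswith(p + ".") for p in BUILD_TOOLING_PREFIXES)


def wolfi_package(path: str) -> Optional[str]:
    """Package directory, e.g. 'az-2.59', from the 'packages/<arch>/<pkg>/...' layout (assumed)."""
    parts = PurePosixPath(path).parts
    if len(parts) >= 3 and parts[0] == "packages":
        return parts[2]
    return None


def triage(hits: List[str]) -> Tuple[List[str], List[str]]:
    """Split hits into (expected build tooling, needs review)."""
    expected: List[str] = []
    review: List[str] = []
    for h in hits:
        (expected if is_build_tooling(h) else review).append(h)
    return expected, review


if __name__ == "__main__":
    expected, review = triage(REPORTED_HITS + SUSPECT_HITS)
    print(f"expected build tooling: {len(expected)} hit(s)")
    for h in expected:
        print(f"  [{wolfi_package(h)}] {module_name(h)}")
    print(f"needs review: {len(review)} hit(s)")
    for h in review:
        print(f"  [{wolfi_package(h)}] {h}")
```

Matching on the dotted module name rather than on a raw substring matters: `numpy.distutils` is allowlisted, but a hit in `numpy.core` or in a third-party package whose file happens to be called `setuptools_build.py` is not, and a `setup.py` at the top of a package tree is never under `site-packages/`, so it always lands in the review bucket.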