chocolatey / home

The place to start for issues with infrastructure-related areas of Chocolatey, or really any issue that has no better home. There is also choco for the CLI client and Chocolatey GUI for the GUI.
Apache License 2.0

[Package scanner] package flagged as investigate #61

Open TheCakeIsNaOH opened 3 years ago

TheCakeIsNaOH commented 3 years ago

This package was flagged as investigate in the package scanner: https://community.chocolatey.org/packages/axtraxng/27.7.1.18

I don't understand why. It includes one embedded archive, and no downloaded files (and no URLs in the install script). So, it is under the 200 MB limit, and I don't understand how one embedded file could mean an incorrect number of files was scanned.

AdmiringWorm commented 3 years ago

This is just an assumption on my part, but the failure could be because of the multiple calls to the Install- helpers.

Most likely, it ended up with a number of found binary files that did not match the expected number of files specified in the install script.

Since there are six calls to one of the Install- helpers, it expected to have 6 binary files to verify, but it did not (because 2 of those calls are hidden behind a package parameter).

However, these are all just my assumptions and I cannot say anything with 100% certainty.
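
An added example (not part of this issue thread, and not Chocolatey's actual package-scanner code) that illustrates the hypothesis above: count the Install-Chocolatey* helper calls in a constructed chocolateyInstall.ps1, note which of them sit inside a package-parameter conditional, and compare the count against the binaries the package actually ships. The script text, the file list, and the brace-depth heuristic for spotting `if ($pp...) {` blocks are assumptions made for illustration; the scanner's real rules are not described on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of a chocolateyInstall.ps1 (not the axtraxng script):
# six Install-Chocolatey* helper calls, two of which only run when the
# package parameter "Extras" is passed.
SAMPLE_INSTALL_SCRIPT = r"""
$ErrorActionPreference = 'Stop'
$toolsDir = Split-Path -Parent $MyInvocation.MyCommand.Definition
$pp = Get-PackageParameters

Install-ChocolateyInstallPackage -PackageName 'example' -File "$toolsDir\core.msi" -FileType 'msi'
Install-ChocolateyInstallPackage -PackageName 'example' -File "$toolsDir\driver.exe" -FileType 'exe'
Install-ChocolateyInstallPackage -PackageName 'example' -File "$toolsDir\tools.exe" -FileType 'exe'
Install-ChocolateyInstallPackage -PackageName 'example' -File "$toolsDir\docs.msi" -FileType 'msi'

if ($pp.Extras) {
    Install-ChocolateyInstallPackage -PackageName 'example' -File "$toolsDir\extra1.exe" -FileType 'exe'
    Install-ChocolateyInstallPackage -PackageName 'example' -File "$toolsDir\extra2.exe" -FileType 'exe'
}
"""

# Constructed list of binaries a scanner would find in the package: the two
# optional installers are not shipped, so only four files are present.
SAMPLE_BINARIES = ["core.msi", "driver.exe", "tools.exe", "docs.msi"]

# A line that starts with an Install-Chocolatey* helper call.
HELPER_CALL = re.compile(r"^\s*Install-Chocolatey\w*\b")
# An "if (...$pp...) {" line opening a block guarded by a package parameter.
CONDITIONAL_OPEN = re.compile(r"^\s*if\s*\(.*\$pp\b.*\)\s*\{\s*$")


@dataclass
class ScanResult:
    total_calls: int        # every Install-Chocolatey* call in the script
    conditional_calls: int  # calls that sit inside a package-parameter block
    binaries_found: int     # files actually present in the package

    @property
    def needs_investigation(self) -> bool:
        # The hypothesised rule: helper calls and shipped binaries must agree.
        return self.total_calls != self.binaries_found

    @property
    def explained_by_parameters(self) -> bool:
        # The mismatch is fully accounted for by calls hidden behind $pp.
        return (self.needs_investigation
                and self.total_calls - self.conditional_calls == self.binaries_found)


def count_helper_calls(script: str) -> Tuple[int, int]:
    """Return (total helper calls, helper calls inside a $pp conditional)."""
    total = conditional = 0
    depth = 0  # brace depth while inside a package-parameter conditional
    for line in script.splitlines():
        if depth == 0 and CONDITIONAL_OPEN.match(line):
            depth = 1
            continue
        if depth > 0:
            depth += line.count("{") - line.count("}")
        if HELPER_CALL.match(line):
            total += 1
            if depth > 0:
                conditional += 1
    return total, conditional


def scan_package(script: str, binaries: List[str]) -> ScanResult:
    total, conditional = count_helper_calls(script)
    return ScanResult(total, conditional, len(binaries))


if __name__ == "__main__":
    result = scan_package(SAMPLE_INSTALL_SCRIPT, SAMPLE_BINARIES)
    print(f"helper calls: {result.total_calls} "
          f"(of which {result.conditional_calls} behind a package parameter)")
    print(f"binaries found: {result.binaries_found}")
    print(f"flag as investigate: {result.needs_investigation}")
    print(f"mismatch explained by package parameters: {result.explained_by_parameters}")
```

Run against the constructed script, the count comes out as six calls against four shipped binaries, and the two-file gap matches the two calls inside the `$pp.Extras` block, which is exactly the situation the comment above describes. Shipping the two optional installers, or restructuring the script so that the number of helper calls equals the number of embedded files, would make the counts agree.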

pauby commented 3 years ago

Given my understanding of the Investigate status of Package Scanner, what @AdmiringWorm said is the most likely reason.

TheCakeIsNaOH commented 3 years ago

Looks like there is another one here: https://community.chocolatey.org/packages/chocolatey-visualstudio.extension/1.10.0