Issue: choco submission security process currently doesn't check URLs against all major browsers' Safe Browsing lists (or equivalent)

Repro:
choco info tartool
Software Site | License | Source fields for tartool 1.0.0 [Approved], which list various URLs under https://tartool.codeplex.com/.

Expected: Package submissions are not in some malware-flagged browser site list.

Actual: If you open that in anything but IE, you will get some scary warning pages by the browser claiming that it has been flagged as a malicious site (see attached screenshots). Note, I don't know if in this case this package/domain is actually malicious, i.e. it could be a false positive, but a warning like this makes me: a. question choco's [Approved] "stamp", b. not want to use/install that package, or c. choco for that matter.

OSX Chrome v77
OSX Safari v11.0.1

Possible Solution: In addition to the VirusTotal checks that you already do (during the package submission process?), I would suggest adding automated security checks that check all package metadata fields that list URLs against the "safe browsing list" (or browser equivalent) on all major browsers, i.e. Chrome, Safari, IE (now basically Chrome, but not sure if they use Chrome's safebrowsing list or are continuing to use their SmartFilters list, even for older versions).
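One way to implement the proposed check, added here as an example that is not part of this issue or of Chocolatey's own moderation code: it pulls the URL-bearing metadata elements out of a .nuspec and submits them to the Google Safe Browsing Lookup API v4 (threatMatches:find), then maps any matches back to the field they came from. The nuspec element names and the API request/response shape are the documented ones; the sample package, the flagged.example and clean.example domains and the fake_send stub are constructed so the check runs offline.

```python
import json
import urllib.request
import xml.etree.ElementTree as ET

# Standard nuspec elements that carry URLs (`choco info` shows the first three as Software Site, License, Source).
URL_FIELDS = ("projectUrl", "licenseUrl", "projectSourceUrl", "packageSourceUrl",
              "docsUrl", "bugTrackerUrl", "mailingListUrl", "iconUrl")

def nuspec_urls(nuspec_xml: str) -> dict:
    """Return {field: url} for every URL-bearing element present, ignoring the xmlns prefix."""
    found = {}
    for elem in ET.fromstring(nuspec_xml).iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # "{ns}projectUrl" -> "projectUrl"
        if tag in URL_FIELDS and elem.text and elem.text.strip():
            found[tag] = elem.text.strip()
    return found

def lookup_request(urls) -> dict:
    """threatMatches:find request body: all threat types, any platform, URL entries."""
    return {"client": {"clientId": "package-moderation-check", "clientVersion": "0.1"},
            "threatInfo": {"threatTypes": ["MALWARE", "SOCIAL_ENGINEERING", "UNWANTED_SOFTWARE",
                                           "POTENTIALLY_HARMFUL_APPLICATION"],
                           "platformTypes": ["ANY_PLATFORM"], "threatEntryTypes": ["URL"],
                           "threatEntries": [{"url": u} for u in urls]}}

def post_json(api_key: str, body: dict) -> dict:
    """Live transport: POST the body to the Lookup API; an empty {} response means no matches."""
    req = urllib.request.Request("https://safebrowsing.googleapis.com/v4/threatMatches:find?key=" + api_key,
                                 json.dumps(body).encode(), {"Content-Type": "application/json"})
    return json.load(urllib.request.urlopen(req, timeout=10))

def flagged_fields(nuspec_xml: str, send) -> dict:
    """{field: threatType} for each metadata URL reported as a match; send(body) -> API response dict."""
    fields = nuspec_urls(nuspec_xml)
    matches = send(lookup_request(fields.values())).get("matches", []) if fields else []
    hits = {m["threat"]["url"]: m["threatType"] for m in matches}
    return {field: hits[url] for field, url in fields.items() if url in hits}

# Constructed sample package (not a real one); flagged.example / clean.example are reserved names.
SAMPLE_NUSPEC = """<package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd"><metadata>
  <projectUrl>https://flagged.example/tool</projectUrl>
  <licenseUrl>https://flagged.example/tool/license</licenseUrl>
  <projectSourceUrl>https://clean.example/src</projectSourceUrl>
</metadata></package>"""

def fake_send(body: dict) -> dict:
    """Offline stand-in for the API that reports anything under flagged.example as MALWARE."""
    return {"matches": [{"threatType": "MALWARE", "platformType": "ANY_PLATFORM", "threat": {"url": e["url"]}}
                        for e in body["threatInfo"]["threatEntries"] if e["url"].startswith("https://flagged.example/")]}
```

For a live check pass `functools.partial(post_json, API_KEY)` as `send`; a moderation pipeline would reject or hold the submission when the returned dict is non-empty.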