Open Satoriq opened 4 months ago
Upon further investigation, the reason for the false flag is not "achievement_show_bank" but the usage of highlight.js library methods here: https://github.com/debanjandhar12/logseq-anki-sync/blob/a3adb1865bde57e9b67480a4b8843ca20ea67cb0/src/converter/Converter.ts#L222. There is a reported issue, https://security.snyk.io/vuln/SNYK-JS-HIGHLIGHTJS-1045326, which is dangerous only when the user is allowed to insert his malicious markdown/code for further highlighting. But because we are using the library's .highlight method on our code in our own cards, it should be completely safe.
Describe the bug: Every release from the first one is false-flagged as script malware by one engine: https://www.virustotal.com/gui/file/d57f2bbbba431ab4a1ee9a4b166061386b550032f5ef06bdd122b499fa954d2e
The reason is the "achievement_show_bank" string in the final build JS file. You have it from the highlight.js library: https://github.com/highlightjs/highlight.js/blob/5bcb6c66133706ea84cfd3cfd7492b3e5321ca85/src/languages/gml.js#L1927. It's hard to say why this string triggers AV, whether because of the 'bank' part in it or because this string/lib was used in real malware. If someone complains about VT results, now you know how to fix it =)
Expected behavior: Clear VirusTotal