Closed coldacid closed 3 years ago
Sorry for the delay getting back to you. I have reproduced the build artifacts, byte-for-byte, in a clean environment, with a freshly downloaded and verified Go toolchain. So there was no contamination of the build environment.
git-sizer has only two external runtime (as opposed to test-time) dependencies:

- github.com/cli/safeexec — a trivial package, also maintained by GitHub. I just audited it and it doesn't do anything untoward. On Windows it does search the directories in PATH manually to try to find the git executable, which could conceivably be considered suspicious behavior by an automated tool (?). (Ironically, it does this to prevent a possible social-engineering attack.)
- github.com/spf13/pflag — a very commonly used package. I don't know of any reports of security problems with it.

So I'm confident that these are false positives.
I don't expect to have time to work to correct these apparently mistaken reports, so I will close this issue. If somebody else wants to take up that task, feel free to reopen it.
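The PATH lookup the comment above describes, as an added illustration (this is not safeexec's code and not part of git-sizer): a lookup that walks the PATH entries itself and ignores empty and relative entries, so an executable dropped into the current working directory can never be the one that gets run. The function name `lookPathSafe` and the mode-bit check are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrNotFound is returned when no absolute PATH directory contains the executable.
var ErrNotFound = errors.New("executable not found in PATH")

// lookPathSafe searches only the absolute directories listed in pathEnv for an
// executable called name and returns the absolute path of the first match.
// Empty and relative entries ("" and "." both mean "current directory") are
// skipped, which is the mitigation against a planted binary in the working
// directory that the comment above refers to.
func lookPathSafe(name, pathEnv string) (string, error) {
	if strings.ContainsAny(name, `/\`) {
		return "", fmt.Errorf("refusing path-qualified name %q", name)
	}
	for _, dir := range filepath.SplitList(pathEnv) {
		if dir == "" || !filepath.IsAbs(dir) {
			continue // would resolve against the cwd; never consult it
		}
		candidate := filepath.Join(dir, name)
		if isExecutableFile(candidate) {
			return candidate, nil
		}
	}
	return "", ErrNotFound
}

// isExecutableFile reports whether p is a regular file with an execute bit set.
// (On Windows one would check the extension against PATHEXT instead.)
func isExecutableFile(p string) bool {
	fi, err := os.Stat(p)
	if err != nil || fi.IsDir() {
		return false
	}
	return fi.Mode()&0o111 != 0
}

func main() {
	p, err := lookPathSafe("git", os.Getenv("PATH"))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("found git at", p)
}
```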
Based on your analysis I'm reporting git-sizer.exe detections as a false positive.
Thanks, @coldacid! :sparkles:
git-sizer.exe in both git-sizer-1.4.0-windows-386.zip and git-sizer-1.4.0-windows-amd64.zip, along with the zip files themselves, are flagged as malicious by multiple vendors, per VirusTotal.