mhagger
commented
3 years ago Sorry for the delay getting back to you. I have reproduced the build artifacts, byte-for-byte, in a clean environment, with a freshly downloaded and verified Go toolchain. So there was no contamination of the build environment.
git-sizer has only two external runtime (as opposed to test-time) dependencies:
github.com/cli/safeexec— a trivial package, also maintained by GitHub. I just audited it and it doesn't do anything untoward. On Windows it does search the directories inPATHmanually to try to find thegitexecutable, which could conceivably be considered suspicious behavior by an automated tool (?). (Ironically, it does this to prevent a possible social-engineering attack.)github.com/spf13/pflag— a very commonly used package. I don't know of any reports of security problems with it.
So I'm confident that these are false positives.
I don't expect to have time to work to correct these apparently mistaken reports, so I will close this issue. If somebody else wants to take up that task, feel free to reopen it.
coldacid
git-sizer.exe in both git-sizer-1.4.0-windows-386.zip and git-sizer-1.4.0-windows-amd64.zip, along with the zip files themselves, are flagged as malicious by multiple vendors, per VirusTotal.