Closed NiklasVoigt closed 1 year ago
Not sure yet if this comes from the bundled JRE or from JavaFX runtime componente. Did you encounter the same issue with version 19 or even early access 20?
Well, I was playing round with JDK18 and JavaFX 18. For build, the Oracle JDK builds are used which are distributed at https://jdk.java.net/18/. The JDK-18 build is clean and virus free according to VirusTotal.com.
However, the OpenJFX 18 binaries (openjfx-18_windows-x64_bin-jmods.zip
and openjfx-18_windows-x64_bin-sdk.zip
) are flagged. But, the individual components in both ZIP files are okay, no alert by Virus Total. Given the individual components are okay, I consider the JavaFX binaries as safe and okay.
Source of OpenJFX 18: https://download2.gluonhq.com/openjfx/18/openjfx-18_windows-x64_bin-sdk.zip https://download2.gluonhq.com/openjfx/18/openjfx-18_windows-x64_bin-jmods.zip
Source of OpenJDK18 https://download.java.net/java/GA/jdk18.0.2.1/db379da656dc47308e138f21b33976fa/1/GPL/openjdk-18.0.2.1_windows-x64_bin.zip
Analysis results for OpenJFX18: https://www.virustotal.com/gui/file/8a978413b2fdd42dcb7ccdc6c3a8d4ac16495e63407beb9f47ef62f9ea88d266 https://www.virustotal.com/gui/file/cf41a110934b1c3b87e43222e5adfeec810c557ad92f7491e52347f9e4886e53
Well, its hashing and hashes may collide. Ideally one would re-run an OpenJFX 18 build and retest. Never ran an OpenJFX build yet.
@abhinayagarwal Whats your opinion here, how to proceed? Are we able to re-run OpenJFX build and consequently the SceneBuilder 18 build? May be not for redistribution but for analysis.
SDK component | analysis result | link |
---|---|---|
bin folder as zip | ok | https://www.virustotal.com/gui/file/950d6b9d33cf4a6e1dd02e7adb2e703ed18fa28223abf5ac13e1504a89254529?nocache=1 |
legal folder as zip | ok | https://www.virustotal.com/gui/file/8bfe895ebe5fcba0b9fab73243f753b15c42d3a2ae14139a39a43ed5bab687d7?nocache=1 |
lib folder as zip | ok | https://www.virustotal.com/gui/file/3225ddf7bab1e7890f0dfd1c9e4e29bddfebfa8b8be34bfbfac1a2a4b6d714ea?nocache=1 |
src zip | ok | https://www.virustotal.com/gui/file/30d6569d504ad3176f126180f73b605c5896741776e33d2cb21f0c4ee9544e5d |
SceneBuilder 18 component | analysis result | link |
---|---|---|
SceneBuilder.exe | MaxSecure, Trojan.Malware.300983.susgen and SecureAge | https://www.virustotal.com/gui/file/012fc4f03bfeca40061fecdbc9eee8ef549a975bdd15f2c6359bb1afd763e47f |
runtime bin folder as zip | McAfee Artemis!702B93A5382E | https://www.virustotal.com/gui/file-analysis/NmIyZjQ1YjllNWEzMDg2NWZmMzNhN2UxZjA4YTlmMTM6MTY2NzQwODQ0MA== |
runtime lib folder as zip | ok | https://www.virustotal.com/gui/file/e10dee4de5e0d694c021e24d541e163658d9d6e305ee541aea9d91e0ef456dde?nocache=1 |
OpenJFX 19 windows binaries are not suspicious at all.
@NiklasVoigt For the Choco package, I'd propose for now to continue first with Scene Builder 19. Not sure If I can provide a new MSI quickly. I'll attempt an Scene Builder 18 MSI build based on OpenJFX 18 and JDK18. May be this one behaves differently.
There is now a new build of SceneBuilder 18 for Windows x64 based on commit 4581c44949729bf18407423d581abc0f61242e1f (tag: 18.0.0).
This installer package is 'clean' according to VirusTotal. https://www.virustotal.com/gui/file-analysis/ZGM0OWJhYzRmNjFiNTBkMGQ3Y2QwMWYxNmZiZmEzMGY6MTY2NzQxMjY4MA==
The new binary is located at: http://raumzeitfalle.de/other/SceneBuilder-18.0.0.msi
With checksums at: http://raumzeitfalle.de/other/SceneBuilder-18.0.0.msi.md5 http://raumzeitfalle.de/other/SceneBuilder-18.0.0.msi.sha256 http://raumzeitfalle.de/other/SceneBuilder-18.0.0.msi.sha512
Algorithm | Checksum |
---|---|
MD5 | DC49BAC4F61B50D0D7CD01F16FBFA30F |
SHA-256 | AA1CCB9D4959215325299961C955428A23810756CECB94492F9A46C877624AFB |
SHA-512 | 140A08B46DEDD5F0C027BC75BCB8D051644696ED2BDF30D115770E773C3E134771AFABB30037EF259BA6C2FB74E1B53649D2309569F49C0C80BF2EE1C43DF40C |
The used ingredients were: https://download2.gluonhq.com/openjfx/18/openjfx-18_windows-x64_bin-sdk.zip https://download2.gluonhq.com/openjfx/18/openjfx-18_windows-x64_bin-jmods.zip https://download.java.net/java/GA/jdk18.0.2.1/db379da656dc47308e138f21b33976fa/1/GPL/openjdk-18.0.2.1_windows-x64_bin.zip https://wixtoolset.org/releases/v3.11.2/stable
git clone https://github.com/gluonhq/scenebuilder.git
cd scenebuilder
git checkout 18.0.0
pacwin.cmd
The pacwin.cmd
is not part of SceneBuilder repository and looks as follows, it requires adjustment to your local setup:
setlocal
set JAVA_HOME="H:\Downloads\JavaFX_runtimes\jdk-18.0.2.1"
set PATH=%JAVA_HOME%\bin;C:\Programs\java\apache-maven-3.8.5\bin;C:\Programs\java\wix-3.11.2;"C:\Program Files\Git\cmd"
set JAVAFX_HOME=H:\Downloads\JavaFX_runtimes\javafx-jmods-18
set APP_VERSION=18.0.0
set MAIN_CLASS=com.oracle.javafx.scenebuilder.app.SceneBuilderApp
set JPACKAGE_HOME=%JAVA_HOME%
set INSTALL_DIR=app\target\install
for /F %%i in ('%JAVA_HOME%\bin\jdeps --module-path %JAVAFX_HOME% --print-module-deps --ignore-missing-deps app\target\lib\scenebuilder-%APP_VERSION%-all.jar') do SET JDEPS_MODULES=%%i
echo %JDEPS_MODULES%
set JAVAFX_MODULES=javafx.fxml,javafx.media,javafx.swing,javafx.web
%JAVA_HOME%\bin\jlink ^
--module-path %JAVAFX_HOME% ^
--add-modules %JDEPS_MODULES%,%JAVAFX_MODULES% ^
--output app/target/runtime ^
--strip-debug ^
--compress 2 ^
--no-header-files ^
--no-man-pages
%JPACKAGE_HOME%\bin\jpackage ^
--app-version %APP_VERSION% ^
--input app/target/lib ^
--license-file LICENSE.txt ^
--main-jar scenebuilder-%APP_VERSION%-all.jar ^
--main-class %MAIN_CLASS% ^
--name SceneBuilder ^
--description "Scene Builder" ^
--vendor Gluon ^
--verbose ^
--runtime-image app/target/runtime ^
--dest %INSTALL_DIR% ^
--type msi ^
--java-options "--add-opens=javafx.fxml/javafx.fxml=ALL-UNNAMED" ^
--java-options "-Djava.library.path=runtime\bin;runtime\lib" ^
--icon app/assets/windows/icon-windows.ico ^
--win-dir-chooser ^
--win-menu ^
--win-menu-group "Scene Builder" ^
--win-per-user-install ^
--win-shortcut
@abhinayagarwal My recommendation here is a rebuild of the MSI file. This feels odd and should not be the case.
@NiklasVoigt Can you please use the inofficial MSI file to build the choco package? This should work.
@Oliver-Loeffler Are you suggesting that a re-run of the release process should be enough without making any change to the build or release process?
As far as I understand the build process, all components such as JDK, OpenJFX etc. are installed in the build environment on demand, it could help. I ran this yesterday at my local machine and produced an MSI which is not suspicious. See the description.
All our builds run on Github Actions and we use OpenJDK/JFX builds to create the installer. Not sure what can we do differently :)
Never tried to re-run a past item. But technically it should work, shouldnt it?
I am still trying to understand why the earlier build was flagged as a virus.
Interestingly the downloaded OpenJFX zip files, both the SDK and jmods, were flagged. But, the included files, the payload was clean. Either the zip file was dirty or this false positive by Virus Total. If exact the same zip files have been used for original build, then the last variable item is the JDK used. Not sure which JDK was used at SB18 build time. For testing I've used jdk18.0.2.1. If at build time another version (e.g. jdk18.0.0.0) was used, that might already explain the issue. The JDK18 version I have used is:
JAVA_VERSION="18.0.2.1"
JAVA_VERSION_DATE="2022-08-18"
...
OS_ARCH="x86_64"
OS_NAME="Windows"
SOURCE=".:git:ca4c3dac3bc5
Scene Builder 18 was released before August-2022, hence there is a chance to get a clean build with the newer JDK version. SB18 was released on March-31'2022 where (according to jdk.java.net-uri.properties most likely Java 18.0.0.0 was used.
The version used for the Mat'31 build of SB18 was most likely:
JAVA_VERSION="18"
JAVA_VERSION_DATE="2022-03-22"
...
OS_ARCH="x86_64"
OS_NAME="Windows"
SOURCE=".:git:0f2113cee79b"
With that, I'll test a build now.
Interestingly my new MSI file runs in a timeout for McAffee and McAfee-GW-Edition, both scanner raised an alarm. One thing aside, not sure why this is the case, my MSI files are approx. 8 MiB smaller than the distributed one (70 MiB vs 78 Mib).
I still think, that a rebuild with GH actions will solve the problem, as long as GH pulls all dependencies new (e.g. Java 18 with the state from August, not with the version from March).
So, just ran some tests. Well, it turns out that SceneBuilder.exe
will always trigger some detections when built with the forementioned JDK18 versions. Building SceneBuilder18 with Java19, no detections at all.
For the passing SB18 build, there were actually timeouts for some virus scanners.
Results for SceneBuilder.exe
compiled with different versions of JDK.
JDK | Detection(s) | Link |
---|---|---|
jdk-18 | unsafe, malicious | https://www.virustotal.com/gui/file/fd12e9f0a2c3751d6ed289dca39a0385fca30447f7ee244dceb719da1b6a2a9b |
jdk-18.0.2.1 | malicious | https://www.virustotal.com/gui/file/c40d34c33a431be1bb3f1dea719a1a4dd9ddc79dcd613fb0f952e1f1b9a56008 |
jdk-19.0.1 | https://www.virustotal.com/gui/file/de90b62d15c22f2d7549276875e4b4c34adabaf3f066411a1833e884ea14175e |
One could then also run the SB18 build with Java19 JDK - would be fine as well.
A SceneBuilder 18 build based on JDK19 is now also available.
http://raumzeitfalle.de/other/jdk19/SceneBuilder-18.0.0.msi
Algorithm | Checksum |
---|---|
MD5 | 0F67164CE4B1F440C1C464C590713C24 |
SHA-256 | 7B78262A419831EB2A17FE2EF052139456D4253F79063E15C76A0964513C0C74 |
SHA-512 | 5FC37720DB88F3348CB24BE5826EFA6B3C116997EE61F513D2EE8596DECAB07E1341F7751B50F09374769237B122A6F229D6070548FA2ED1663E8F4574B249C5 |
@NiklasVoigt Hi, I just learned about this 'relations' function to see if there are any flagged files. Hence I've attempted a new build and up to now no files are flagged at all.
Here is the link: https://www.virustotal.com/gui/file/7b78262a419831eb2a17fe2ef052139456d4253f79063e15c76a0964513c0c74/details
I have seen, that the SB18 package is in moderation - you might try using the updated MSI. http://raumzeitfalle.de/other/jdk19/SceneBuilder-18.0.0.msi
Cheers!
Good find. Although, I am not sure if really want to rebuild SB 18.0.0 with JDK 19.
I want to update the chocolatey package from 17.0.0 to 18.0.0 and then to 19.0.0. The automatic checker runs a viruscheck and detected in 18.0.0.msi a virus.
Choco package: https://github.com/pafei/chocolatey-scenebuilder https://community.chocolatey.org/packages/scenebuilder/18.0.0#virus
Virustotal vheck: https://www.virustotal.com/gui/file/7330cb29e09f0194722d782dd39d860499a7add90f67fe83cbd188845f2cdbd3
Discord conversation about this problem: https://discord.com/channels/778552361454141460/897088817293574154/1037327810034925629
Expected Behavior
Current Behavior
Steps to Reproduce
Your Environment
Screenshots