Closed rudolphjacksonm closed 1 year ago
From looking around I'm fairly confident the culprit is a false positive and related to this: https://github.com/hashicorp/go-getter/issues/419
👋 Hello! This is a false positive related to https://github.com/hashicorp/go-getter/issues/407 (CVE-2023-0821, attributed to Nomad GHSA because CVEs are objectively confusing).
The zip bomb detected by your company's anti-virus is an artifact related to a test that will not run without a special environment variable set.
We plan to address this in the near future, tracked in https://github.com/hashicorp/go-getter/issues/419
Sounds like this can be closed out since it will not result in a vulndb entry (at least not right now). Let me know if you think this is incorrect.
Description
Hi,
I tried to download go-getter v1.7.0 today as part of initializing the dev environment for Hashicorp's AWS Terraform provider. The md5 hash of the zip returns some worrying results on VirusTotal, and was blocked by my employer's antivirus before I could download it: https://www.virustotal.com/gui/file/868bd0a1e97d2782dad2d80beec056e99b298ebb4f5d5f2f2f5f035537cfdfaa/detection. Can someone take a look at this please? Apologies if I've not entered any of the fields correctly, I've not raised an issue in this community before!
Affected Modules, Packages, Versions and Symbols
Does this vulnerability already have an associated CVE ID?
No
CVE ID
No response
Credit
No response
CWE ID
No response
Pull Request
No response
Commit
No response
References
No response
Additional information
Output from when trying to run go install shows the URL the package is retrieved from: