hashicorp / go-getter

Package for downloading things from a string URL using a variety of protocols.
Mozilla Public License 2.0

Anti-viruses report the bomb.zip test file as malicious #419

Closed vmonier closed 1 year ago

vmonier commented 1 year ago

Hello, this is for sure related to https://github.com/hashicorp/go-getter/issues/407, but the introduction of a zip bomb file into the repository generates alerts in EDR/Antivirus: https://www.virustotal.com/gui/file/f1dc920869794df3e258f42f9b99157104cd3f8c14394c1b9d043d6fcda14c0a

This will either create troubles for repository users, or may even prevent the go-getter project from working properly (either because the AV will delete the test file and so, tests will fail or because the AV will block the access to the file when running the tests).

Could you remove this file from the repository, or "encrypt" it so AV won't complain? I think even a simple XOR with a hard-coded "password" inside the test would be enough for the AVs to not complain about the bomb.zip file (you may upload it to VT and check if any AV still considers the zip as malicious).

Thanks

SrikanthBhandary commented 1 year ago

More Info:



jossef commented 1 year ago

I agree with @vmonier - encrypting / encoding this resource zip would resolve this. Just make sure to not decrypt/decode it to the filesystem, as it will trigger EDRs. Make sure to load it into memory without a filesystem footprint.

Currently cloning the project triggers EDRs and container scanning tools like Trivy, which is super annoying and confusing.

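The two suggestions above (store the test archive XOR-encoded with a hard-coded key, and decode it only in memory so nothing is written to disk) combine naturally with the thing the fixture exists to test: a cap on decompressed size. The following is an added example written for this thread, not code from go-getter or from any commenter. The key `fixtureKey`, the helper names, and the constructed stand-in archive (a single entry of 1024 zero bytes generated in memory by `buildZip`) are all assumptions; a real repository would commit the output of `xorBytes` as the fixture and call `readEncodedFixture` from the test.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// fixtureKey is a constructed, hard-coded key. It only changes the byte
// pattern a signature scanner sees; it provides no confidentiality.
var fixtureKey = []byte("go-getter-fixture")

// ErrTooLarge is returned when an archive decompresses past the allowed size.
var ErrTooLarge = errors.New("decompressed size exceeds limit")

// xorBytes applies a repeating-key XOR. The same call encodes and decodes,
// so the test can store the encoded form and recover the archive in memory.
func xorBytes(data, key []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// buildZip creates a small in-memory zip with one entry of n zero bytes.
// This is a constructed stand-in for the real test archive, not bomb.zip.
func buildZip(name string, n int) ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, err := zw.Create(name)
	if err != nil {
		return nil, err
	}
	if _, err := w.Write(bytes.Repeat([]byte{0}, n)); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// readEncodedFixture decodes the stored fixture in memory, opens it with
// archive/zip from a bytes.Reader (no file on disk), and reads each entry
// while enforcing a cap on the total decompressed size. It returns the
// decompressed size of each entry it fully read.
func readEncodedFixture(encoded []byte, limit int64) (map[string]int64, error) {
	raw := xorBytes(encoded, fixtureKey)
	zr, err := zip.NewReader(bytes.NewReader(raw), int64(len(raw)))
	if err != nil {
		return nil, err
	}
	sizes := map[string]int64{}
	var total int64
	for _, f := range zr.File {
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		// Read at most one byte past the remaining budget, so an oversized
		// entry is detected without decompressing all of it.
		n, err := io.Copy(io.Discard, io.LimitReader(rc, limit-total+1))
		rc.Close()
		if err != nil {
			return nil, err
		}
		total += n
		if total > limit {
			return sizes, ErrTooLarge
		}
		sizes[f.Name] = n
	}
	return sizes, nil
}

func main() {
	raw, err := buildZip("payload.bin", 1024)
	if err != nil {
		panic(err)
	}
	// This encoded form is what would be committed to the repository.
	encoded := xorBytes(raw, fixtureKey)

	sizes, err := readEncodedFixture(encoded, 4096)
	fmt.Println("within limit:", sizes, err)

	_, err = readEncodedFixture(encoded, 512)
	fmt.Println("over limit:", err)
}
```

Because the archive is handed to `zip.NewReader` straight from memory, the decoded bytes never reach the filesystem, which is the point @jossef raises; the `io.LimitReader` budget is the kind of mitigation a zip-bomb fixture is meant to exercise.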

picatz commented 1 year ago

👋 Hello! Sorry for the AV noise introduced in https://github.com/hashicorp/go-getter/issues/407. We can certainly encode the file, or find another way to test our mitigations that doesn't trip up EDRs.

We can try to get that sorted out in the near future. Until then, happy to review a PR if anyone is up for it.

picatz commented 1 year ago

v1.7.1 was released which fixes this issue. Any downstream dependencies will need to update to this version to avoid the AV noise.