mandiant / VM-Packages

Chocolatey packages supporting the analysis environment projects FLARE-VM & Commando VM.
Apache License 2.0

Create metapackages for common dependencies #673

Closed Ana06 closed 10 months ago

Ana06 commented 1 year ago

Installing several versions of the same software can be an issue (see for example: https://github.com/mandiant/VM-Packages/issues/622). That's why I think we should have metapackages for at least several tools. This will make it easier in the future to keep them in sync.

python3.vm

We are currently using python [3.10.0, 3.11.0) in libraries.python3.vm, ida.plugin.capa.vm and didier-stevens-suite.vm.

openjdk.vm

We are currently using the open source openjdk in ghidra.vm and dex2jar.vm while we use javaruntime (last version of Java Oracle with a commercial license) in bytecodeviewer.vm. I propose we use an openjdk metapackage for all of them.

I think the only issue is that we need a workaround to open jar files by default.

At the moment we are using openjdk version [21.0.0], but I think we should update it to [21.0.0, 21.1.0) to prevent automatic updates. Only the metapackage will be tested when the dependency is updated. But even without the metapackage we are not testing that tools keep working in the CI, only that they install successfully.

nodejs.vm

malware-jail.vm and pkg-unpacker (in https://github.com/mandiant/VM-Packages/pull/670) use nodejs version [20.7.0]. I propose to update to [20.7.0, 20.8.0) to prevent automatic updates for the reasons mentioned above.

@mandiant/flare-vm opinions? Any other tools we should move to a metapackage?

Ana06 commented 1 year ago

I am thinking we should require libraries.python3.vm in ida.plugin.capa.vm and didier-stevens-suite.vm (and in general in other python packages) so that there are no conflicts with the basic libraries we install. I am not sure if we then want a python3.vm package that commando-vm can also use to keep the python version in sync as I assume they don't want to install our libraries. Or does it make sense to use the same libraries.python3.vm for both projects? @mandiant/flare-vm opinions?

Ana06 commented 1 year ago

Documenting discussion with @MalwareMechanic:

We agree that dependencies should be contained in metapackages to prevent version issues.

Ana06 commented 11 months ago

vcredist140, used by nmap and rpcview, is also a good candidate for a metapackage. I suggest using version [14.36.32532, 14.37).

Ana06 commented 10 months ago

dotnet-6.vm is another candidate with version [6.0.400, 6.1)
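
An added example, not part of the issue thread or the VM-Packages code: Python that parses the NuGet-style version ranges quoted in this issue, checks which versions a range admits, and flags a dependency whose dependents declare ranges that cannot all be satisfied. The package names in `SAMPLE` are hypothetical, the conflicting nodejs range is constructed, and only numeric versions (no prerelease tags) are handled.

```python
import re

def parse_version(text):
    """'14.37' -> (14, 37, 0, 0); numeric versions only, no prerelease tags."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def parse_range(spec):
    """NuGet interval notation -> (low, low_inclusive, high, high_inclusive)."""
    m = re.fullmatch(r"([\[(])([^,\])]*)(?:(,)([^\])]*))?([\])])", spec.strip())
    if not m:  # bare '1.0' is a minimum: that version or anything newer
        return parse_version(spec), True, None, False
    open_b, low, comma, high, close_b = m.groups()
    if comma is None:  # '[1.0]' is an exact pin
        return parse_version(low), True, parse_version(low), True
    lo = parse_version(low) if low.strip() else None
    hi = parse_version(high) if high.strip() else None
    return lo, open_b == "[", hi, close_b == "]"

def common_window(specs):
    """Intersect ranges; None means no single version satisfies all of them."""
    lo, lo_inc, hi, hi_inc = None, True, None, True
    for a, a_inc, b, b_inc in map(parse_range, specs):
        if a is not None and (lo is None or a >= lo):
            lo_inc = a_inc if (lo is None or a > lo) else (lo_inc and a_inc)
            lo = a
        if b is not None and (hi is None or b <= hi):
            hi_inc = b_inc if (hi is None or b < hi) else (hi_inc and b_inc)
            hi = b
    if lo is not None and hi is not None:
        if lo > hi or (lo == hi and not (lo_inc and hi_inc)):
            return None
    return lo, lo_inc, hi, hi_inc

def satisfies(version, spec):
    """True when installing `version` would be allowed by `spec`."""
    return common_window([spec, f"[{version}]"]) is not None

def conflicts(packages):
    """Map each dependency to its dependents when their ranges cannot all be met."""
    by_dep = {}
    for pkg, deps in packages.items():
        for dep, spec in deps.items():
            by_dep.setdefault(dep, {})[pkg] = spec
    return {d: sorted(p) for d, p in by_dep.items() if common_window(p.values()) is None}

# Constructed sample: hypothetical package names; tool-b.vm's nodejs range is made up.
SAMPLE = {
    "tool-a.vm": {"openjdk": "[21.0.0]", "nodejs": "[20.7.0]"},
    "tool-b.vm": {"openjdk": "[21.0.0, 21.1.0)", "nodejs": "[20.8.0, 20.9.0)"},
}
```

Calling `conflicts(SAMPLE)` reports only nodejs, because the two openjdk ranges still share version 21.0.0.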