mozilla / rhino

Rhino is an open-source implementation of JavaScript written entirely in Java
https://rhino.github.io

Rhino 1.7.7.2 Malware reports #629

Open tyanko1 opened 4 years ago

tyanko1 commented 4 years ago

Hello,

I am one of the maintainers of the Maven Central Repository (https://repo1.maven.org) at Sonatype. Our content delivery provider, Fastly, recently informed us of an SBL (Spamhaus Block List) abuse report related to a Rhino distribution currently hosted in Central. The implicated artifact is: http://central.maven.org/maven2/org/mozilla/rhino/1.7.7.2/rhino-1.7.7.2.jar

The SBL abuse report was previously located at https://www.spamhaus.org/sbl/query/SBL466948

I've since spoken with an SBL representative and they have removed the report after running the artifact through one of their internal virus scanning tools. I wanted to raise this issue, however, as this is the second time we've received a malware report for Rhino 1.7.7.2. It seems that this artifact is being flagged as malicious by certain malware detection vendors (we were not told which).

It might be worth some research to determine the cause of this activity. If it is determined that the artifact is indeed vulnerable, please let us know and we will remove it from Maven Central.

A quick glance revealed the following issues which may be related, though they do pertain to different versions:

tyanko1 commented 4 years ago

For reference, here is the link to the VirusTotal report run by the SBL team. https://www.virustotal.com/gui/file/5c6dae050ceb71774a5fc82ce6e3f0392daf0ffa9ec3596f70d4d07ee50b8970/detection

The "Relations" tab may be of interest as it lists two known malware components that exhibit similarities to Rhino.
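A practical first step when a hosted artifact gets a malware report is to establish two facts about the file you actually have: that it matches the checksum Central publishes for it (so nothing was altered on a mirror or in transit), and whether it is byte-for-byte the sample the scanner flagged (so the verdict applies to your copy at all). The script below is an added example and is not part of this issue or of the Rhino project; it assumes the Maven Central layout in which a `.sha1` checksum file sits beside each artifact (`rhino-1.7.7.2.jar.sha1`) and uses the SHA-256 from the VirusTotal report linked above as the identity of the reported sample.

```python
"""Verify a locally downloaded jar against Central's checksum and a reported sample hash.

Added example, not the issue's or the project's own code. Assumes the Central
layout where `<artifact>.sha1` sits next to `<artifact>` (e.g. rhino-1.7.7.2.jar.sha1).
"""
import hashlib
import sys
from pathlib import Path
from typing import Optional

# SHA-256 that identifies the sample in the VirusTotal report linked in the issue.
REPORTED_SHA256 = "5c6dae050ceb71774a5fc82ce6e3f0392daf0ffa9ec3596f70d4d07ee50b8970"


def digests(data: bytes) -> dict:
    """Return md5/sha1/sha256 hex digests of the artifact bytes."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def parse_checksum_file(text: str) -> str:
    """Checksum files on Central hold either the bare hex digest or
    '<hex>  <filename>'; return just the digest, lower-cased."""
    parts = text.strip().split()
    if not parts:
        raise ValueError("empty checksum file")
    return parts[0].lower()


def check_artifact(jar_bytes: bytes,
                   published_sha1: Optional[str] = None,
                   reported_sha256: str = REPORTED_SHA256) -> dict:
    """Answer two questions about a local jar:
      1. matches_central_checksum: does it match the .sha1 Central publishes
         (None if no checksum file was supplied)?
      2. is_reported_sample: is it byte-for-byte the file the scanner flagged?
    A False on (1) means the copy was altered somewhere and must not be trusted
    regardless of any scanner verdict; a False on (2) means the report is about
    a different file than the one being examined."""
    d = digests(jar_bytes)
    return {
        "sha1": d["sha1"],
        "sha256": d["sha256"],
        "matches_central_checksum": (None if published_sha1 is None
                                     else d["sha1"] == parse_checksum_file(published_sha1)),
        "is_reported_sample": d["sha256"] == reported_sha256.lower(),
    }


def main(argv):
    if len(argv) < 2:
        print("usage: verify_artifact.py <artifact.jar> [<artifact.jar.sha1>]")
        return 2
    jar = Path(argv[1]).read_bytes()
    sha1_text = Path(argv[2]).read_text() if len(argv) > 2 else None
    result = check_artifact(jar, sha1_text)
    for key, value in result.items():
        print(f"{key}: {value}")
    # Non-zero exit when the published checksum does not match, so CI can stop the pipeline.
    return 1 if result["matches_central_checksum"] is False else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python verify_artifact.py rhino-1.7.7.2.jar rhino-1.7.7.2.jar.sha1` after downloading both files from the same Central path given in the issue. A checksum mismatch is the more serious finding, since it means the bytes differ from what the publisher uploaded; a match combined with `is_reported_sample: True` tells you the scanner verdict concerns exactly the artifact in Central, which is the situation this issue describes and the point at which the "Relations" tab in the report becomes worth reading.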