Open ghost opened 1 year ago
Hi @Widdar77, thank you very much for the report. Are you sure this is not a false positive?
Hi @abravalheri
Thank you very much for the reply!
That is basically a question I want to ask a dev here because I can't answer this. I'm not experienced with this topic and only an end-user that can't read the code or inspect anything. I'm dependent on the expertise of the developers. Can you guarantee that this is a false alarm and nothing is infected? (This package is a dependency for an app I want to use and I just scan all stuff I download to my computer.)
As far as I know the only person generating the `.exe` files in this repository is @jaraco based on the code in https://github.com/pypa/setuptools/blob/main/launcher.c (which you can inspect to ensure it is safe for you; see also https://github.com/pypa/setuptools/blob/v68.2.2/tools/build_launchers.py). I am very sure he is not intentionally introducing any malware.
I did a quick search and this report comes up in other places for other software that ship pre-compiled stuff (e.g. in the Go community) and there seems to be a generalised suspicion that the heuristics employed are prone to false positives:

In these issues you see stories where the provider seems to be irresponsive about false positives (I also got an `NET::ERR_CERT_DATE_INVALID` error when trying to access their website, which is a bit concerning for a company in the "security" field).

Maybe you should contact VirusTotal (which I assume to be the service you are using) and report that the MaxSecure `Trojan.Malware.300983.susgen` heuristic has been reported to be prone to false positives and suggest for them to investigate this further?
Another thing is that, if you install things with `pip install ...` instead of `python setup.py install` (the latter is deprecated and should not be used anyway), none of the `gui-*.exe` or `cli-*.exe` files are executed.
Thanks for the reply. Then I could also delete the `gui-*.exe` and `cli-*.exe` after installation with `pip install`?
In theory yes, but I haven't tested...

Also note that `setuptools` is not a regular "package". It is a "package" for creating "packages"...

In most of the cases `pip` will install a brand new `setuptools` in an isolated Python virtual environment if you need to `pip install` another package that does not have a wheel published on PyPI...

The best would be exporting the `PIP_USE_PEP517=true` environment variable to avoid those files getting used. (There are other ways though to force `pip` to use the deprecated installation method for some packages, so some tools trying to tap into that may still be subject to failures.)
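An added example (not code from the setuptools project or from anyone in this thread) of the check a user in this situation can run: compute the SHA-256 of every `cli-*.exe` and `gui-*.exe` shipped in the installed `setuptools` and compare it against the hash shown in a VirusTotal report or the release-file hashes published on PyPI, so that what was scanned is known to be the exact bytes that were installed. The package directory is located via `importlib`; the known-good set is a placeholder to be filled in by the reader.

```python
import hashlib
import importlib.util
import re
from pathlib import Path

# Launcher stub names as shipped by setuptools, e.g. cli-64.exe, gui-arm64.exe.
LAUNCHER_RE = re.compile(r"^(cli|gui)-.*\.exe$", re.IGNORECASE)


def is_launcher(name: str) -> bool:
    """True for the cli-*.exe / gui-*.exe launcher stubs, nothing else."""
    return LAUNCHER_RE.match(name) is not None


def sha256_hex(data: bytes) -> str:
    """SHA-256 of raw bytes as lower-case hex (the form VirusTotal displays)."""
    return hashlib.sha256(data).hexdigest()


def hash_launchers(package_dir: Path) -> dict[str, str]:
    """Map each launcher file name found directly under package_dir to its SHA-256."""
    return {
        p.name: sha256_hex(p.read_bytes())
        for p in sorted(package_dir.iterdir())
        if p.is_file() and is_launcher(p.name)
    }


def check_against(hashes: dict[str, str], known_good: set[str]) -> list[str]:
    """Return the launcher names whose hash is NOT in the known-good set."""
    return [name for name, digest in hashes.items() if digest not in known_good]


if __name__ == "__main__":
    spec = importlib.util.find_spec("setuptools")
    pkg_dir = Path(spec.origin).parent  # directory containing setuptools/__init__.py
    local = hash_launchers(pkg_dir)
    # Placeholder (assumption): replace with the SHA-256 values taken from the
    # VirusTotal report or from the release files on PyPI before trusting the result.
    known_good = {"<sha256 from VirusTotal or PyPI>"}
    for name, digest in local.items():
        print(f"{digest}  {name}")
    print("launchers not matching a known-good hash:", check_against(local, known_good))
```

A launcher whose hash matches the one in the VirusTotal report is the same file the scanner judged; one that matches no published release hash is the case worth investigating further.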
setuptools version
68.2.2
Python version
Python 3.11
OS
Windows
Additional environment information
No response
Description
When I scan the downloaded zip from master or the last release 68.2.2, and scan the zip package or the different `cli-*.exe` and `gui-*.exe` directly, I get a virus detection with virustotal.com. Here are the results: https://www.virustotal.com/gui/file/7b2e59ba9dab730c6aaa28ffb1f7a3a198e2bbb4330a974609b5193f1baeb212?nocache=1 https://www.virustotal.com/gui/file/32acc1bc543116cbe2cff10cb867772df2f254ff2634c870aef0b46c4b696fdb
I'm not so experienced with this case and worry now whether the project/files are secure to execute?
Expected behavior
Expected no virus alarm.
How to Reproduce
Reproducible by re-scanning.
Output
Scans: https://www.virustotal.com/gui/file/7b2e59ba9dab730c6aaa28ffb1f7a3a198e2bbb4330a974609b5193f1baeb212?nocache=1 https://www.virustotal.com/gui/file/32acc1bc543116cbe2cff10cb867772df2f254ff2634c870aef0b46c4b696fdb