Security concern about Windows binary (v2.23.0)
Geogboe opened this issue · 3 comments
Describe the bug
Want to first clarify that I believe this is a false positive but still wanted to bring it to the attention of the maintainers. When I tried to download the archive for this via Firefox, I got a warning, which prompted me to run it through VirusTotal, which is flagging it for multiple reasons -- all of which I don't fully understand, not being familiar with the code.
Here's the report: https://www.virustotal.com/gui/file/be1c45308c479db5d0ef6db49eefdbd41c2dbe543027807909e180b49fec2f0e
Edit: updated description
To Reproduce
NA
Expected behavior
NA
Screenshots
NA
Versions:
- Version: 2.23.0
- OS: NA
- Shell Version: NA
Additional context
Here's what I tested
archive file:
Name: navi-v2.23.0-x86_64-pc-windows-gnu.zip
Size: 2611933 bytes (2550 KiB)
SHA256: 97539b0aa149c60dee1315d90e9339d84fb33ec80311b6d3c85aac07e5f22f22
executable:
Name: navi.exe
Size: 5172488 bytes (5051 KiB)
SHA256: be1c45308c479db5d0ef6db49eefdbd41c2dbe543027807909e180b49fec2f0e
VirusTotal report: https://www.virustotal.com/gui/file/be1c45308c479db5d0ef6db49eefdbd41c2dbe543027807909e180b49fec2f0e
I looked through the code base and build pipeline, and it looks like upx is being used to compress the binary: https://github.com/denisidoro/navi/actions/runs/7156992883/job/19487333651#step:5:208 and I'm thinking that might be making the bin more suspicious to scanners. I found a similar issue for another Rust project: svenstaro/miniserve#1210 (comment) and even a pinned issue for upx itself: upx/upx#437
These are pretty small binaries so I just wonder how much larger it would be without running it through upx and if that would remove some of the warnings?
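One way to confirm from the binary itself that it was packed with UPX, as raised in the issue above (an added example, not code from navi or from anyone in this thread): read the PE section table and look for the `UPX0`/`UPX1` section names and the `UPX!` marker that default UPX output carries. The function names and the header-only sample images are constructed for illustration; for a real check, pass the bytes of the downloaded `navi.exe` instead.

```python
import hashlib
import struct

def pe_section_names(data: bytes) -> list:
    """Return the section names from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    try:
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        (count,) = struct.unpack_from("<H", data, pe_off + 6)       # NumberOfSections
        (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)   # SizeOfOptionalHeader
    except struct.error:
        raise ValueError("truncated PE header") from None
    table = pe_off + 24 + opt_size       # section table follows the optional header
    names = []
    for i in range(count):               # 40-byte entries, name in the first 8 bytes
        raw = data[table + 40 * i:table + 40 * i + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

def upx_indicators(data: bytes) -> dict:
    """Heuristic only: both markers can be renamed or stripped after packing."""
    names = pe_section_names(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),   # to match against a scan report
        "upx_sections": [n for n in names if n.startswith("UPX")],
        "upx_magic": b"UPX!" in data,
    }

def build_sample_pe(names, trailer=b""):
    """Constructed header-only PE image for the demo; not a real executable."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(names), 0, 0, 0, 0, 0x22)
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + coff + table + trailer

if __name__ == "__main__":
    samples = {
        "packed (constructed)": build_sample_pe(["UPX0", "UPX1", ".rsrc"], b"UPX!"),
        "plain (constructed)": build_sample_pe([".text", ".rdata", ".data"]),
    }
    for label, blob in samples.items():
        print(label, upx_indicators(blob))
```

A hit only shows that the file is packed, which is what many scanners key on; it says nothing about whether the packed contents are benign.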
Thanks for opening your first issue here! In case you're facing a bug, please update navi to the latest version first. Maybe the bug is already solved! :)
I can disable upx for Windows :)
Here's a report from Hybrid Analysis for version 2.23.0.