Gherkin binary detected as trojan #812

Closed
rostrovsky opened this issue Nov 29, 2019 · 2 comments

rostrovsky (author) wrote:

Summary

Our antivirus detects trojan in gherkin@7.0.4 which is a dependency for wdio-cucumberjs-json-reporter@1.1.2 used in webdriver.io BDD UI tests.

Expected Behavior

Please make it safe.

Current Behavior

(screenshot attached in the original issue: gherkin_trojan)

Possible Solution

  • Code review focused on safety & security
  • Removal of unsafe dependencies

Steps to Reproduce (for bugs)

  1. Install wdio-cucumberjs-json-reporter@1.1.2:

     npm i wdio-cucumberjs-json-reporter@1.1.2

  2. Try to run the binary:

     .\node_modules\wdio-cucumberjs-json-reporter\node_modules\gherkin\executables\gherkin-windows-386.exe

Context & Motivation

Usage of this library is heavily jeopardized by security concerns.
It is intended to be used in highly regulated enterprise environment.

Your Environment

  • Version used: gherkin@7.0.4
  • Operating System and version: MS Windows Server 2016 Standard 10.0.14393 Build 14393
  • Antivirus software: McAfee VirusScan Enterprise + AntiSpyware Enterprise 8.8
  • Node.js: 10.13.0
  • npm: 6.4.1

rostrovsky changed the title from "Gherking binary detected as trojan" to "Gherkin binary detected as trojan" on Nov 29, 2019

aslakhellesoy (Contributor) commented Nov 29, 2019:

Gherkin v7 delegates the parsing to Go executables that are bundled inside the module. These packages are built by us (https://github.com/cucumber/cucumber/tree/master/gherkin/go) and should be safe to use.

That said, we've realised that antivirus software will keep reporting these executables as trojans, not because they are trojans, but because they are executables the antivirus isn't able to assess.

So in Gherkin v8 and onwards we are no longer bundling executables and have restored the native JavaScript parser.

I will recommend to the wdio-cucumberjs-json-reporter project that they upgrade to Gherkin v8.

rostrovsky (author) commented:

Thanks for the explanation 👍
