fix: 🔒 replace exe.exe to avoid security scan findings #551
Conversation
For what it may be worth, here is the GH Actions run link where this binary file passed your unit tests in my fork: https://github.com/erikpaasonen/mimetype/actions/runs/9781337916
57533b8 to 7c65e83
Apologies for the force push on this branch. I screwed up merge from my fork's
Thank you! The updated exe file is smaller, but it's still 1.34MB. To avoid this increase in repo size, we can use a C Hello world program, which is only a few KB instead of 1MB. C uses dynamic linking, go uses static, that's where the difference comes from.
Edit: don't worry about the force push. It's actually good, because it does not pollute git with many commits.
gcc -O3 -o exe.exe main.c
Great catch! I recompiled, however now the unit tests fail in my fork's branch:
I figure this is your area of expertise so I pushed the commit anyway to get feedback. Unsure whether the unit tests can be adjusted to allow for detecting this type or whether I really do need to wrestle the binary into Good news though: the VirusTotal scan comes back clean, and can confirm that this file passes the Xray scan as well.
For executable files Windows uses When compiling a program, by default, the compiler will generate the executable for current OS. So the options to get a PE executable for Windows are:
I say, let's try the easy options first (2 and 3) and see if Xray is ok with them.
Yes, I wasn't sure whether this was a hard-and-fast requirement for this project:
Perhaps I should have directly said cross-compiling rather than abstract it by the phrase "wrestling the binary into [format]". 👍 I'm uncomfortable proposing an executable which is being flagged as malicious (even if without merit) since the nature of this PR is to placate non-nuanced security tooling in the first place. If we trade one legit exception for another we've just shuffled the problem I'm trying to solve sideways. The file you provided has more VirusTotal detections than I'd like in my git commit history, so I'd prefer to cross-compile rather than use that one. Unfortunately every single executable in That said, one of them had only a single detection, and that one is merely an "unsafe" AI score marking. Can't eliminate all outliers, but any reasonable/real-world security tooling would agree the preponderance of evidence is that this file is safe enough. So I'm least-uncomfortable with consuming Jfrog Xray scan is also clean on this file. 👍
Hi,
After considering #550 and #551, it seems it's hard to create a Windows executable that satisfies these 2 conditions:
- is small in size
- does not trigger antivirus alerts; seems like many antiviruses just don't care what's inside an exe. If it's .exe then it's a virus.
Looking back on it, adding fixture files is not perfect: seems nice to have the library tests work with real files, but:
- it does not count towards test-coverage
- real files increase repo size
Going forward I think I will remove more and more of the files in testdata folder, and add more unit tests.
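The maintainer's direction above (unit tests instead of a checked-in exe fixture) can be exercised with a header constructed in memory, so no real Windows PE binary has to live in the repository or pass an antivirus scan. This is an added example, not code from the mimetype project: the IsPE check and the MinimalPEHeader bytes are written here for illustration and are not the library's own matcher or testdata.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// MinimalPEHeader returns constructed bytes with the shape of a Windows PE
// file: the DOS "MZ" magic at offset 0, the e_lfanew field at offset 0x3C
// pointing at offset 0x40, and the "PE\0\0" signature there. It is not a
// runnable program, only enough layout for a format check, so it cannot
// trip an antivirus scanner the way a real exe fixture can.
func MinimalPEHeader() []byte {
	buf := make([]byte, 0x44)
	copy(buf, "MZ")
	binary.LittleEndian.PutUint32(buf[0x3C:], 0x40) // e_lfanew -> 0x40
	copy(buf[0x40:], "PE\x00\x00")
	return buf
}

// IsPE reports whether data has a PE layout: "MZ" at offset 0 and "PE\0\0"
// at the offset stored in e_lfanew. Every read is bounds-checked, so a
// truncated or hostile input returns false instead of panicking.
func IsPE(data []byte) bool {
	if len(data) < 0x40 || data[0] != 'M' || data[1] != 'Z' {
		return false
	}
	off := binary.LittleEndian.Uint32(data[0x3C:0x40])
	if uint64(off)+4 > uint64(len(data)) {
		return false // e_lfanew points past the end of the input
	}
	sig := data[off : off+4]
	return sig[0] == 'P' && sig[1] == 'E' && sig[2] == 0 && sig[3] == 0
}

func main() {
	fmt.Println(IsPE(MinimalPEHeader()))        // true
	fmt.Println(IsPE(MinimalPEHeader()[:0x40])) // false: signature cut off
	fmt.Println(IsPE([]byte("\x7fELF")))        // false: not a DOS/PE header
}
```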
@chkp-erezca, please update to https://github.com/gabriel-vasile/mimetype/releases/tag/v1.4.5
fixes #550
I was unsure what the source code for the existing binary was, so I blindly tried with a simple Go package with this as main.go:
Happy to recompile on Go 1.22 if specific source code is needed for this binary.