Gradle 6.4 wrapper incorrectly marked as potentially malicious

[lptr]

I'm running VSCode on my macOS Catalina, using an SSH remote to open a Java project on a Windows 10 machine. Upon opening the project (see https://github.com/gradle/native-platform/tree/b8f27b864ff82621cb80e127579c1a75b682be91) I got the following warning pop-up:

The repo at this time uses a wrapper JAR from Gradle 6.4. The SHA256 of the JAR is 70239e6ca1f0d5e3b2808ef6d82390cf9ad58d3a3a0d271677a51d1b89475857, which matches the officially published one (see https://services.gradle.org/versions/all and https://services.gradle.org/distributions/gradle-6.4-wrapper.jar.sha256).

This means that the JAR should not be flagged, yet it is.

Environment

• Operating System: macOS Catalina / Windows 10
• JDK version: OpenJDK 11
• Visual Studio Code version: 1.45.1
• Java extension version: 0.62.0

[snjeza]

I can't reproduce the issue.
Is there the ~/.tooling/gradle/checksums/gradle-6.4-wrapper.jar.sha256 file on your ssh server?

[lptr]

Yes, and it has the correct contents:

PS C:\Users\vmadmin\.tooling\gradle\checksums> cat gradle-6.4-wrapper.jar.sha256
70239e6ca1f0d5e3b2808ef6d82390cf9ad58d3a3a0d271677a51d1b89475857

[lptr]

Where do these files come from? Is it possible that they were updated after I got the error?

[snjeza]

Where do these files come from? Is it possible that they were updated after I got the error?

Yes. You probably face a connection limit. Could you reproduce the error when starting VS Code again?

[fbricon]

Should be fixed with eclipse-jdtls/eclipse.jdt.ls#1486