Since the 21st of Sept., I have been getting the following messages from my daily ClamAV scan:
/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/rubyzip-1.2.2/test/data/path_traversal/tuzovakaoff/symlink.zip: Sanesecurity.Malware.27384.ZipHeur.ZipSlip.UNOFFICIAL FOUND
/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/rubyzip-1.2.2/test/data/path_traversal/relative1.zip: Sanesecurity.Malware.27384.ZipHeur.ZipSlip.UNOFFICIAL FOUND
/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/rubyzip-1.2.2/test/data/path_traversal/jwilk/relative2.zip: Sanesecurity.Malware.27384.ZipHeur.ZipSlip.UNOFFICIAL FOUND
This is because the Sanesecurity signature base gets those three files as vulnerable to a known risk.
Joining in on the request to exclude test_files from the gemspec. As can be seen on rubygems/rubygems#735, many packages are removing this as it is not needed anymore.
For me specifically, due to malware scanning of packages before admitting them to the network, the file zipWithEncryption.zip causes a silly alert, as the 3rd-party system cannot scan it. Removing the tests (which are not needed anymore) will solve the issue and lighten the gem.