[CentOS] Is shellcheck safe?

Sat Jan 22 20:34:36 UTC 2022
Vidar Holen <vidar at vidarholen.net>

The ShellCheck binaries are built on Ubuntu-based Docker images via GitHub
Actions, which also uses Ubuntu.

PS: Bkav reports that the issue has been fixed, and re-visiting the
original VirusTotal.com URL no longer shows any detected issues. The same
is true when uploading new Haskell binaries.

On Fri, Jan 21, 2022 at 10:31 PM Thomas Stephen Lee <lee.iitb at gmail.com>
wrote:

> On Thu, Jan 20, 2022 at 10:09 AM Vidar Holen <vidar at vidarholen.net> wrote:
> >
> > This is purely a Bkav Pro issue. I don't know what it's looking for, but
> > it's clearly not accurate enough. All the search hits I get about
> > VEX.Webshell are questions about why this single and rather unknown scanner
> > is identifying it in a wide variety of files.
> >
> > On Wed, Jan 19, 2022 at 6:31 PM Thomas Stephen Lee <lee.iitb at gmail.com> wrote:
> >>
> >> Thanks a lot for the clarification.👍
> >> By the way, is this a Haskell bug?
> >>
> >> Thanks
> >>
> >> ---
> >> Lee
> >>
> >> On Thu, Jan 20, 2022 at 5:07 AM Vidar Holen via CentOS
> >> <centos at centos.org> wrote:
> >> >
> >> > Hi, ShellCheck author here.
> >> >
> >> > Regarding the scanner "Bkav Pro" detecting "VEX.Webshell" according to
> >> > VirusTotal.com, this is a false positive that seems to trigger on every
> >> > Haskell binary including a simple "Hello World". It further appears to
> >> > trigger on a number of unrelated repositories. See internal issue
> >> > https://github.com/koalaman/shellcheck/issues/2432
> >> >
> >> > The Bkav Corporation does not appear to have a false positive submission
> >> > process that I could find using Google Translate on bkav.com.vn, but I
> >> > emailed a general product contact address about it. Hopefully they'll make
> >> > the check more accurate in the future.
> >> >
> >> > Regards,
> >> > Vidar Holen
> >> >
> >> > (Sorry about the bad reply-to, I wasn't on the list when the discussion
> >> > started)
>
> Hi Vidar,
>
> What OS do you use to build the binary?
>
> Thanks
>
> ---
> Lee
>