[CentOS] Is shellcheck safe?

Sun Jan 23 05:30:00 UTC 2022
Thomas Stephen Lee <lee.iitb at gmail.com>

On Sun, Jan 23, 2022 at 2:05 AM Vidar Holen <vidar at vidarholen.net> wrote:
>
> The ShellCheck binaries are built on Ubuntu-based Docker images via GitHub Actions, which also uses Ubuntu.
>
> PS: Bkav reports that the issue has been fixed, and re-visiting the original VirusTotal.com URL no longer shows any detected issues. The same is true when uploading new Haskell binaries.
>
> On Fri, Jan 21, 2022 at 10:31 PM Thomas Stephen Lee <lee.iitb at gmail.com> wrote:
>>
>> On Thu, Jan 20, 2022 at 10:09 AM Vidar Holen <vidar at vidarholen.net> wrote:
>> >
>> > This is purely a Bkav Pro issue. I don't know what it's looking for, but it's clearly not accurate enough. All the search hits I get about VEX.Webshell are questions about why this single and rather unknown scanner is identifying it in a wide variety of files.
>> >
>> > On Wed, Jan 19, 2022 at 6:31 PM Thomas Stephen Lee <lee.iitb at gmail.com> wrote:
>> >>
>> >> Thanks a lot for the clarification.👍
>> >> By the way, is this a Haskell bug?
>> >>
>> >> Thanks
>> >>
>> >> ---
>> >> Lee
>> >>
>> >> On Thu, Jan 20, 2022 at 5:07 AM Vidar Holen via CentOS
>> >> <centos at centos.org> wrote:
>> >> >
>> >> > Hi, ShellCheck author here.
>> >> >
>> >> > Regarding the scanner "Bkav Pro" detecting "VEX.Webshell" according to
>> >> > VirusTotal.com, this is a false positive that seems to trigger on every
>> >> > Haskell binary including a simple "Hello World". It further appears to
>> >> > trigger on a number of unrelated repositories. See internal issue
>> >> > https://github.com/koalaman/shellcheck/issues/2432
>> >> >
>> >> > The Bkav Corporation does not appear to have a false positive submission
>> >> > process that I could find using Google Translate on bkav.com.vn, but I
>> >> > emailed a general product contact address about it. Hopefully they'll make
>> >> > the check more accurate in the future.
>> >> >
>> >> > Regards,
>> >> > Vidar Holen
>> >> >
>> >> > (Sorry about the bad reply-to, I wasn't on the list when the discussion
>> >> > started)
>>
>> Hi Vidar,
>>
>> What OS do you use to build the binary?
>>
>> Thanks
>>
>> ---
>> Lee

Hi Vidar,

Thanks a lot for the prompt action and reply.
I tested a Haskell hello world in a few Vagrant images (Fedora, Ubuntu,
Debian, etc.), which gave clean results on VirusTotal.
Great to see the issue is fixed now.

---
Lee