Is Shellcheck Safe?
Hi,
I downloaded, extracted, and ran 0.8.0
https://github.com/koalaman/shellcheck/releases
After running, I submitted the file to VirusTotal with the below result.
https://www.virustotal.com/gui/file/f4bce23c11c3919c1b20bcb0f206f6b44c44e26f2bc95f8aa708716095fa0651
Should I be concerned that I ran the program once?
Thanks
–
8 thoughts on - Is Shellcheck Safe?
On 2022-01-17 06:30 Thomas Stephen Lee wrote:
I don’t see anything wrong with the shellcheck repository. Anyway, the golden rules always apply: check your script on a test machine and, if needed, update your bash script on the production server.
Regards.
ShellCheck is available in EPEL (v0.3.8), at least for rhel7, if that is any indication of its trustworthiness. The (older) EPEL version scans clean on VirusTotal.
You could look at the source code changes between the two releases and make a judgement if you feel there is any reason to be concerned. Alternatively I would suggest submitting a copy to the AV vendor who flagged it for further investigation as a potential false positive.
Phil
Hi, ShellCheck author here.
Regarding the scanner “Bkav Pro” detecting “VEX.Webshell” according to VirusTotal.com, this is a false positive that seems to trigger on every Haskell binary including a simple “Hello World”. It further appears to trigger on a number of unrelated repositories. See internal issue https://github.com/koalaman/shellcheck/issues/2432
The Bkav Corporation does not appear to have a false positive submission process that I could find using Google Translate on bkav.com.vn, but I emailed a general product contact address about it. Hopefully they’ll make the check more accurate in the future.
Regards, Vidar Holen
(Sorry about the bad reply-to, I wasn’t on the list when the discussion started)
Thanks a lot for the clarification.
This is purely a Bkav Pro issue. I don’t know what it’s looking for, but it’s clearly not accurate enough. All the search hits I get about VEX.Webshell are questions about why this single and rather unknown scanner is identifying it in a wide variety of files.
CentOS mailing list CentOS@CentOS.org https://lists.CentOS.org/mailman/listinfo/CentOS
Hi Vidar,
What OS do you use to build the binary?
Thanks
—
Lee
The ShellCheck binaries are built on Ubuntu-based Docker images via GitHub Actions, which also uses Ubuntu.
PS: Bkav reports that the issue has been fixed, and re-visiting the original VirusTotal.com URL no longer shows any detected issues. The same is true when uploading new Haskell binaries.
Hi Vidar,
Thanks a lot for the prompt action and reply. I tested Haskell hello world in a few Vagrant images (Fedora, Ubuntu, Debian, etc.), which gave clean results on VirusTotal. Great to see the issue is fixed now.
—
Lee