Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add ability to check issues against Virus Total #945

Open
wants to merge 4 commits into
base: master
Choose a base branch
from

Conversation

AdmiringWorm
Copy link
Member

This pull requests adds the ability to check if there are already virus reports available on VirusTotal for the specified download url.
If there is no report available, it will add to the comment details as such.

This code requires that a secret variable is added to the Settings page of this repository called VIRUS_TOTAL_API_KEY, and needs to be added by someone with access to a VirusTotal api key and the repository settings page.

@AdmiringWorm AdmiringWorm requested review from gep13 and pauby February 24, 2021 14:27
@AdmiringWorm
Copy link
Member Author

Example of the details comments with the information added can be seen here:

With viruses in the report: AdmiringWorm#59 (comment)
With no viruses found: AdmiringWorm#47 (comment)
With no report available: AdmiringWorm#60 (comment)

@tunisiano187
Copy link
Contributor

tunisiano187 commented May 10, 2021

Maybe hybrid-analysis could be interesting, as VT is used by them + others ;-)
https://www.hybrid-analysis.com/docs/api/v2

max limit to 100m so no sorry

@AdmiringWorm
Copy link
Member Author

@tunisiano187 the intention from my end isn't to upload any files, only to check and verify any existing virus scan results.

@tunisiano187
Copy link
Contributor

tunisiano187 commented May 10, 2021

yes , Hybrid analysis do that with their own scans + Virus Total's without limit per hour ... that was the interesting point.
but i don't know if that's possible to send the hash directly to scan...

@AdmiringWorm
Copy link
Member Author

I see, TBH, I had never heard of the website before.
Looking at it now, it does seem that it supports getting reports from a sha256 at least, but that would obviously not scan any new files.

@ferdnyc
Copy link

ferdnyc commented Jul 8, 2021

@tunisiano187

Maybe hybrid-analysis could be interesting, as VT is used by them + others ;-) https://www.hybrid-analysis.com/docs/api/v2
max limit to 100m so no sorry

It looks like those limits only apply to direct uploads, though -- I just submitted a Chocolatey package to their API directly via the download URL (swig.4.0.2.04082020.nupkg, chosen pretty much at random), and they were able to scan it from there. I'm assuming the size limit wouldn't apply, going that route.
I assume incorrectly.

A bigger issue may be that they don't appear to support .nupkg files vey well, at current... you can see the results of the scan by looking up this hash in their API tool, if you have an API key:

33082cb5097d8535a98a80949109eb06391551b4f1eb24988635d6c7ea37f13c

They list the type as "Microsoft OOXML" (which is accurate), and the type strings as "docx" and "office" (which are not). The scan seems to be treating the package as a document, rather than an executable.

Ahhh, dangit. I just tried to point it at the URL for a larger .exe installer, and you're right -- the 100MB limit applies no matter how you submit the file to be scanned. So, doubly scratch that.

@AdmiringWorm AdmiringWorm force-pushed the virus-total branch 2 times, most recently from 7f3fd9b to 08d7df4 Compare June 3, 2022 11:28
@mkevenaar
Copy link
Member

Hi @AdmiringWorm I wanted to take this for a spin on your branch, but it seems that you have switched branches

@AdmiringWorm
Copy link
Member Author

Hi @AdmiringWorm I wanted to take this for a spin on your branch, but it seems that you have switched branches

Yeah, I was working on something else and had the branch changed to the work in progress there.

I have switched back to the branch for this PR, so if you want to check it out then feel free to do so now.

gep13
gep13 previously requested changes Jun 30, 2022
Copy link
Member

@gep13 gep13 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just some minor suggestions here, otherwise, this LGTM!

scripts/private/messages.ps1 Outdated Show resolved Hide resolved
scripts/private/messages.ps1 Outdated Show resolved Hide resolved
scripts/private/messages.ps1 Outdated Show resolved Hide resolved
scripts/private/messages.ps1 Outdated Show resolved Hide resolved
@AdmiringWorm AdmiringWorm requested a review from gep13 March 1, 2024 09:30
@AdmiringWorm AdmiringWorm requested review from JPRuskin and removed request for pauby March 1, 2024 10:21
@@ -0,0 +1,3 @@
{
"powershell.codeFormatting.addWhitespaceAroundPipe": true
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems like a fine change, but may have been an unintended addition?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When this change was added it was automatically added by vscode, however as it is the default I decided to leave it in.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've decided to get this removed again


try {
# next we try to serialize as hash table
return $inputObject | ConvertFrom-Json -AsHashtable
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

-AsHashtable may not be supported in PS5. We're using windows-latest in our tasks, but I think the way we're running it may take us to PowerShell rather than Pwsh. May be wrong! I don't know what we're targetting here, just noting as we normally dive into backwards compatibility.

That may also be fine, as this is being used post-IRM, which (I thought) should convert from JSON anyway, and this may just fall down to returning the object as-is. Looking at the API, though, it's... hm, fun.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

-AsHashtable may not be supported in PS5.

You are right, it is not supported in PS5. We are however explicitly telling GitHub action to use Pwsh, so that is fine. Backwards compatibility is not a concern as these files aren't supposed to be ran on a users computer.

Also to mention, from what I remember when this was added the entire thing would fall over if -AsHashtable wasn't used.

@@ -19,7 +19,7 @@ class StatusCheckMessages {
static [string]$checkingUserMarkedDownloadUrlPublic = "Checking if user have marked the download URL as being public and not bedind a paywall";
static [string]$checkingUserProvidedDirectDownloadUrl = "Checking if the user have provided a direct download URL";
static [string]$checkingUserProvidedSoftwareProjectUrl = "Checking if user have provided a URL to the software project";
static [string]$checkingUserSearchedForOpenIssues = "Checking if the user have checked for already opened issues";
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can't see associated calls for this being removed (e.g. line 69 of scripts/private/validations/Get-NewPackageValidationResult.ps1).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch, not sure why it was removed, but I'll get it added back.

@@ -19,7 +19,7 @@ class StatusCheckMessages {
static [string]$checkingUserMarkedDownloadUrlPublic = "Checking if user have marked the download URL as being public and not bedind a paywall";
static [string]$checkingUserProvidedDirectDownloadUrl = "Checking if the user have provided a direct download URL";
static [string]$checkingUserProvidedSoftwareProjectUrl = "Checking if user have provided a URL to the software project";
static [string]$checkingUserSearchedForOpenIssues = "Checking if the user have checked for already opened issues";
static [string]$checkingvirusTotalCheckSearchedForOpenIssues = "Checking if the user have checked for already opened issues";
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
static [string]$checkingvirusTotalCheckSearchedForOpenIssues = "Checking if the user have checked for already opened issues";
static [string]$checkingvirusTotalCheckSearchedForOpenIssues = "Checking for Virus Total issues";

Minor, phrasing to update from the previous message. The variable name is a little... cloudy. It seems like $virusTotalCheck, below, is doing this work for this. It's possible this line should be rolled back?

Copy link
Member Author

@AdmiringWorm AdmiringWorm Mar 1, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The suggestion here doesn't follow the same format as the other check messages (These are the messages outputted in the GitHub action, but not anywhere else).

I'll figure out something to change this to, as it is currently wrong.

EDIT: When looking again, this was incorrectly renamed. Not sure what was going on here.

@@ -0,0 +1,72 @@
function Get-JsonResults() {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
function Get-JsonResults() {
function Get-JsonResults {

I didn't realise you could specify param blocks both as a simple and advanced function at once! Probably worth tidying up, though.

Edit: Ah, had a play. Looks like it's only trouble if you specify parameters in both places. Interesting!

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It may also be worth supporting pipelining here, but... it's here, it works. No point in changing it if it's fine, etc.

@AdmiringWorm AdmiringWorm requested review from JPRuskin and removed request for gep13 March 1, 2024 13:29
@Alexander355a

This comment was marked as off-topic.

Alexander355a

This comment was marked as off-topic.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants