https://ci.bleachbit.org/ is flagged as Dangerous by Google's Safe Browsing about bleachbit HOT 6 OPEN

@tonyping, thank you for the report. @az0, I also see this.

from bleachbit.

@tonyping

I've read their docs, modified the text of the page to add the "fine print section," and requested a reviewed. The best I could figure out is that it's related to the builds of the new Python branch, so I uploaded all those files individually, but it didn't flag any individual files. I also uploaded the new installer to external scanners, but it didn't give any insights.

Google likes to automate everything, and I don't a way to report a false positive or get more details, so what's left is a blind process of reverse engineering.

For now I removed the folder 4.4.2.2333-mkhon-python310

See also #1448

from bleachbit.

@tonyping

Google likes to automate everything, and I don't a way to report a false positive or get more details, so what's left is a blind process of reverse engineering.

Yeah I reached a similar conclusion from the docs. They basically want you to just figure it out for yourself, although their criteria for malware does leaves too much room for interpretation and can lead to grey areas.

Those same areas that a software scanner can't reliably judge, nonetheless are still being tasked with. However, given Google's scale, I don't blame them, as I can't see any other feasible solution.

Have you tried Hybrid Analysis? https://www.hybrid-analysis.com

Maybe the sandbox reports show something. I submitted one but they do take a while to process.

from bleachbit.

Latest nightly:

https://www.hybrid-analysis.com/sample/f8617873259294fe3392a44207e8df0a9996c5cb169f868d97e0e11c04ca997a/64a510f4b3c160a68707138a

from bleachbit.

Here's irony: Google flags the latest comment in this discussion as unsafe too.

Security scanners flag BleachBit because

1. The application contains the Python runtime and GTK toolkit, which are general and contain many capabilities.
2. By design, the application has to do "unsafe" things such as reading/changing the registry, marking files for deletion, and checking running processes.

In the past with the false positives , the general process is to submit the application for review ("whitelisting"), even though they deal with many users and flagged software, but Google doesn't allow that.

Adding my digital certificate many help, but that's for beta and final releases---not for the CI site.

from bleachbit.

Google Search Console identified that https://ci.bleachbit.org/?prefix=dl/4.4.2.2265-mkhon-python310/ was the problem. As I removed it earlier, I requested a re-review. For now, the whole site is still flagged

from bleachbit.