Security Policy violation Binary Artifacts

[allstar-app]

This issue was automatically created by Allstar.

Security Policy Violation
Project is out of compliance with Binary Artifacts policy: binaries present in source code

Rule Description
Binary Artifacts are an increased security risk in your repository. Binary artifacts cannot be reviewed, allowing the introduction of possibly obsolete or maliciously subverted executables. For more information see the Security Scorecards Documentation for Binary Artifacts.

Remediation Steps
To remediate, remove the generated executable artifacts from the repository.

Artifacts Found

• lib/modules/manager/gradle-wrapper/fixtures/expectedFiles/gradle/wrapper/gradle-wrapper.jar
• lib/modules/manager/gradle-wrapper/fixtures/testFiles-copy/gradle/wrapper/gradle-wrapper.jar
• lib/modules/manager/gradle-wrapper/fixtures/testFiles/gradle/wrapper/gradle-wrapper.jar

Additional Information
This policy is drawn from Security Scorecards, which is a tool that scores a project's adherence to security best practices. You may wish to run a Scorecards scan directly on this repository for more details.

---

This issue will auto resolve when the policy is in compliance.

Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

[rarkins]

@JamieMagee @viceice do you think we're justified in ignoring it?

[JamieMagee]

Maybe...

If yes, we might open an issue upstream asking if we can configure ignore patterns. If no, we should see if there is an alternative to having gradle files in the repo

[viceice]

We should ignore them.

[HonkingGoose]

If yes, we might open an issue upstream asking if we can configure ignore patterns. If no, we should see if there is an alternative to having gradle files in the repo

There are issues asking for ignore lists already:

• Feature: provide an ignore list for Binary-Artifact check in GitHub action ossf/scorecard#1270
• add ability to pass ignore list ossf/scorecard#1406

[rarkins]

Seems like testdata is or was a magic name they ignore: ossf/scorecard#1256 (comment)

Maybe we could make __fixtures__/testdata/ ?

[allstar-app]

Updating issue after ping interval. Status:
Project is out of compliance with Binary Artifacts policy: binaries present in source code

Rule Description
Binary Artifacts are an increased security risk in your repository. Binary artifacts cannot be reviewed, allowing the introduction of possibly obsolete or maliciously subverted executables. For more information see the Security Scorecards Documentation for Binary Artifacts.

Remediation Steps
To remediate, remove the generated executable artifacts from the repository.

Artifacts Found

• lib/modules/manager/gradle-wrapper/fixtures/expectedFiles/gradle/wrapper/gradle-wrapper.jar
• lib/modules/manager/gradle-wrapper/fixtures/testFiles-copy/gradle/wrapper/gradle-wrapper.jar
• lib/modules/manager/gradle-wrapper/fixtures/testFiles/gradle/wrapper/gradle-wrapper.jar

Additional Information
This policy is drawn from Security Scorecards, which is a tool that scores a project's adherence to security best practices. You may wish to run a Scorecards scan directly on this repository for more details.

[allstar-app]

Updating issue after ping interval. Status:
Project is out of compliance with Binary Artifacts policy: binaries present in source code

Rule Description
Binary Artifacts are an increased security risk in your repository. Binary artifacts cannot be reviewed, allowing the introduction of possibly obsolete or maliciously subverted executables. For more information see the Security Scorecards Documentation for Binary Artifacts.

Remediation Steps
To remediate, remove the generated executable artifacts from the repository.

Artifacts Found

• lib/modules/manager/gradle-wrapper/fixtures/expectedFiles/gradle/wrapper/gradle-wrapper.jar
• lib/modules/manager/gradle-wrapper/fixtures/testFiles-copy/gradle/wrapper/gradle-wrapper.jar
• lib/modules/manager/gradle-wrapper/fixtures/testFiles/gradle/wrapper/gradle-wrapper.jar

Additional Information
This policy is drawn from Security Scorecards, which is a tool that scores a project's adherence to security best practices. You may wish to run a Scorecards scan directly on this repository for more details.

[allstar-app]

Updating issue after ping interval. Status:
Project is out of compliance with Binary Artifacts policy: binaries present in source code

Rule Description
Binary Artifacts are an increased security risk in your repository. Binary artifacts cannot be reviewed, allowing the introduction of possibly obsolete or maliciously subverted executables. For more information see the Security Scorecards Documentation for Binary Artifacts.

Remediation Steps
To remediate, remove the generated executable artifacts from the repository.

Artifacts Found

• lib/modules/manager/gradle-wrapper/fixtures/expectedFiles/gradle/wrapper/gradle-wrapper.jar
• lib/modules/manager/gradle-wrapper/fixtures/testFiles-copy/gradle/wrapper/gradle-wrapper.jar
• lib/modules/manager/gradle-wrapper/fixtures/testFiles/gradle/wrapper/gradle-wrapper.jar

Additional Information
This policy is drawn from Security Scorecards, which is a tool that scores a project's adherence to security best practices. You may wish to run a Scorecards scan directly on this repository for more details.

[rarkins]

FYI I've now suspended this app due to the noise caused by this false positive

[viceice]

You can also simply remove subscription hen no more notifications will be sent. 😅

[JamieMagee]

I spoke with @jeffmendoza, and it should now¹ be possible to set an ignore list of files. If I am reading the documentation correctly, we need to add a .allstar/allstar.yaml file with the content:

IgnorePaths:
  - ...
  - ...

Footnotes

1. https://github.com/ossf/allstar/pull/176 ↩