Handle the Case of Suspicious Packages when Trust Tool Results (Paranoid) Mode is Disabled #483

@abhisek

Description

Ref: safedep/vet-action#109 (comment)

For malicious package handling, we follow the rule:

  1. Fail if confirmed malicious with verification record
  2. Fail if suspicious and trust-tool-results (paranoid) is enabled

This is handled by MalwareAnalyzer
https://github.com/safedep/vet/blob/main/pkg/analyzer/malware.go

In case of [2], the markdown summary report however indicates that the Malware policy has failed, using ❌. Ideally it should be ⚠ or something like that.

Incorrect behaviour example:
k9exp/vet-action-issue-verify#3

I don't think we need to do anything in the Markdown Summary reporter. The fix will most likely be in:
https://github.com/safedep/vet/blob/main/pkg/analyzer/malware.go#L92

Here we need to follow a consistent logic before triggering a Malware related policy violation.
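To make the decision rule from the issue concrete, here is an added example (not code from the vet project, and not the author's) of a single verdict function that the analyzer and the summary reporter could both consult, so the ❌ / ⚠ marker always agrees with whether a policy violation was actually raised. The `MalwareAnalysis` struct, the `Verdict` type, `Decide`, `Marker` and the ✅ pass marker are all assumptions made for this example; one further assumption is that a "confirmed malicious" result without a verification record is treated as merely suspicious, since the rule in the issue only fails the verified case.

```go
package main

import "fmt"

// MalwareAnalysis is a simplified stand-in for an analyzer result (assumed shape,
// not vet's actual type).
type MalwareAnalysis struct {
	Package            string
	ConfirmedMalicious bool // analysis says the package is malicious
	VerificationRecord bool // the malicious finding is backed by a verification record
	Suspicious         bool // heuristic / unverified signal only
}

// Verdict is the single outcome both the policy check and the report should use.
type Verdict int

const (
	VerdictPass Verdict = iota // nothing found: no violation, ✅ in the report
	VerdictWarn                // suspicious, paranoid off: no violation, ⚠ in the report
	VerdictFail                // policy violation: ❌ in the report
)

func (v Verdict) String() string {
	switch v {
	case VerdictPass:
		return "pass"
	case VerdictWarn:
		return "warn"
	default:
		return "fail"
	}
}

// Decide applies the rule stated in the issue:
//  1. fail if confirmed malicious with a verification record
//  2. fail if suspicious and trust-tool-results (paranoid) is enabled
// Anything suspicious that does not meet those conditions is a warning, not a
// violation. Assumption: confirmed-but-unverified is treated as suspicious.
func Decide(a MalwareAnalysis, paranoid bool) Verdict {
	if a.ConfirmedMalicious && a.VerificationRecord {
		return VerdictFail
	}
	suspicious := a.Suspicious || a.ConfirmedMalicious
	switch {
	case suspicious && paranoid:
		return VerdictFail
	case suspicious:
		return VerdictWarn
	default:
		return VerdictPass
	}
}

// IsViolation is what the policy layer should ask; only a fail verdict raises one.
func IsViolation(v Verdict) bool { return v == VerdictFail }

// Marker is what the markdown summary should print for the same verdict, so the
// report can never show ❌ for a case that raised no violation.
func Marker(v Verdict) string {
	switch v {
	case VerdictFail:
		return "❌"
	case VerdictWarn:
		return "⚠"
	default:
		return "✅" // assumed marker for a clean result
	}
}

func main() {
	// Constructed sample results, not real packages.
	samples := []MalwareAnalysis{
		{Package: "pkg-a", ConfirmedMalicious: true, VerificationRecord: true},
		{Package: "pkg-b", Suspicious: true},
		{Package: "pkg-c", ConfirmedMalicious: true},
		{Package: "pkg-d"},
	}
	for _, paranoid := range []bool{false, true} {
		fmt.Printf("paranoid=%v\n", paranoid)
		for _, s := range samples {
			v := Decide(s, paranoid)
			fmt.Printf("  %s %-6s violation=%v %s\n", Marker(v), s.Package, IsViolation(v), v)
		}
	}
}
```

The point of routing both the policy check and the report through `Decide` is that the marker is derived from the verdict rather than from the raw "suspicious" flag, which is exactly the inconsistency the issue describes.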
