BUG: Scorecard complains about ELF files even when they are testcases and not-executable
Describe the bug
Some projects need ELF files for purposes other than running code.
For example, AFL contains ELF files that are example testcases that have crashed the strings program.
I imagine binary analysis tools have the same problem.
However, allstar complains about these files even if they are marked non-executable.
Reproduction steps
See example: https://github.com/google/AFL/issues/155
Expected behavior
Non-executable files should not be considered a security risk. Under reasonable assumptions (i.e. a testcase is not gonna exploit a buffer overflow in our program and use that to own the user), these files cannot do anything malicious. I've been told that these files are problematic because they are not reviewable. However, plenty of things that are not reviewable are still accepted, e.g. PNG and PDF files, which are often included in repos.
Additional context
I don't think the fact that these files can be malicious if they are marked executable is a reason to flag them. It's possible to hide executables in other files that can be executed; see this PDF (viewable using evince, not Chrome sadly) made by corkami, which you can mark executable and execute as an ELF. So binary files that aren't usually executable can attack users using this same method.
CorkaMInuX.pdf
CC @laurentsimon
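The distinction the report draws, file content versus executable bit, can be checked on a checkout with a short script. This is an added example, not part of the original issue and not Scorecard's or Allstar's own check; the function names and the sample tree are constructed for illustration. It classifies by the ELF magic at offset 0 rather than by file name, so a file with a `.pdf` name that starts with an ELF header is reported too.

```python
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"  # an ELF header must sit at offset 0 of the file

def classify(path):
    """Return (is_elf, has_exec_bit) from file content and mode, not its name."""
    with open(path, "rb") as f:
        is_elf = f.read(4) == ELF_MAGIC
    mode = os.stat(path).st_mode
    has_exec_bit = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    return is_elf, has_exec_bit

def scan(root):
    """Map each ELF file under root to 'elf-executable' or 'elf-non-executable'."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip VCS metadata
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            is_elf, has_exec_bit = classify(path)
            if is_elf:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = "elf-executable" if has_exec_bit else "elf-non-executable"
    return findings

def demo():
    """Build a constructed sample tree (not real binaries) and scan it."""
    samples = {  # relative path -> (constructed bytes, mode)
        "testcases/crash.elf": (ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9, 0o644),
        "bin/tool": (ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9, 0o755),
        "docs/polyglot.pdf": (ELF_MAGIC + b"\x00" * 60 + b"%PDF-1.4\n", 0o644),
        "docs/manual.pdf": (b"%PDF-1.4\n", 0o644),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (data, mode) in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
            os.chmod(path, mode)
        return scan(root)

if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:20} {rel}")
```
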