False positive detection of binary file for Binary-Artifacts checker
Describe the bug
False positive detection of binary file for Binary-Artifacts checker
Reproduction steps
Look at https://securityscorecards.dev/viewer/?uri=github.com/OSGeo/gdal. It indicates in Binary-Artifacts "Warn: binary detected: autotest/gdrivers/data/esric/Layers/_alllayers/L01/R0000C0000.bundle:1"
This is this file: https://github.com/OSGeo/gdal/blob/master/autotest/gdrivers/data/esric/Layers/_alllayers/L01/R0000C0000.bundle
It is a data file used by the regression test suite of the software, not an executable/binary file.
Expected behavior
That file shouldn't be counted as a binary artifact.
We're working on a feature this quarter for maintainers to mark test data as a false positive.
Closing because this will be addressed with the Structured Results feature. We can always revisit if needed.
@afmarcum Is there some documentation about "Structured Results" and how to add an exemption for a false positive binary artifact? Couldn't find any.
@rouault reopening the issue until Structured Results is released and this issue can be resolved. Targeting early April.