Description of the issue
Please review the build process or investigate a false positive.
After downloading (with a Mac) and checking the SHA-256 sum, some anti-malware / antivirus tools detect Windows trojans in the class files. After unpacking the included sources and reviewing the source code corresponding to the detected class file, the source code seems to be OK.
To Reproduce
ghidra_9.0_PUBLIC_20190228.zip.FunctionReachabilityPlugin.class
Expected behavior
No (false nor true) trojan detections should be happening if the provided source code for that class was actually what was compiled.
I bet it's a false positive... Surely something from NSA is trustable..
/irony
The plugin itself is clean. Suspect it is getting flagged on either a string or the method to map paths between two functions.
https://github.com/quosego/ghidra.features/tree/master/src/ghidra/app/plugin/core/reachability
Edit: I could replicate as well
Either way I reported this back to BF
Agree, source code is clean. They need to clear the issue as if what is in the source code was what was compiled, it shouldn’t be flagged by any anti malware.
@gvisoc you can push rebuild of //Features//lib//Base.jar on your end and see if it can unflag it with another rebuild
I wrote a tutorial the day this came out regarding building and modifying. I shouldn't have removed it. Would've solved like 90% of the issues occurring for most people. Wanted to wait for the official documentation to be released. Anyways, reuploading some parts.
https://github.com/quosego/ghidra.help/blob/master/MODULES.MD
Thanks @quosego, I'll go through that as soon as I can download the necessary tools (I'm currently behind a proxy) and figure out the Eclipse layout (I turned into an IDEA-listic ¯_(ツ)_/¯) for the sake of sorting these doubts out. Potentially within the weekend as now I'm behind a proxy. Also sorry for the delay --I'm in the Sydney timezone.
Nonetheless, that would not fix the issue as I can't contribute to this very repo until they disclose the full platform. The issue I see here is that the main official distribution, that passes the SHA-256 checksum, that we can't fully build, comes shipped with that detection. The scope of this issue affects the package we download as a release from the official website, so it's for the NSA to act on this positive (false, according to the source code), and either publish a note on the false positive and further fix it with BitDefender, or publish a release that doesn't give such a detection.
My point is that, from an external perspective and without having access to the master branch, there is a chance (the smallest, maybe) that one of the pipeline servers (build, package, deploy...) was compromised.
Edit: English as a second language miscellaneous problems.
Are you still seeing this? Does it happen if you extract FunctionReachabilityPlugin.class from the jar and scan just that file? I currently don't have access to BitDefender but VirusTotal is showing it as clean.
I've been decompiling the class with different products over the weekend only to see the recognisable source code (@quosego I wasn't able to properly build) and, besides, today the Bitdefender stopped reporting the file after an update (I was just checking the file again before reporting the false positive to Bitdefender).
I'm closing the issue @ryanmkurtz
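The triage step discussed in this thread (hash the download, then pull FunctionReachabilityPlugin.class out of its jar so it can be hashed and scanned on its own), as an added example that is not part of the original issue or the Ghidra project. The archive layout and file contents below are constructed stand-ins; only the class name and its package path come from the thread.

```python
import hashlib
import io
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first four bytes of every Java class file

def find_class_entries(archive_bytes, class_name, prefix=""):
    """Return [(path, sha256_hex, data)] for each entry named class_name,
    descending into nested .jar/.zip archives without writing to disk."""
    found = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            base = info.filename.rsplit("/", 1)[-1]
            if base == class_name:
                data = zf.read(info)
                found.append((path, hashlib.sha256(data).hexdigest(), data))
            elif base.lower().endswith((".jar", ".zip")):
                try:
                    found.extend(find_class_entries(zf.read(info), class_name, path + "!/"))
                except zipfile.BadZipFile:
                    continue  # named like an archive but is not one; skip it
    return found

# Constructed sample: a tiny stand-in for the release zip with one nested jar.
SAMPLE_CLASS = CLASS_MAGIC + b"constructed placeholder, not real bytecode"
SAMPLE_ENTRY = "ghidra/app/plugin/core/reachability/FunctionReachabilityPlugin.class"

def build_sample_release():
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr(SAMPLE_ENTRY, SAMPLE_CLASS)
        zf.writestr("ghidra/Other.class", CLASS_MAGIC + b"other")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("sample_release/lib/Base.jar", jar.getvalue())
        zf.writestr("sample_release/README.txt", "constructed")
    return outer.getvalue()

if __name__ == "__main__":
    release = build_sample_release()  # for a real download: open(path, "rb").read()
    print("archive sha256:", hashlib.sha256(release).hexdigest())
    for path, digest, data in find_class_entries(release, "FunctionReachabilityPlugin.class"):
        print(path, digest, "class-magic-ok" if data.startswith(CLASS_MAGIC) else "NOT a class file")
        # open("FunctionReachabilityPlugin.class", "wb").write(data)  # to scan the single file
```

The per-class SHA-256 can be looked up on a multi-engine scanner or compared across machines without uploading the whole release archive.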