Remove CRITICAL false positives for popular open-source projects

[tstromberg]

We're using Wolfi as a benchmark open-source repo. There are a dozen or so CRITICAL false positives that exist, mainly relating to Python code.

• probable false: combo/stealer/password in coredns #273
• probable false: 3P/malpedia/win/unidentified/107 with jlinenative.dll in multiple packages #284
• ref/path/dev/shm critical for byobu-6.12/usr/bin/vigpg: /dev/shm/.vigpg-XXXXXXXXXXXX #285
• probable false: evasion/base64/php_functions in cassandra-reaper-3.6, dotty-3.4 #286
• probable false: combo/backdoor/php and evasion/script/obfuscation in composer-2.7 #287
• probable false: evasion/fake/process/name in datadog-agent-7.54 #288
• probable false: net/ddos in datadog-agent-oci-compat-7.54 (synflood) #289
• probable-false: techniques/code_eval in gawk-5.3 ($at_eval) #290
• probable false: combo/backdoor/py_setuptools & combo/backdoor/remote_eval in google-cloud-sdk-469 #291

[imjasonh]

We're using Wolfi as a benchmark open-source repo. There are a dozen or so CRITICAL false positives that exist, mainly relating to Python code.

Is there a list of these somewhere? I'd love to investigate.

[egibs]

Linking recent false positive fix PRs for posterity:

• Remove Kiteshield false negatives #293
• Remove remaining false negatives #297
• Turn off MALPEDIA_Win_Unidentified_107_Auto rule #298
• Resolve datadog-agent DDOS false positive #299
• Resolve datadog-agent kworker false positives #300
• Resolve eval false-positive for gawk #301
• Add separate rule for mkstemp paths in /dev/shm #302
• Tweak password_finder_mimipenguin rule #303
• Update synflood ignore_ref; add clean object to validate against #315
• Fix mlflow false positives re: exec; add clean sample #340
• Address reverse shell false positives within neuvector-enforce agent #352
• Ignore SIGNATURE_BASE_SUSP_PS1_JAB_Pattern_Jun22_1 rule #355
• Fix GitLab healthcheck script false positive #364
• Turn off ELCEEF_HTML_Smuggling_A rule; fix OCI scanning and path displays #365
• Address false positives for playwright and mongosh #367
• Address false positives for Chromium, KOTS, and Nuclei #368
• Address py3-setuptools false positives #369
• Bump bincapz version to 0.16.0 ahead of release #370
• More /dev/tcp rule tweaks for GitLab healthcheck script #372
• Address false positives for SQLPad and Lerna #375
• Address false positives for remaining public packages #378
• Address mlflow PyPI index JSON false positive #385
• Address false positives for mlflow and pytorch #387
• Address false positives with google-cloud-sdk #388
• Address more run-tests.php false positives #389
• Address Kibana false positives #391
• Address false positives with argo-workflows-ui #392
• Address Spark false positives #397

[egibs]

Closing this out -- we've resolved most of the outstanding false positives; new false positives are handled as they show up.