[Question]: AzureRmWebAppDeployment - sudden failures: Malicious Entry error

[DanOrlovsky]

Task name

AzureRmWebAppDeployment

Task version

4.230.1

Environment type (Please select at least one enviroment where you face this issue)

• Self-Hosted
• Microsoft Hosted
• VMSS Pool
• Container

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

No response

Operation system

windows-2022

Question

We're facing a sudden issue with deployments where our health-checks license files appear to be throwing a "Malicious Entry" error:

2023-10-31T16:27:15.7274519Z ##[error]Error: Malicious entry: Licenses\AspNetCore.HealthChecks.Uris_7.0.0.txt

This error first reported on our HeathChecks.KeyVaults pacakge - so I removed that and tried a new build, and now it's throwing on the URI's package.

Our deployments are down but we'd like to keep in the health checks, but may need some guidance as we're hitting a wall with troubleshooting.
We used a previous artifact that was successful on AzureRmWebAppDeployment 4.229.0 - but when I kicked off the deployment again, it used version 4.230.1 and failed.

[timkatje]

Not that the verbose logs shine any more light, but adding them for completion:

2023-10-31T19:04:33.7152115Z ##[debug]This is zip package
2023-10-31T19:04:33.7264777Z ##[debug]Deployment Failed with Error: Error: Malicious entry: Licenses\AspNetCore.HealthChecks.AzureKeyVault_6.0.1.txt
2023-10-31T19:04:33.7266053Z ##[debug]task result: Failed
2023-10-31T19:04:33.7306116Z ##[error]Error: Malicious entry: Licenses\AspNetCore.HealthChecks.AzureKeyVault_6.0.1.txt
2023-10-31T19:04:33.7317226Z ##[debug]Processed: ##vso[task.issue type=error;]Error: Malicious entry: Licenses\AspNetCore.HealthChecks.AzureKeyVault_6.0.1.txt
2023-10-31T19:04:33.7320496Z ##[debug]Processed: ##vso[task.complete result=Failed;]Error: Malicious entry: Licenses\AspNetCore.HealthChecks.AzureKeyVault_6.0.1.txt
2023-10-31T19:04:33.7321867Z ##[debug]Application Insights is not configured for the App Service. Skipping adding release annotation.
2023-10-31T19:04:33.7322838Z ##[debug]Azure_App_Service_Deploy_PackageArtifactAlias=_Planner
2023-10-31T19:04:33.7323466Z ##[debug]release.releaseId=3328

[timkatje]

So, further background on this.

We have a task in the yaml build pipeline that collects all of the licenses for packages used in the project, which creates a NOTICE.txt file with a summary. The task also has a feature that collects all licenses files detected and stores them in the /Licenses directory.

Something appears to be marking some of these text files as malicious when being uploaded to Azure App Service. But we can find little to no information on what process is potentially scanning this file and marking it thus. When I upload the file to VirusTotal, not a single scanner flags it. So, what unique feature in the Azure App Service Deployment task is doing this? It's just a text file, and turning on verbose logging didn't reveal any useful details.

If something gets flagged malicious that's obviously not, it should be reported why and how we can address it.

Temporarily we'll disable the step that outputs the license files in a central location, but we'd like to keep this feature for compliance reasons.

[ericmattingly]

Hi all, we are actively investigating this and will post updates at https://status.dev.azure.com/_admin/event/437430728

[DanOrlovsky]

@ericmattingly I noticed the version was rolled back this morning - and our release pipelines are now back to working. If this happens again when the new version is released, I'll open a new ticket. Thank you.