
Magento 2 security scan

If I have Minify JavaScript Files enabled, I am getting the following:

Your site is compromised with injected JavaScript. (97)
The malicious code signature(s) has been found in resources:
/static/version1523986969/_cache/merged/1e06f00c89935c8b986715dfcd5c1785.min.js

 

Magereport scan doesn't show any issues. If I disable Minify JavaScript Files, the Security scan comes back with no issues found. Is this a glitch in the security scan right now? If not, how can I determine what is causing the issue when I enable minify?

I have Magento 2.2.3 installed. I have seen that a few others have made similar posts in some of my other searches, but none have stated whether it's a glitch or what is causing the issue.

Thanks

3 REPLIES

Re: Magento 2 security scan

I have the exact same issues for two sites I set up to be scanned.

I've verified that there really isn't a real infection and the reports are false positives.

I tried to contact Magento regarding this at the email address provided and got this bounce:

Your message to the Office 365 group securityscan@magento.com couldn't be delivered.
The group securityscan isn't set up to receive messages from

I've had to disable the scans for now because they can't be trusted.

Would be nice to be able to flag something as a false positive or report it in a better way than on the forums.

Re: Magento 2 security scan

Confirming exact same issue here, only seems to happen with minified JS.

Have scanned with many other tools and checked all files, no malware is flagged, and only the Magento Security Scan Tool shows "Your site is compromised with injected JavaScript. (68)"

Seems to be a false positive, but no idea how to report this, or even if Magento are interested?

Re: Magento 2 security scan

Just tacking on: another instance of this is happening to me. I have other security scanners running that say nothing of this issue. I have also downloaded mwscan.txt and grepped as instructed in the current version of magento-malware-scanner (https://github.com/gwillem/magento-malware-scanner/blob/master/docs/usage.md) without finding any issues. As such, this is probably a false positive, but it would be great for Magento to confirm and correct the test case.