Revert "Add support for Virus Total (#3294)"

This reverts commit 313f6d0.

.github/workflows/checkAndSubmitAddonMetadata.yml

@@ -15,9 +15,6 @@ on:
       issueTitle:
         required: true
         type: string
-    secrets:
-      virusTotalApiKey:
-        required: true
 
 jobs:
   getAddonId:
@@ -228,103 +225,11 @@ jobs:
       uses: peter-evans/close-issue@v3
       with:
         issue-number: ${{ inputs.issueNumber }}
-
-  virusTotal-analysis:
-    needs: createPullRequest
-    runs-on: windows-latest
-    strategy:
-      matrix:
-        python-version: [ 3.11 ]
-    permissions:
-      contents: read
-      issues: write
-    env:
-      API_KEY: ${{ secrets.virusTotalApiKey }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-      - name: Download add-on metadata
-        uses: actions/download-artifact@v4
-        with:
-          name: addonMetadata
-      - name: Install virusTotal
-        run: choco install vt-cli
-      - name: Set Virus Total analysis status
-        id: setVirusTotalAnalysisStatus
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const setVirusTotalAnalysisStatus = require('./.github/workflows/virusTotalAnalysis.js')
-            setVirusTotalAnalysisStatus({core})
-      - name: Upload results
-        id: uploadResults
-        if: failure()
-        uses: actions/upload-artifact@v4
-        with:
-          name: VirusTotal
-          path: vt.json
-          overwrite: true
-      - name: Upload manual approval
-        id: uploadManualApproval
-        if: failure()
-        uses: actions/upload-artifact@v4
-        with:
-          name: manualApproval
-          path: reviewedAddons.json
-          overwrite: true
-      - name: Warn if analysis fails
-        if: failure()
-        uses: peter-evans/create-or-update-comment@v4
-        with:
-          issue-number: ${{ inputs.issueNumber }}
-          body: |
-            VirusTotal has flagged this add-on as malicious.
-            You can open this link and [see the results of the analysis](${{ steps.setVirusTotalAnalysisStatus.outputs.analysisUrl }}).
-            Please contact the flagged security vendors to get them to review and unflag the false positive.
-            Please ask here or email info@nvaccess.org if you need assistance with this process.
   codeQL-analysis:
-    needs: [createPullRequest]
+    needs: createPullRequest
     uses: ./.github/workflows/codeql-analysis.yml
-  createManualApproval:
-    needs: [getAddonId, virusTotal-analysis, codeQL-analysis]
-    if: ${{ always() && contains(join(needs.*.result, ','), 'failure') }}
-    runs-on: windows-latest
-    strategy:
-      matrix:
-        python-version: [ 3.11 ]
-    permissions:
-      contents: write
-      issues: write
-      pull-requests: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-      - name: Download artifacts
-        uses: actions/download-artifact@v4
-        with:
-          merge-multiple: true
-      - name: Create pull request
-        id: cpr
-        uses: peter-evans/create-pull-request@v6
-        with:
-          add-paths: reviewedAddons.json
-          title: Add reviewed add-on (${{ needs.getAddonId.outputs.addonId }})
-          branch: reviewedAddon${{ github.event.issue.number }}
-          commit-message: Add reviewed add-on (${{ needs.getAddonId.outputs.addonId }})
-          body: |
-          This add-on needs to be reviewed by NV Access due to analysis failure.
-          Review ${{ inputs.issueNumber }} for more information.
-          author: github-actions <github-actions@github.com>
-          delete-branch: true
-      - name: Request to keep issue opened
-        uses: peter-evans/create-or-update-comment@v4
-        with:
-          issue-number: ${{ inputs.issueNumber }}
-          body: |
-            Please, don't close this issue.
-            Wait until #${{ steps.cpr.outputs.pull-request-number }} is merged.
   mergeToMaster:
-    needs: [getAddonId, createPullRequest, codeQL-analysis, virusTotal-analysis]
+    needs: [getAddonId, createPullRequest, codeQL-analysis]
     permissions:
       contents: write
       pull-requests: write

.github/workflows/codeql-analysis.yml

@@ -15,9 +15,10 @@ jobs:
     runs-on: windows-latest
     permissions:
       actions: read
-      contents: read
+      contents: write
       security-events: write
       issues: write
+      pull-requests: write
     strategy:
       fail-fast: false
       matrix:
@@ -68,14 +69,18 @@ jobs:
           name: results-${{ matrix.language }}
           path: results/*.sarif
           overwrite: true
-      - name: Upload manual approval
-        id: uploadManualApproval
+      - name: Create pull request
+        id: cpr
         if: failure()
-        uses: actions/upload-artifact@v4
+        uses: peter-evans/create-pull-request@v6
         with:
-          name: manualApproval
-          path: reviewedAddons.json
-          overwrite: true
+          add-paths: reviewedAddons.json
+          title: Add reviewed add-on (${{ steps.setSecurityAnalysisStatus.outputs.addonId }})
+          branch: reviewedAddon${{ github.event.issue.number }}
+          commit-message: Add reviewed add-on (${{ steps.setSecurityAnalysisStatus.outputs.addonId }})
+          body: "This add-on needs to be reviewed by NV Access due to security analysis failure"
+          author: github-actions <github-actions@github.com>
+          delete-branch: true
       - name: Warn if analysis fails
         if: failure()
         uses: peter-evans/create-or-update-comment@v4
@@ -90,6 +95,8 @@ jobs:
             Please review the warnings and consider fixing this in the add-on.
             If you can provide more context on the failure in the submission, please do.
             See the [submission guide](https://github.com/nvaccess/addon-datastore/blob/master/docs/submitters/submissionGuide.md) for more details.
+            Please, don't close this issue.
+            Wait until #${{ steps.cpr.outputs.pull-request-number }} is merged.
   analyze:
     name: Analyze add-on
     needs: analyzeExcludingWarnings

.github/workflows/sendJsonFile.yml

@@ -98,5 +98,3 @@ jobs:
       issueAuthorId: ${{ github.event.issue.user.id }}
       issueAuthorName: ${{ github.event.issue.user.login }}
       issueTitle: ${{ github.event.issue.title }}
-    secrets:
-      virusTotalApiKey: ${{ secrets.virusTotalApiKey }}

README.md

@@ -20,10 +20,6 @@ The add-on store includes the following security measures:
   - The checksum allows NVDA to ensure that add-on releases are immutable.
 - [Code scanning with CodeQL](https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql) can detect vulnerabilities in Python and JavaScript code included in submitted add-ons.
   - NV Access can manage [code scanning alerts](https://docs.github.com/en/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts), available from the Code scanning link from the [Security page](https://github.com/nvaccess/addon-datastore/security).
-- [Virus Total CLI](https://virustotal.github.io/vt-cli) is used to scan submitted add-ons.
-If malicious content is detected, the add-on will not be automatically included in the store.
-Please contact the flagged security vendors to get them to review and unflag the false positive. 
-Please email info@nvaccess.org if you need assistance with this process.
 
 
 ### Human review process / code audit