Description
The bats-file repository contains a package.json file even though the project is a Bats/shell-based testing helper and not an npm/JavaScript package. This creates ambiguity for security scanners and dependency analyzers.
Tools that rely on manifest files to determine the package ecosystem (software composition analysis tools, vulnerability scanners, SBOM generators) detect the package.json and classify bats-file as an npm package. It is then matched by ecosystem and name against npm advisories, and in particular against the malicious npm package bats-file (MAL-2022-1471) listed in the OSV database.
This leads to false malware/vulnerability detections in environments where Helm plugins or other tools indirectly reference this repository.
Impact
Security scanners misidentify bats-file as an npm dependency.
It is incorrectly associated with the malicious npm package of the same name.
Produces false-positive malware alerts during CI/CD and container scanning.
Downstream tools (e.g., Helm Secrets plugin) trigger alerts simply by referencing this repo.
Why This Happens
The repository includes a package.json, but:
It is not published to npm.
It is not used for JavaScript packaging.
The project itself is shell-based and relies on Bats.
The presence of package.json alone is enough for scanners to treat the repo as an npm package and apply package-based vulnerability matching. Because that matching keys on ecosystem and package name rather than on the file's contents, the advisory hit is triggered regardless of what the package.json actually contains.
Suggested Fix
One of the following could help prevent misclassification:
Remove the package.json if it is not required.
Replace it with a non-package metadata file (e.g., bats-file.json or .bats-plugin).
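To make the mechanism concrete, here is a small added example (written for this issue, not code from bats-file, OSV or any scanner) that models how a manifest-driven scanner classifies a checkout and matches it against an advisory database keyed on ecosystem and package name. The manifest-to-ecosystem table, the advisory entry and the package version are constructed sample data; only the identifier MAL-2022-1471 is taken from this issue. The same checkout is scanned twice, once with package.json and once with the proposed bats-file.json, to show that the rename alone removes the match.

```python
"""Toy model of manifest-based ecosystem classification and advisory matching.

Constructed for illustration: the scanner logic, advisory database and
sample package version are assumptions, not the behaviour of any real tool.
"""
import json
import os
import tempfile

# Manifest filename -> ecosystem. This mirrors the heuristic the issue
# describes: the mere presence of a manifest decides the ecosystem.
MANIFEST_ECOSYSTEMS = {
    "package.json": "npm",
    "go.mod": "Go",
    "Cargo.toml": "crates.io",
    "pyproject.toml": "PyPI",
}

# Constructed sample advisory database keyed on (ecosystem, package name).
SAMPLE_ADVISORIES = {
    ("npm", "bats-file"): "MAL-2022-1471",
}


def detect_packages(root):
    """Walk a checkout and return [(ecosystem, name)] for every manifest found.

    Only package.json is parsed here; other ecosystems are recognised but
    their manifests are not read, since they are not relevant to the issue.
    """
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            ecosystem = MANIFEST_ECOSYSTEMS.get(fname)
            if ecosystem is None:
                continue
            if ecosystem != "npm":
                continue
            with open(os.path.join(dirpath, fname), encoding="utf-8") as fh:
                name = json.load(fh).get("name")
            if name:
                found.append((ecosystem, name))
    return found


def match_advisories(packages, advisories=SAMPLE_ADVISORIES):
    """Return (ecosystem, name, advisory_id) for each package with a hit.

    Matching is on ecosystem and name only, which is why the manifest's
    contents never get a chance to disambiguate the shell project from the
    malicious npm package.
    """
    return [
        (ecosystem, name, advisories[(ecosystem, name)])
        for ecosystem, name in packages
        if (ecosystem, name) in advisories
    ]


def scan(root):
    """Full pipeline: classify by manifest, then match advisories."""
    return match_advisories(detect_packages(root))


def make_checkout(metadata_filename):
    """Create a throwaway 'repository' holding one metadata file.

    The version string is a placeholder, not a real bats-file release.
    """
    root = tempfile.mkdtemp(prefix="bats-file-")
    with open(os.path.join(root, metadata_filename), "w", encoding="utf-8") as fh:
        json.dump({"name": "bats-file", "version": "0.0.0"}, fh)
    return root


if __name__ == "__main__":
    print("with package.json:  ", scan(make_checkout("package.json")))
    print("with bats-file.json:", scan(make_checkout("bats-file.json")))
```

The first scan reports the MAL-2022-1471 hit purely because a file named package.json carrying the name bats-file exists; the second, with identical contents under the non-manifest name bats-file.json, reports nothing. This is the same reason a downstream consumer such as a Helm plugin inherits the alert just by vendoring or referencing the repository.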
Request
Please consider removing or renaming the package.json to avoid downstream tooling confusion and false malware detections.