chocolatey / package-validator

Windows service to validate packages conform to package standards
Apache License 2.0

choco submission security process currently doesn't check URLs against all major browsers' Safe Browsing lists (or equivalent) #223

Open bkmdev opened 4 years ago

bkmdev commented 4 years ago

Issue: choco submission security process currently doesn't check URLs against all major browsers' Safe Browsing lists (or equivalent)

Repro:

  1. Run `choco info tartool`.
  2. Examine the Software Site | License | Source fields for tartool 1.0.0 [Approved], which list various URLs under https://tartool.codeplex.com/.
  3. Open https://tartool.codeplex.com/ in Chrome, Safari (and probably FF).

Expected: Package submissions are not in some malware flagged browser site list

Actual: If you open that in anything but IE, you will get some scary warning pages by the browser claiming that it has been flagged as a malicious site (see attached screenshots). Note, I don't know if in this case this package/domain is actually malicious, i.e., it could be a false positive, but a warning like this makes me: a. question choco's [Approved] "stamp", b. not want to use/install that package, or c. choco for that matter.

[Screenshot: OSX Chrome v77 Safe Browsing warning]

[Screenshot: OSX Safari v11.0.1 Safe Browsing warning]

Possible Solution: In addition to the VirusTotal checks that you already do (during the package submission process?), I would suggest adding automated security checks that check all package metadata fields that list URLs against the "safe browsing list" (or browser equivalent) on all major browsers, i.e., Chrome, Safari, IE (now basically Chrome, but not sure if they use Chrome's Safe Browsing list or are continuing to use their SmartScreen filter list, even for older versions).
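To make the proposed check concrete, here is an added example of what a URL-screening step for package metadata could look like. It is illustrative code written for this page, not part of package-validator or Chocolatey. It assumes the URL-bearing `.nuspec` elements Chocolatey documents (`projectUrl`, `licenseUrl`, `projectSourceUrl`, `packageSourceUrl`, `docsUrl`, `bugTrackerUrl`, `mailingListUrl`, `iconUrl`), and it shapes requests and responses after the Google Safe Browsing Lookup API v4 `threatMatches:find` method; the sample nuspec, the sample lookup response, the `.invalid` hostnames and the `API_KEY` placeholder are all constructed. The local domain blocklist function stands in for the "or equivalent" lists the issue mentions, so the pipeline can still hold a package when the online lookup is unavailable.

```python
"""Screen URL fields of a Chocolatey .nuspec against a Safe Browsing style lookup.

Added example (not package-validator code). The sample nuspec and the sample
lookup response below are constructed; no real package or domain is referenced.
"""
import json
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Chocolatey nuspec elements that are expected to carry URLs (assumption:
# taken from the documented nuspec template field names).
URL_FIELDS = ("projectUrl", "licenseUrl", "projectSourceUrl", "packageSourceUrl",
              "docsUrl", "bugTrackerUrl", "mailingListUrl", "iconUrl")

# Constructed sample package metadata.
SAMPLE_NUSPEC = """<?xml version="1.0"?>
<package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
  <metadata>
    <id>example-tool</id>
    <version>1.0.0</version>
    <projectUrl>https://example-project.invalid/</projectUrl>
    <licenseUrl>https://example-project.invalid/license</licenseUrl>
    <projectSourceUrl>https://src.example.invalid/example-tool</projectSourceUrl>
    <docsUrl>https://docs.example.invalid/</docsUrl>
    <description>Example package used to demonstrate URL screening.</description>
  </metadata>
</package>
"""

# Constructed sample of what a threatMatches:find response looks like when
# one of the submitted URLs is listed.
SAMPLE_RESPONSE = {
    "matches": [
        {"threatType": "MALWARE", "platformType": "ANY_PLATFORM",
         "threatEntryType": "URL",
         "threat": {"url": "https://src.example.invalid/example-tool"},
         "cacheDuration": "300s"}
    ]
}

SAFE_BROWSING_ENDPOINT = "https://safebrowsing.googleapis.com/v4/threatMatches:find"


def extract_urls(nuspec_xml):
    """Return {field_name: url} for every URL field present in the nuspec."""
    root = ET.fromstring(nuspec_xml)
    found = {}
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip the XML namespace prefix
        if tag in URL_FIELDS and el.text and el.text.strip():
            found[tag] = el.text.strip()
    return found


def build_lookup_request(urls, client_id="package-validator-example", client_version="0.1"):
    """Build the JSON body for a Safe Browsing Lookup API v4 threatMatches:find call."""
    return {
        "client": {"clientId": client_id, "clientVersion": client_version},
        "threatInfo": {
            "threatTypes": ["MALWARE", "SOCIAL_ENGINEERING", "UNWANTED_SOFTWARE"],
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": u} for u in urls],
        },
    }


def lookup_online(urls, api_key):
    """Perform the real lookup (network call; not exercised offline). api_key is a placeholder."""
    body = json.dumps(build_lookup_request(urls)).encode()
    req = urllib.request.Request(f"{SAFE_BROWSING_ENDPOINT}?key={api_key}", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def flagged_urls(lookup_response):
    """Map each flagged URL to the list of threat types reported for it."""
    out = {}
    for m in lookup_response.get("matches", []):
        url = m.get("threat", {}).get("url")
        if url:
            out.setdefault(url, []).append(m.get("threatType"))
    return out


def host_on_blocklist(url, blocked_domains):
    """Local fallback: true if the URL's host or any parent domain is blocklisted."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocked_domains for i in range(len(labels)))


def screen_package(nuspec_xml, lookup_response, blocked_domains=frozenset()):
    """Combine nuspec URL fields with lookup results; 'hold' on any finding, else 'pass'."""
    urls = extract_urls(nuspec_xml)
    hits = flagged_urls(lookup_response)
    findings = []
    for field, url in urls.items():
        reasons = list(hits.get(url, []))
        if host_on_blocklist(url, blocked_domains):
            reasons.append("LOCAL_BLOCKLIST")
        if reasons:
            findings.append((field, url, reasons))
    return {"fields": urls, "findings": findings, "verdict": "hold" if findings else "pass"}


if __name__ == "__main__":
    # Offline demonstration using the constructed response; a real run would
    # call lookup_online(list(extract_urls(xml).values()), "API_KEY_PLACEHOLDER").
    print(json.dumps(screen_package(SAMPLE_NUSPEC, SAMPLE_RESPONSE), indent=2))
```

A moderation pipeline would run `screen_package` after the existing VirusTotal step and route any `hold` verdict to a human reviewer rather than rejecting outright, since the issue itself notes that a listing can be a false positive.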