#!/bin/bash
# Post-build check: scan every built RPM (payload and scriptlets) with clamav.
# The settings below are exported because the generated scan script, written
# to $BUILD_ROOT/$SCANSCRIPT and executed via chroot, reads them from its
# environment. BUILD_ROOT is expected to arrive from the caller's environment
# (presumably the build service); it is only re-exported here.
export TARGET=/usr/src/packages            # not read by the generated script
export SCANSCRIPT=/var/lib/clamav/.script  # path of the scan script inside the build root
export BUILD_ROOT
# Current known misdetections (passed to clamscan --exclude; empty = none):
export EXCLUDELIST=""
# Fixed misdetections:
# bsc#1172626 - lvm2 unit-test gets misdetected as Unix.Exploit.Lotoor-7768640-0
#EXCLUDELIST="usr.share.lvm2-testsuite.unit.unit-test"
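# Write the scan script that runs inside the build root. A quoted here-doc
# keeps the content literal (no expansion here; $EXCLUDELIST is resolved by
# the inner bash from the exported environment), exactly like the previous
# single-quoted echo, but without forbidding single quotes in the script.
cat > "$BUILD_ROOT/$SCANSCRIPT" <<'EOF'
#!/bin/bash
# Unpack every built RPM, dump its scriptlets next to the payload and hand the
# whole tree to clamscan. Exit status: clamscan's (0 clean, 1 infected,
# 2+ error) or 42 when unpacking fails.
SCANDIR=/usr/src/packages/BUILD/scan
mkdir -p "$SCANDIR"
# NUL-delimited find + process substitution: file names with whitespace stay
# intact, and "exit" inside the loop terminates the whole script (a pipe into
# "while" would only leave the subshell).
while IFS= read -r -d '' r; do
  F=$(file --brief "$r")
  case "$F" in
    RPM\ *) ;;
    *) echo "skipping non RPM file $r: $F"; continue ;;
  esac
  f=${r##*/}
  case "$f" in
    kiwi-test-dummy*) echo "skipping known broken rpm $f"; continue ;;
  esac
  # Each scriptlet becomes its own file, prefixed with a shebang naming its
  # interpreter, so the scanner sees it as a script.
  for script in postin posttrans postun prein pretrans verifyscript; do
    body=$(rpm -qp --qf "%{$script}" "$r")
    if [ "$body" = "(none)" ] || [ -z "$body" ]; then
      continue
    fi
    rpm -qp --qf "#!%{${script}prog}\\n" "$r" >"$SCANDIR/$f.$script"
    echo "$body" >>"$SCANDIR/$f.$script"
  done
  rpm -qp --qf "[#!%{triggerscriptprog}\\n%{triggerscripts}\\n]" "$r" >"$SCANDIR/$f.triggers"
  mkdir -p "$SCANDIR/$f.d"
  echo "unpacking $r"
  # Subshell instead of pushd/popd: a failed cd must not let cpio extract into
  # the current directory. pipefail also catches a failing rpm2cpio, which the
  # old "$?" check after the pipeline ignored. --no-absolute-filenames strips
  # leading slashes so payload entries are created below the per-package
  # directory rather than at absolute paths.
  if ! ( cd "$SCANDIR/$f.d" || exit 1
         set -o pipefail
         rpm2cpio "$r" | cpio --quiet --extract --unconditional --no-absolute-filenames --preserve-modification-time --make-directories > /dev/null ); then
    echo "unpacking RPM packages does not work on this host.
Is the filesystem is full?
Please have a look.
"
    exit 42
  fi
done < <(find /.build.packages/{RPMS,SRPMS,OTHER}/ -type f -name "*.rpm" -print0)
# Build the clamscan command line as an array so every argument is passed
# verbatim.
args=()
# Use all online CPUs when this clamscan understands -j (probed via --help).
if clamscan -j2 --help >/dev/null 2>&1; then
  nproc=$(getconf _NPROCESSORS_ONLN)
  if [ -n "$nproc" ]; then
    args+=("-j$nproc")
  fi
fi
args+=(-ir)
# Pass --exclude only when there is something to exclude. The previous form,
# --exclude "$EXCLUDELIST ", handed clamscan a lone-space regex whenever the
# list was empty, which silently excluded every path containing a space from
# the scan (and appended a space to any real pattern).
if [ -n "$EXCLUDELIST" ]; then
  args+=(--exclude "$EXCLUDELIST")
fi
echo "clamscan ${args[*]} $SCANDIR:"
/usr/bin/clamscan "${args[@]}" "$SCANDIR"
ret=$?
rm -rf -- "${SCANDIR:?}"
exit $ret
EOF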
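# Run the generated script inside the build root. "&&" instead of ";" so a
# failed cd cannot make "chroot ." operate on whatever the current directory
# happens to be. The status is clamscan's (0 clean, 1 infected, 2+ error)
# or 42 from the unpack step in the generated script.
( cd "$BUILD_ROOT" && chroot . bash "$SCANSCRIPT" 2>&1 )
ret=$?
rm -f -- "$BUILD_ROOT/$SCANSCRIPT"
if [ "$ret" -eq 1 ]; then
  echo "clamav: positive result about one or more files in the system.
return value: $ret"
  echo "
The test has failed. Please check the files mentioned above!
"
  exit 1
elif [ "$ret" -ne 0 ]; then
  # Not a detection: the scanner or the unpack step did not complete, so no
  # verdict exists. Still fail the check rather than pass an unscanned build.
  echo "clamav: scan did not complete (return value: $ret)."
  echo "
The test has failed. Please check the output above!
"
  exit 1
else
  echo "clamav: negative malware scan result."
  echo test passed.
fi
exit 0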