File 80-check-malware-scan-clamav of Package post-build-checks-malwarescan.37951

#!/bin/bash

# Paths used by this check.
# TARGET is exported for child processes; it is not referenced again in the
# visible part of this script.
# SCANSCRIPT is where the generated scanner script is written, relative to the
# build root; the same string is its absolute path once inside the chroot.
# BUILD_ROOT is not assigned here: it is expected from the calling environment
# and is only re-exported.
export TARGET="/usr/src/packages"
export SCANSCRIPT="/var/lib/clamav/.script"
export BUILD_ROOT

# Fixed misdetections:
# bsc#1172626 - lvm2 unit-test gets misdetected as Unix.Exploit.Lotoor-7768640-0
# bsc#1199055 qemu-system-tricore|qemu-system-ppc64
# bsc#1222509 python tarballs: Win.Virus.Expiro-10026576-0
#EXCLUDELIST="usr.share.lvm2-testsuite.unit.unit-test"
#EXCLUDELIST="(Python-3.*tar.xz|pip-.*-py3-none-any.whl)"
#
# Current known misdetections:
# The value is handed to clamscan --exclude further down, which treats it as a
# regular expression matched against file names (unescaped dots match any
# character). Every scanned path that matches is skipped, in any package, so
# keep the pattern as narrow as possible and drop the entry once the signature
# has been corrected.
export EXCLUDELIST="pdfium-6425.tar.bz2"

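# Generate the scanner script that is later executed inside the build root.
# The script unpacks every built RPM (payload plus scriptlets and triggers)
# below /usr/src/packages/BUILD/scan, runs clamscan over that tree and exits
# with the clamscan status, or with 42 when unpacking fails.
#
# The body is a single-quoted string, so nothing in it is expanded here;
# EXCLUDELIST is expanded when the script runs, from the exported environment.
#
# NOTE(review): this write happens outside the chroot, but the destination
# directory belongs to the build root, whose contents are produced by the
# build. Confirm the harness only runs this in a disposable build environment,
# or create the file in a way that does not follow symlinks.
#
# Refuse to continue without BUILD_ROOT: an empty value would place the script
# at $SCANSCRIPT on the host itself.
: "${BUILD_ROOT:?BUILD_ROOT must be set to the build root directory}"
echo '
#!/bin/bash

# Scratch area for the unpacked packages; stop early if it cannot be created.
mkdir -p /usr/src/packages/BUILD/scan || exit 42

# Word splitting on the find output is relied on here; RPM file names are
# assumed to contain no whitespace.
for r in $( find /.build.packages/{SRPMS,RPMS,OTHER}/ -type f -name "*.rpm" ); do
    F=$(file --brief "$r")
    case $F in
        RPM\ *) ;;
        *) echo "skipping non RPM file $r: $F" ; continue ;;
    esac
    RPM_NAME=$(env LC_ALL=C rpm --nodigest --nosignature -qp --qf "%{NAME}" "$r")
    case $RPM_NAME in
        *-debuginfo|*-debugsource)
            echo "Skipping unpack $r"
            continue
            ;;
    esac
    f=${r##*/}
    case "$f" in
        kiwi-test-dummy*) echo "skipping known broken rpm $f" ; continue ;;
    esac
    # Dump each scriptlet to its own file so that it is scanned as well.
    for script in postin posttrans postun prein pretrans verifyscript; do
        body=$(rpm -qp --qf "%{$script}" "$r")
        # The scriptlet text comes from the package: use two simple tests rather
        # than one test with -o, which can misparse operands that look like
        # operators.
        if [ -z "$body" ] || [ "$body" = "(none)" ]; then
            continue
        fi
        rpm -qp --qf "#!%{${script}prog}\\n" "$r" >"/usr/src/packages/BUILD/scan/$f.$script"
        # printf writes the text verbatim even if it starts with an echo option.
        printf "%s\\n" "$body" >>"/usr/src/packages/BUILD/scan/$f.$script"
    done
    rpm -qp --qf "[#!%{triggerscriptprog}\\n%{triggerscripts}\\n]" "$r" >"/usr/src/packages/BUILD/scan/$f.triggers"
    mkdir -p /usr/src/packages/BUILD/scan/"$f.d"
    pushd . > /dev/null
    # A failed cd would make cpio unpack into the current directory instead,
    # outside the tree that is scanned, so treat it as an unpack failure.
    if ! cd /usr/src/packages/BUILD/scan/"$f.d"; then
        echo "cannot enter unpack directory for $f"
        exit 42
    fi
    echo "unpacking $r"
    rpm2cpio "$r" | cpio --quiet -i -u -m -d > /dev/null
    if [ "$?" -gt 0 ]; then
        echo "unpacking RPM packages does not work on this host.
Is the filesystem is full?

Please have a look.
"
        exit 42
    fi
    popd > /dev/null
done

# The clamscan exit status is passed through to the caller unchanged.
echo "clamscan -ir ${EXCLUDELIST:+--exclude $EXCLUDELIST} /usr/src/packages/BUILD/scan:"
/usr/bin/clamscan -ir ${EXCLUDELIST:+--exclude "$EXCLUDELIST"}  /usr/src/packages/BUILD/scan
ret=$?
rm -rf /usr/src/packages/BUILD/scan
exit "$ret"
' > "$BUILD_ROOT/$SCANSCRIPT"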

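# Run the generated script inside the build root and keep its exit status.
# BUILD_ROOT must be set: with an empty value cd would not enter the build
# root and chroot would be applied to an unrelated directory.
: "${BUILD_ROOT:?BUILD_ROOT must be set to the build root directory}"
# A failed cd ends the subshell with status 2 rather than falling through to
# chroot; 2 is non-zero but differs from 1, which clamscan uses for detections.
( cd "$BUILD_ROOT" || exit 2; chroot . bash "$SCANSCRIPT" 2>&1 )
ret=$?
# Remove the generated helper from the build root again.
rm -f -- "$BUILD_ROOT/$SCANSCRIPT"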


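# Translate the scanner status in $ret into the result of this check.
# clamscan(1) documents 0 = no virus found, 1 = virus(es) found, 2 = error;
# the generated scan script additionally exits with 42 when unpacking an RPM
# fails. Every status other than 0 fails the check (fail closed), but only
# status 1 is reported as a detection, so that a scan that could not run is
# not mistaken for a malware finding during triage.
case "$ret" in
  0)
    echo "clamav: negative malware scan result."
    echo test passed.
    ;;
  1)
    echo "clamav: positive result about one or more files in the system.
return value: $ret"
    echo "

The test has failed. Please check the files mentioned above!

"
    exit 1
    ;;
  *)
    echo "clamav: the scan did not complete (unpack or scanner error).
return value: $ret"
    echo "

The test has failed. Please check the output above!

"
    exit 1
    ;;
esac
exit 0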