diff --git a/task/clamav-scan/0.1/clamav-scan.yaml b/task/clamav-scan/0.1/clamav-scan.yaml
index bfbee93412..2e56670eff 100644
--- a/task/clamav-scan/0.1/clamav-scan.yaml
+++ b/task/clamav-scan/0.1/clamav-scan.yaml
@@ -35,11 +35,11 @@ spec:
 steps:
 - name: extract-and-scan-image
 image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072
- # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
- # the cluster will set imagePullPolicy to IfNotPresent
+ # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
+ # the cluster will set imagePullPolicy to IfNotPresent
 workingDir: /work
- # need to change user since 'oc image extract' requires more privileges when running as root
- # https://bugzilla.redhat.com/show_bug.cgi?id=1969929
+ # need to change user since 'oc image extract' requires more privileges when running as root
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1969929
 securityContext:
 runAsUser: 1000
 env:
@@ -60,7 +60,7 @@ spec:
 #!/usr/bin/env bash
 set -euo pipefail
 . /utils.sh
- trap 'handle_error' EXIT
+ trap 'handle_error $(results.TEST_OUTPUT.path)' EXIT
 imagewithouttag=$(echo $IMAGE_URL | sed "s/\(.*\):.*/\1/" | tr -d '\n')
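Review bot: The `$(results.TEST_OUTPUT.path)` in the new trap line reads like a shell command substitution, but it is presumably a Tekton variable substitution replaced before bash runs, and nothing near the line says so. A comment above it would help, e.g. `# $(results.TEST_OUTPUT.path) is substituted by Tekton, not by bash; handle_error (from /utils.sh) receives the result file path`. Because the trap is on EXIT it also fires on the normal `exit 0` paths, so it is worth confirming in /utils.sh, which is outside this diff, that handle_error records a failure only for a non-zero exit status. The script body continues outside the hunk.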
@@ -96,6 +96,23 @@ spec:
 exit 0
 fi
+ timeout=1200 # 20 minutes
+ interval=20 # interval between checks in seconds
+ elapsed=0
+
+ until [ -f /var/lib/clamav/daily.cvd ] || [ "$elapsed" -ge "$timeout" ]; do
+ if (( elapsed % 60 == 0 )) && [ $elapsed -ne 0 ]; then
+ echo "Waiting for database to be downloaded... Elapsed time: $((elapsed / 60)) minute(s)"
+ fi
+ sleep $interval
+ elapsed=$((elapsed + interval))
+ done
+
+ if [ ! -f /var/lib/clamav/daily.cvd ]; then
+ echo "Error: Timed out waiting for daily.cvd after $((elapsed / 60)) minute(s)."
+ exit 1
+ fi
+
 echo "Scanning image for arch $arch. This operation may take a while."
 clamscan $destination -ri --max-scansize=4095M --max-filesize=4095M \
 --max-scantime=0 --max-files=0 --max-recursion=1000 --max-dir-recursion=20000 --max-embeddedpe=4095M \
@@ -105,6 +122,7 @@ spec:
 --alert-encrypted=yes --alert-encrypted-archive=yes --alert-encrypted-doc=yes --alert-macros=yes \
 --alert-phishing-ssl=yes --alert-phishing-cloak=yes --alert-partition-intersection=yes \
 | tee /work/logs/clamscan-result-$arch.log || true
+ db_version=$(sigtool --info /var/lib/clamav/daily.cvd | grep 'Version')
 echo "Executed-on: Scan was executed on clamscan version - $(clamscan --version) Database $db_version" | tee -a "/work/logs/clamscan-result-$arch.log"
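Review bot: The wait loop treats the mere existence of `/var/lib/clamav/daily.cvd` as proof that the signature database is ready, so a file that is still being written or was truncated would pass the `until [ -f ... ]` test. The clamscan pipeline that follows ends in `|| true`, so a failure to load the database would likely not stop the task, and the scan could report nothing found without the signatures having been loaded. Consider requiring sigtool to read the file once the loop ends, for example `sigtool --info /var/lib/clamav/daily.cvd >/dev/null || { echo "Error: daily.cvd failed verification."; exit 1; }`; the following hunk already runs the same sigtool command, but only after the scan. Whether whatever provides the database writes it atomically is not visible here, so treat this as a check to confirm. The script body starts and ends outside the hunk.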