From 043e593097f0d86051237ac551d6141a00c4c96d Mon Sep 17 00:00:00 2001
From: Martin Basti
Date: Tue, 12 Nov 2024 19:55:56 +0100
Subject: [PATCH] fix(clamav): detection of daily DB Daily DB could cycle between daily.cld and daily.cvd Freshclam tries to fetch daily.cvd, but in case that it's outdated, it will fetch diffs and construct daily.cld instead. ``` Properly loaded 2067774 signatures from /var/lib/clamav/tmp.76d8729fde/clamav-306c76ad22d1f1bb9c4a6f49e1bedaf1.tmp-daily.cvd Database test passed. daily.cvd updated (version: 27455, sigs: 2067774, f-level: 90, builder: raynman) Received an older daily CVD than was advertised. We'll retry so the incremental update will ensure we're up-to-date. ``` Make sure both files are checked.
Signed-off-by: Martin Basti
---
 task/clamav-scan/0.1/clamav-scan.yaml | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/task/clamav-scan/0.1/clamav-scan.yaml b/task/clamav-scan/0.1/clamav-scan.yaml
index e234f6fb55..823775f11e 100644
--- a/task/clamav-scan/0.1/clamav-scan.yaml
+++ b/task/clamav-scan/0.1/clamav-scan.yaml
@@ -100,7 +100,7 @@ spec:
 interval=20 # interval between checks in seconds
 elapsed=0
- until [ -f /var/lib/clamav/daily.cld ] || [ "$elapsed" -ge "$timeout" ]; do
+ until [ -f /var/lib/clamav/ready.txt ] || [ "$elapsed" -ge "$timeout" ]; do
 if (( elapsed % 60 == 0 )) && [ $elapsed -ne 0 ]; then
 echo "Waiting for database to be downloaded... Elapsed time: $((elapsed / 60)) minute(s)"
 fi
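Review bot: The new wait condition on `/var/lib/clamav/ready.txt` relies on a marker that a different step creates under another path (`/tmp/clamdb/ready.txt` in the last hunk), and nothing at the loop documents that contract. A comment above the `until` line would make it visible, for example `# ready.txt is written by the database-copy step after the copy; presumably the same volume mounted at /tmp/clamdb there`. The loop body continues outside this hunk, so the `sleep` and the closing `done` are not covered by this remark.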
@@ -108,11 +108,26 @@ spec: elapsed=$((elapsed + interval)) done - if [ ! -f /var/lib/clamav/daily.cld ]; then - echo "Error: Timed out waiting for daily.cld after $((elapsed / 60)) minute(s)." + if [ ! -f /var/lib/clamav/ready.txt ] ; then + echo "Error: Timed out waiting for database download after $((elapsed / 60)) minute(s)." exit 1 fi + DAILY_DB_FILE="" + for DB_PATH in "/var/lib/clamav/daily.cvd" "/var/lib/clamav/daily.cld"; do + if [ -f "${DB_PATH}" ]; then + DAILY_DB_FILE="${DB_PATH}" + break + fi + done + if [ -z "${DAILY_DB_FILE}" ]; then + echo "Daily DB file not found!" + exit 1 + fi + + db_version=$(sigtool --info "${DAILY_DB_FILE}" | grep 'Version') + + echo "Scanning image for arch $arch. This operation may take a while." clamscan $destination -ri --max-scansize=4095M --max-filesize=4095M \ --max-scantime=0 --max-files=0 --max-recursion=1000 --max-dir-recursion=20000 --max-embeddedpe=4095M \ @@ -123,7 +138,6 @@ spec: --alert-phishing-ssl=yes --alert-phishing-cloak=yes --alert-partition-intersection=yes \ | tee /work/logs/clamscan-result-$arch.log || true - db_version=$(sigtool --info /var/lib/clamav/daily.cld | grep 'Version') echo "Executed-on: Scan was executed on clamscan version - $(clamscan --version) Database $db_version" | tee -a "/work/logs/clamscan-result-$arch.log" digests_processed+=("\"$arch_sha\"") @@ -231,6 +245,8 @@ spec: #!/usr/bin/env bash clamscan --version cp -r /var/lib/clamav/* /tmp/clamdb + echo "DB files copied" + touch /tmp/clamdb/ready.txt volumeMounts: - mountPath: /tmp/clamdb name: dbfolder
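Review bot: `db_version` is assigned from `sigtool --info "${DAILY_DB_FILE}" | grep 'Version'` without checking the result, so if sigtool fails or prints no matching line, the later `Executed-on` record is written with an empty database version. That line is the only record on this page of which signatures the scan used, so the step should stop instead: `db_version=$(sigtool --info "${DAILY_DB_FILE}" | grep 'Version') || { echo "Cannot read version of ${DAILY_DB_FILE}" >&2; exit 1; }`. The `for` loop also stops at `daily.cvd` whenever it exists; if an older `daily.cvd` can sit next to a newer `daily.cld` (the commit message hints at this, but it is not shown here), the logged version may not be the one clamscan loaded, which is worth confirming.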
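Review bot: `touch /tmp/clamdb/ready.txt` runs whether or not the preceding `cp -r /var/lib/clamav/* /tmp/clamdb` succeeded, and no `set -e` is visible between the shebang and these lines. A failed or partial copy would still print "DB files copied" and release the waiting scan step, which would then run against an incomplete signature set and could report an image as clean. Tie the marker to the copy, `cp -r /var/lib/clamav/* /tmp/clamdb && echo "DB files copied" && touch /tmp/clamdb/ready.txt`, or add `set -euo pipefail` directly after the shebang so a failed copy ends the step before the marker is created.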