From 3e5c68f6297100aec2710919aba52c1a06c76070 Mon Sep 17 00:00:00 2001
From: Michal Srb
Date: Fri, 26 Jan 2024 17:40:09 +0100
Subject: [PATCH 1/2] Make ClamAV virus database updates more robust
See: OSCI-6251
freshclam will try to download incremental patches, but if one or more patches are missing, it will update the database only partially. If we then try to run freshclam again, it will try to download the whole daily.cvd file. If even the second run fails, we will continue with the older version of the database.
Signed-off-by: Michal Srb
---
 rpminspect_runner.sh | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/rpminspect_runner.sh b/rpminspect_runner.sh
index 8b7587a..ac86744 100755
--- a/rpminspect_runner.sh
+++ b/rpminspect_runner.sh
@@ -164,6 +164,11 @@ update_clamav_database() {
 fi
 freshclam --config-file="$config_file" > freshclam.log 2>&1 || :
+ # freshclam returns 0 even if the update download fails
+ # https://github.com/Cisco-Talos/clamav/issues/965
+ # Let's check the log for the complaint about the outdated database
+ # and return non-zero if we find it there
+ ! grep -q 'virus database is older' freshclam.log
 }
@@ -211,7 +216,12 @@ commit_ref=$(echo "${repo_ref}" | awk -F'#' '{ print $2 }' | awk -F'?' '{ print
 fetch-my-conf.py "${repo_url}" "${CONFIG_BRANCHES}" "${commit_ref}" || :
-update_clamav_database
+if ! update_clamav_database; then
+ # Oops, incremental update of the ClamAV virus database has failed.
+ # Let's try again. freshclam should attempt to download the whole
+ # daily.cvd this time, instead of just incremental patches.
+ update_clamav_database || :
+fi
 # Update annobin # FIXME: we don't want to touch packages when the base image is Rawhide...
@@ -284,6 +294,7 @@ if [ -n "$TMT_TEST_DATA" ]; then
 - viewer.html
 - verbose.log
 - result.json
+ - freshclam.log
 EOF
 # if dist-git uses a custom rpminspect config, add that as an artifact as well
 for ext in ${exts} ; do
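Review bot: The new return value of update_clamav_database fails open: `! grep -q 'virus database is older' freshclam.log` reports success whenever that one sentence is absent, which also covers freshclam not starting at all, a differently worded error, or grep itself failing because the log could not be written (its exit status 2 is inverted to 0). Since `|| :` discards freshclam's own status, I would keep that status and require both signals, e.g. `rc=0; freshclam --config-file="$config_file" > freshclam.log 2>&1 || rc=$?` followed by `[ "$rc" -eq 0 ] && ! grep -q 'virus database is older' freshclam.log`. The same check is carried over unchanged in PATCH 2/2, only with "$freshclam_log" as the file name. The function body starts above this hunk.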
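Review bot: When the retry fails as well, `update_clamav_database || :` lets the run continue without a trace in the runner's own output, so a virus inspection done with stale signatures looks the same as one done with a current database. A one-line warning would make that visible to whoever reads the result: `update_clamav_database || echo "WARNING: ClamAV database could not be updated, scanning with an older version" >&2`. A short comment that continuing is deliberate would also help, because only the commit message says so.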
From 2e6baa904e1f3e5eb45fe5f733e0cf592ae723a4 Mon Sep 17 00:00:00 2001
From: Michal Srb
Date: Fri, 26 Jan 2024 17:53:31 +0100
Subject: [PATCH 2/2] Export freshclam.log as a tmt artifact
Signed-off-by: Michal Srb
---
 rpminspect_runner.sh | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/rpminspect_runner.sh b/rpminspect_runner.sh
index ac86744..49afadd 100755
--- a/rpminspect_runner.sh
+++ b/rpminspect_runner.sh
@@ -155,6 +155,8 @@ get_before_module_build() {
 }
+freshclam_log=${TMT_TEST_DATA:-.}/freshclam.log
 update_clamav_database() { # Update the virus dababase
 config_file="freshclam.conf"
@@ -163,12 +165,12 @@ update_clamav_database() {
 sed -i "s|^DatabaseMirror .*|DatabaseMirror $CLAMAV_DATABASE_MIRROR_URL|" "$config_file"
 fi
- freshclam --config-file="$config_file" > freshclam.log 2>&1 || :
+ freshclam --config-file="$config_file" > "$freshclam_log" 2>&1 || :
 # freshclam returns 0 even if the update download fails
 # https://github.com/Cisco-Talos/clamav/issues/965
 # Let's check the log for the complaint about the outdated database
 # and return non-zero if we find it there
- ! grep -q 'virus database is older' freshclam.log
+ ! grep -q 'virus database is older' "$freshclam_log"
 }
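Review bot: `> "$freshclam_log"` truncates the log on every call, and PATCH 1/2 may call update_clamav_database twice, so the exported artifact will hold only the retry. The output of the failed incremental update, which explains why the retry happened, is lost. Keeping the first attempt would help whoever has to diagnose a mirror problem, for example by having the caller rename the log before retrying: `mv -- "$freshclam_log" "${freshclam_log%.log}-attempt1.log"`. Whether that extra file is picked up as an artifact depends on the results listing, which is outside this hunk. The body of update_clamav_database starts above the hunk.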