-
New Feature
-
Resolution: Unresolved
-
Major
-
None
When would we get clamav functionality in jenkins pipelines
[JENKINS-71476] jenkins pipeline for clamav
Hi Mark.
Can you provide the instructions to enable pipeline support in the ClamAV plugin?
Thank You,
John
Kalle Niemitalo
added a comment - Doesn't ClamAV have a command-line tool that you could run via the sh pipeline step (or bat on Windows), perhaps after deploying it to the agent via the Custom Tools plugin? That approach would avoid the ClamAV plugin and make the Jenkins controller more difficult to attack via any unknown ClamAV-related vulnerability.
The ClamAV plugin for Jenkins appears to display a pretty report of the scan, and the sh step cannot provide that; but I don't think such a report is necessary. If malware is found, then just write an error to the console log and fail the build. If you need to keep a report as evidence that the files were scanned, then save the report to a file and publish it as another artifact.
Kalle Niemitalo
added a comment - Doesn't ClamAV have a command-line tool that you could run via the sh pipeline step (or bat on Windows), perhaps after deploying it to the agent via the Custom Tools plugin? That approach would avoid the ClamAV plugin and make the Jenkins controller more difficult to attack via any unknown ClamAV-related vulnerability.
The ClamAV plugin for Jenkins appears to display a pretty report of the scan, and the sh step cannot provide that; but I don't think such a report is necessary. If malware is found, then just write an error to the console log and fail the build. If you need to keep a report as evidence that the files were scanned, then save the report to a file and publish it as another artifact. 
The last release of the clamav plugin was 8 years ago. If you would like to have Pipeline support in the ClamAV plugin, then you'll need to adopt the plugin and add that support yourself. Instructions are available if you're interested.