[CI] issue: 4705805 Add antivirus scan to release job #1142
base: master
Greptile Overview
Greptile Summary
This PR integrates automated antivirus scanning into the LibVMA release pipeline by adding a new antivirus.sh helper script, mounting external scanning infrastructure paths, and introducing a configurable do_antivirus parameter. The change follows the existing .ci directory pattern where helper scripts (similar to do_release.sh, blackduck_source.sh) validate release artifacts by invoking external tooling and capturing results as Jenkins artifacts. The scanning step runs conditionally after package creation, examining both the source RPM and tarball produced by the release workflow. The implementation extends the security validation workflow that already includes Black Duck source scanning, providing an additional layer of security verification before release artifacts are published to the NFS release folder mounted at /auto/mswg/release/vma.
Important Files Changed
| Filename | Score | Overview |
|---|---|---|
| .ci/pipeline/release_jjb.yaml | 5/5 | Adds do_antivirus boolean parameter (default: true) to make antivirus scanning configurable |
| .ci/pipeline/release_matrix_job.yaml | 4/5 | Adds volume mounts for antivirus dependencies and new conditional pipeline step for scanning |
| .ci/antivirus.sh | 1/5 | New script invoking external antivirus tool - contains critical inverted exit-status logic bug |
Confidence score: 1/5
- This PR has critical logic errors that will cause the release pipeline to behave incorrectly
- Score reflects a serious bug in `.ci/antivirus.sh` where exit status logic is inverted (lines 47-56): the script exits with status 1 (failure) when NO infections are found and status 0 (success) when infections ARE found. Additionally, the error handling at lines 21-23 prints a message but does not exit when the version is missing, and lines 35-36 use `ls` without error checking, which could fail silently if files are missing. The tarball check at lines 53-54 also lacks an else branch, meaning a failed tarball scan would not override a previous success status.
- `.ci/antivirus.sh` requires immediate attention: the exit status logic must be fixed before merge, error handling must be added for missing files, and the script needs proper validation of all required parameters
Sequence Diagram
sequenceDiagram
participant User
participant Jenkins
participant Git
participant Docker
participant BuildScript as "do_release.sh"
participant AntivirusScript as "antivirus.sh"
participant AntivirusHelper as "antivirus-scan.sh"
participant ReleaseFolder as "Release Folder"
participant MailServer as "Mail Server"
User->>Jenkins: Trigger release job with parameters
Note over User,Jenkins: release_tag, sha1, revision,<br/>release_folder, do_release, do_antivirus
Jenkins->>Jenkins: Update displayName with release_tag
Jenkins->>Git: Checkout commit (sha1/tag)
Git-->>Jenkins: Source code
Jenkins->>Docker: Launch privileged RHEL 8.6 container
Docker-->>Jenkins: Container ready
Jenkins->>BuildScript: Execute .ci/do_release.sh
BuildScript->>BuildScript: Build source RPM and tarball
BuildScript->>ReleaseFolder: Copy packages to release_folder/version/
ReleaseFolder-->>BuildScript: Success
BuildScript-->>Jenkins: Build artifacts ready
Jenkins->>Jenkins: Archive pkg/build_pkg.log and RPMs
alt do_antivirus is true
Jenkins->>AntivirusScript: Execute .ci/antivirus.sh
AntivirusScript->>ReleaseFolder: List libvma-*.src.rpm and libvma-*.tar.gz
ReleaseFolder-->>AntivirusScript: Package names
AntivirusScript->>AntivirusHelper: Scan RPM via sudo as swx-jenkins
AntivirusHelper-->>AntivirusScript: Scan results
AntivirusScript->>AntivirusScript: Log to ${pkg_name}_antivirus.log
AntivirusScript->>AntivirusHelper: Scan tarball via sudo as swx-jenkins
AntivirusHelper-->>AntivirusScript: Scan results
AntivirusScript->>AntivirusScript: Log to ${tarball_name}_antivirus.log
AntivirusScript->>AntivirusScript: Check logs for "Possibly Infected:............. 0"
AntivirusScript-->>Jenkins: Exit status (0=clean, 1=infected)
Jenkins->>Jenkins: Archive logs/
end
Jenkins->>MailServer: Send notification email
Note over Jenkins,MailServer: To: notification_email<br/>Subject: Release build ended<br/>Body: Tag, Build URL, Status
MailServer-->>User: Email notification
3 files reviewed, 5 comments
9c1cc03 to 5b3d0c5
Greptile Overview
Greptile Summary
This PR integrates antivirus scanning into the libvma release pipeline by adding a new .ci/antivirus.sh script and corresponding pipeline infrastructure. The change introduces a new boolean do_antivirus parameter in release_jjb.yaml (default: true) that gates execution of the antivirus step in release_matrix_job.yaml. The pipeline mounts two external paths (/auto/BACKUP/logs_of_LOGS and /auto/GLIT/SCRIPTS/HELPERS) required by the antivirus infrastructure, then invokes antivirus.sh with the release folder path to scan both RPM and tarball artifacts. This follows the established pattern of other CI helper scripts like blackduck_source.sh and do_release.sh, where external security/quality checks are conditionally executed during the release process and their logs are archived as Jenkins artifacts.
Important Files Changed
| Filename | Score | Overview |
|---|---|---|
| .ci/pipeline/release_jjb.yaml | 5/5 | Adds do_antivirus boolean parameter (default: true) to control antivirus scanning in release job |
| .ci/pipeline/release_matrix_job.yaml | 3/5 | Adds volume mounts for antivirus infrastructure and new conditional "Antivirus" step that invokes antivirus.sh with release folder path |
| .ci/antivirus.sh | 2/5 | New script that scans RPM and tarball artifacts for malware; contains multiple critical logic errors in validation, error handling, and status reporting |
Confidence score: 2/5
- This PR contains critical logic errors in the antivirus.sh script that will cause it to malfunction in production, potentially masking scan failures or exiting prematurely.
- Score reflects that while the pipeline integration is sound, the core scanning script has five unresolved critical issues: (1) premature exit on first scan failure due to `set -e` preventing tarball scan, (2) missing else branch causing successful RPM scan status to mask tarball failures, (3) missing exit after version validation error allowing execution to continue with undefined variables, (4) silent `cd` failure risk, and (5) `ls` commands lacking error handling for zero/multiple matches.
- The `.ci/antivirus.sh` script requires immediate attention to fix status reporting logic (lines 47-55), add proper exit on validation failure (line 23), handle `cd` errors (line 34), and implement proper error handling for `ls` commands (lines 35-36).
Sequence Diagram
sequenceDiagram
participant User
participant Jenkins
participant ReleaseScript as "do_release.sh"
participant AntivirusScript as "antivirus.sh"
participant FileSystem as "Release Folder"
participant AntivirusScanner as "GLIT Antivirus Scanner"
participant Email as "Email System"
User->>Jenkins: "Trigger release build with release_tag"
Jenkins->>Jenkins: "Set displayName to include release_tag"
Jenkins->>ReleaseScript: "Execute .ci/do_release.sh"
ReleaseScript->>FileSystem: "Build and copy RPM packages and tarballs"
ReleaseScript->>Jenkins: "Archive build_pkg.log and packages"
alt do_antivirus is enabled
Jenkins->>AntivirusScript: "Execute .ci/antivirus.sh with release_folder"
AntivirusScript->>FileSystem: "Navigate to release_folder/release_version"
AntivirusScript->>FileSystem: "Identify libvma-*.src.rpm and libvma-*.tar.gz"
AntivirusScript->>AntivirusScanner: "Scan RPM_SRC_PATH"
AntivirusScanner-->>AntivirusScript: "Return scan results to RPM_LOG"
AntivirusScript->>AntivirusScanner: "Scan TARBALL_SRC_PATH"
AntivirusScanner-->>AntivirusScript: "Return scan results to TARBALL_LOG"
AntivirusScript->>AntivirusScript: "Check 'Possibly Infected: 0' in both logs"
alt No infections found
AntivirusScript->>Jenkins: "Exit with status 0"
else Infections found
AntivirusScript->>Jenkins: "Exit with status 1"
end
Jenkins->>Jenkins: "Archive logs/ directory"
end
Jenkins->>Email: "Send notification to notification_email with build status"
Email-->>User: "Deliver release completion email"
3 files reviewed, 3 comments
8973433 to ddafe53
Greptile Overview
Greptile Summary
This PR adds antivirus scanning to the LibVMA release pipeline by introducing a new conditional step that scans RPM and tarball artifacts before distribution. A new .ci/antivirus.sh script is added that invokes an external NVIDIA antivirus scanning tool, mounts required infrastructure directories, and archives scan logs. The release_jjb.yaml parameter definition is extended with a do_antivirus boolean (default: true) to allow toggling the scan, and release_matrix_job.yaml integrates the scan step into the existing release workflow. This change fits into the broader .ci/ infrastructure that already handles Black Duck security scans, Docker image builds, and release packaging—extending the security validation layer to include malware detection before artifacts are published to the NFS release folder.
Important Files Changed
| Filename | Score | Overview |
|---|---|---|
| .ci/pipeline/release_jjb.yaml | 5/5 | Added do_antivirus boolean parameter with default `true` to enable conditional antivirus scanning |
| .ci/pipeline/release_matrix_job.yaml | 4/5 | Mounted two host paths for antivirus infrastructure and added conditional antivirus step that archives logs |
| .ci/antivirus.sh | 1/5 | New script to scan RPM and tarball artifacts, but contains critical error-handling bugs in shebang and status logic |
Confidence score: 1/5
- This PR introduces critical bugs that will cause immediate failures in production and prevent proper error reporting during antivirus scans
- Score reflects multiple blocking issues in `.ci/antivirus.sh`: the shebang's `-e` flag makes status-checking logic unreachable on scan failures, the status variable logic can mask tarball failures when RPM succeeds, and previously identified issues (missing exit after release_version error, silent cd failure, ls command failures, logs directory mismatch) remain unresolved
- Pay extremely close attention to `.ci/antivirus.sh`: the script will not function correctly in its current form and requires immediate fixes before merge
Sequence Diagram
sequenceDiagram
participant User
participant "Jenkins Pipeline" as Jenkins
participant "Release Script" as Release
participant "File System" as FS
participant "Antivirus Scanner" as AV
participant "Email Service" as Email
User->>Jenkins: "Trigger release job with release_tag"
Jenkins->>Jenkins: "Set displayName to LibVMA-${release_tag}"
Jenkins->>Release: "Run .ci/do_release.sh"
Release->>FS: "Build and publish RPM and tarball to ${release_folder}/${release_version}/"
Release->>Jenkins: "Archive build logs and packages"
alt do_antivirus is enabled
Jenkins->>FS: "Read libvma-*.src.rpm and libvma-*.tar.gz from ${release_folder}/${release_version}/"
Jenkins->>AV: "Run antivirus-scan.sh on RPM package"
AV->>FS: "Write scan results to ${pkg_name}_antivirus.log"
Jenkins->>AV: "Run antivirus-scan.sh on tarball"
AV->>FS: "Write scan results to ${tarball_name}_antivirus.log"
Jenkins->>FS: "Check logs for 'Possibly Infected:............. 0'"
alt Infection detected
FS-->>Jenkins: "Exit with status 1"
else No infection
FS-->>Jenkins: "Exit with status 0"
end
Jenkins->>Jenkins: "Archive antivirus logs"
end
alt notification_email is not empty
Jenkins->>Email: "Send release summary with tag, build url, and status"
Email->>User: "Deliver email notification"
end
Jenkins->>User: "Release job complete"
3 files reviewed, 1 comment
ddafe53 to 779315d
Greptile Overview
Greptile Summary
This PR introduces an antivirus scanning capability to the release pipeline by adding a new bash script (.ci/antivirus.sh) and integrating it as a conditional step in the release matrix job. The script scans generated RPM and tarball packages using an external antivirus tool before artifacts are published to the release NFS share. The feature is controlled by a new do_antivirus boolean parameter (defaulting to true) in the Jenkins job definition, following the existing pattern of optional CI steps like Black Duck scanning. The script locates the release directory based on the version tag, runs the antivirus scanner (mounted from host paths /auto/GLIT/SCRIPTS/HELPERS), parses scan logs for infection counts, and exits with non-zero status if infections are detected. This integrates with the existing .ci/ Jenkins Job Builder (JJB) infrastructure that orchestrates the libvma build, test, and release workflow.
Important Files Changed
| Filename | Score | Overview |
|---|---|---|
| .ci/antivirus.sh | 2/5 | New bash script that scans release RPM and tarball packages using external antivirus tool; has multiple logic issues including missing exit on error, silent failures if files don't exist, and incorrect exit status handling when tarball scan fails. |
| .ci/pipeline/release_jjb.yaml | 4/5 | Adds do_antivirus boolean parameter to gate the antivirus scan step; straightforward addition mirroring existing parameter pattern with only a minor typo in description. |
| .ci/pipeline/release_matrix_job.yaml | 3/5 | Integrates antivirus step into release pipeline with host-path volume mounts for scanner binaries and logs; potential issues with undefined release_folder variable, missing timeout, and external infrastructure dependencies. |
Confidence score: 2/5
- This PR introduces several critical logic flaws and missing error handling that could cause silent failures or incorrect exit codes in production release pipelines.
- Score lowered due to: (1) antivirus.sh script continues execution when `release_version` is unset (line 26), (2) incorrect exit status when tarball scan fails but RPM succeeds (lines 48–52), (3) no validation that `${release_folder}` is populated before passing to the script, (4) missing timeout on potentially long-running antivirus scan, (5) ls glob patterns will break with multiple matching files (lines 37, 42), (6) external host-path dependencies may not exist in all Kubernetes environments (lines 27–29 of release_matrix_job.yaml).
- Pay special attention to `.ci/antivirus.sh` lines 26 (missing exit after error message), 37 and 42 (unquoted and unvalidated ls globs), and 48–52 (missing else branch for tarball scan failure); also verify that `release_folder` is correctly set in release_matrix_job.yaml line 54.
Sequence Diagram
sequenceDiagram
participant User
participant Jenkins
participant ReleaseJob as "Release Job"
participant DoReleaseScript as "do_release.sh"
participant ReleaseFolder as "Release Folder"
participant AntivirusScript as "antivirus.sh"
participant AntivirusScan as "antivirus-scan.sh"
participant Email as "Email Service"
User->>Jenkins: "Trigger LibVMA-release with release_tag"
Jenkins->>ReleaseJob: "Start pipeline with parameters"
ReleaseJob->>ReleaseJob: "Set display name with release_tag"
ReleaseJob->>DoReleaseScript: "Execute .ci/do_release.sh"
DoReleaseScript->>ReleaseFolder: "Build and copy RPM/tarball packages"
ReleaseFolder-->>DoReleaseScript: "Packages created"
DoReleaseScript-->>ReleaseJob: "Release step complete"
ReleaseJob->>ReleaseJob: "Archive build logs and packages"
alt do_antivirus enabled
ReleaseJob->>AntivirusScript: "Execute antivirus.sh with release_folder"
AntivirusScript->>ReleaseFolder: "List libvma-*.src.rpm and libvma-*.tar.gz"
ReleaseFolder-->>AntivirusScript: "Package names returned"
AntivirusScript->>AntivirusScan: "sudo scan RPM_SRC_PATH"
AntivirusScan-->>AntivirusScript: "RPM scan results logged"
AntivirusScript->>AntivirusScan: "sudo scan TARBALL_SRC_PATH"
AntivirusScan-->>AntivirusScript: "Tarball scan results logged"
AntivirusScript->>AntivirusScript: "Check for 'Possibly Infected: 0' in logs"
alt No infections found
AntivirusScript-->>ReleaseJob: "Exit status 0"
else Infections detected
AntivirusScript-->>ReleaseJob: "Exit status 1"
end
ReleaseJob->>ReleaseJob: "Archive antivirus logs"
end
alt notification_email not empty
ReleaseJob->>Email: "Send release summary email"
Email-->>User: "Email with build status and URL"
end
ReleaseJob-->>Jenkins: "Pipeline complete"
Jenkins-->>User: "Release job finished"
3 files reviewed, 1 comment
779315d to 285386b
Greptile Overview
Greptile Summary
This PR adds an antivirus scanning step to the libvma release pipeline by introducing a new .ci/antivirus.sh script and integrating it into the release matrix job. The scan verifies that RPM and tarball artifacts are free of malware before distribution, using NVIDIA's internal av_scan.sh tool. The feature is controlled by a new do_antivirus parameter (default: true) in the JJB job definition, allowing operators to disable scanning during debugging. Two NFS mount points (/auto/BACKUP/logs_of_LOGS, /auto/GLIT/SCRIPTS/HELPERS) are added to the Kubernetes pod to provide access to the antivirus tooling and log storage. The script validates release artifacts by pattern-matching scan logs for zero infections and exits non-zero if any threats are detected. This change follows the existing pattern of CI helper scripts (e.g., do_release.sh, blackduck_source.sh) that orchestrate external tooling from parameterized Jenkins jobs.
PR Description Notes:
- The "Why?" and "How?" subsections are left blank in the PR description but should explain the security compliance rationale and implementation approach.
Important Files Changed
| Filename | Score | Overview |
|---|---|---|
| .ci/pipeline/release_jjb.yaml | 5/5 | Adds do_antivirus boolean parameter (default: true) to conditionally enable antivirus scanning; fixes typo 'packges' → 'packages'. |
| .ci/pipeline/release_matrix_job.yaml | 3/5 | Adds Antivirus pipeline step that mounts two NFS paths, invokes antivirus.sh, and archives logs; relies on unvalidated parameters. |
| .ci/antivirus.sh | 2/5 | New Bash script that scans RPM and tarball artifacts using internal av_scan.sh; contains error-handling gaps and environment-specific dependencies. |
Confidence score: 3/5
- This PR is moderately safe to merge but requires careful review of the antivirus script's error handling before production use.
- Score lowered due to: (1) `.ci/antivirus.sh` lacks validation for required parameters `$1` (release_folder) and `$2` (release_tag) before use, risking incorrect directory scans or silent failures; (2) hardcoded NFS mount paths in `release_matrix_job.yaml` are NVIDIA-specific and will break in any external CI environment; (3) script continues execution when `release_version` is unset (line 35) instead of exiting, leading to downstream failures; (4) tarball scan failure on line 75 doesn't update `status`, causing false-positive exit code 0 if RPM scan succeeded; (5) `mkdir -p logs` (line 32) creates directory relative to `pwd` but logs are written to `$WORKSPACE/logs/`, causing potential path mismatch.
- Pay close attention to `.ci/antivirus.sh` (critical: parameter validation at lines 24–35, tarball status update at lines 71–76, directory creation at line 32) and the NFS mount assumptions in `.ci/pipeline/release_matrix_job.yaml` (lines 27–29) which will require modification for non-NVIDIA deployments.
Sequence Diagram
sequenceDiagram
participant User
participant "Jenkins Pipeline" as Jenkins
participant "Release Script" as ReleaseScript
participant "Antivirus Script" as AntivirusScript
participant "File System" as FS
participant "External Antivirus" as ExternalAV
participant "Email Service" as Email
User->>Jenkins: Trigger release build with release_tag
Jenkins->>Jenkins: Set displayName to "-${release_tag}"
Jenkins->>Jenkins: Send start email notification
Note over Jenkins: Step 1: Release
Jenkins->>ReleaseScript: Execute .ci/do_release.sh
ReleaseScript->>FS: Build and create packages
FS-->>ReleaseScript: Package files created
ReleaseScript-->>Jenkins: Archive build_pkg.log and RPM files
Note over Jenkins: Step 2: Antivirus (if enabled)
alt do_antivirus is true
Jenkins->>AntivirusScript: Execute .ci/antivirus.sh with ${release_folder} and ${release_tag}
AntivirusScript->>FS: Navigate to release folder
AntivirusScript->>FS: List libvma-*.src.rpm
FS-->>AntivirusScript: RPM package name
AntivirusScript->>FS: List libvma-*.tar.gz
FS-->>AntivirusScript: Tarball name
AntivirusScript->>ExternalAV: Scan RPM package (antivirus-scan.sh)
ExternalAV-->>AntivirusScript: Scan results logged to RPM_LOG
AntivirusScript->>ExternalAV: Scan tarball (antivirus-scan.sh)
ExternalAV-->>AntivirusScript: Scan results logged to TARBALL_LOG
AntivirusScript->>AntivirusScript: Check for "Possibly Infected:............. 0" in logs
alt No infections found
AntivirusScript-->>Jenkins: Exit with status 0
else Infections detected
AntivirusScript-->>Jenkins: Exit with status 1
end
Jenkins->>Jenkins: Archive logs/ directory
end
Note over Jenkins: Pipeline Stop
Jenkins->>Email: Send release completion notification to ${notification_email}
Email-->>User: Email with release status and build URL
3 files reviewed, 2 comments
285386b to 5dd9518
Greptile Overview
Greptile Summary
This PR integrates an antivirus scanning step into the libvma release pipeline. A new antivirus.sh script is added to .ci/ that scans both source RPM and tarball artifacts using an internal tool before they are published. The release_jjb.yaml file gains a do_antivirus boolean parameter (defaulting to true) to control whether the scan runs, following the existing pattern of the do_release toggle. The release_matrix_job.yaml file is updated to invoke the scan conditionally. This change fits into the existing CI/CD infrastructure documented in .ci/README.md, where helper scripts like do_release.sh and blackduck_source.sh already perform pre-release validation. The antivirus scan becomes another quality gate that must pass before artifacts reach the NFS release folder or external distribution channels.
Important Files Changed
| Filename | Score | Overview |
|---|---|---|
| .ci/pipeline/release_jjb.yaml | 5/5 | Added do_antivirus boolean parameter (default: true) to enable/disable antivirus scans in the release job. |
| .ci/pipeline/release_matrix_job.yaml | 4/5 | Added conditional pipeline step to invoke antivirus.sh script when do_antivirus is enabled. |
| .ci/antivirus.sh | 2/5 | New script that scans source RPM and tarball for malware; contains critical logic issues with hardcoded paths, missing error handling, and set -e interaction problems. |
Confidence score: 3/5
- This PR introduces a valuable security feature but the core scanning script has multiple implementation flaws that could cause silent failures or false negatives.
- Score lowered primarily due to: 1) the hardcoded `-0` folder suffix in `antivirus.sh` that will break if release iteration numbers differ; 2) `set -e` causing premature exit if the first scan fails, preventing the second scan from running; 3) missing validation for `ls` commands that could match zero or multiple files; 4) the second scan failure not being properly aggregated into the final exit status if the first scan succeeds.
- Pay close attention to `.ci/antivirus.sh` for the logic and error-handling issues; verify that the hardcoded path structure matches your actual release build output and test failure scenarios for both scans.
Sequence Diagram
sequenceDiagram
participant User
participant "Jenkins Pipeline" as Jenkins
participant "Release Job" as Release
participant "do_release.sh" as RelScript
participant "Release Folder" as Folder
participant "Antivirus Step" as AV
participant "antivirus.sh" as AVScript
participant "antivirus-scan.sh" as AVScan
participant "Email System" as Email
User->>Jenkins: Trigger release with release_tag
Jenkins->>Jenkins: Set displayName to include release_tag
Jenkins->>Release: Start Release step
Release->>RelScript: Execute .ci/do_release.sh
RelScript->>Folder: Build and copy packages (RPM, tarball)
RelScript-->>Release: Return build artifacts
Release->>Jenkins: Archive pkg/build_pkg.log and RPM files
alt do_antivirus == true
Jenkins->>AV: Start Antivirus step
AV->>AVScript: Execute .ci/antivirus.sh
AVScript->>AVScript: Validate release_folder and release_version
AVScript->>AVScript: Locate libvma-*.src.rpm and libvma-*.tar.gz
AVScript->>AVScan: Scan RPM (sudo -u swx-jenkins)
AVScan-->>AVScript: Write results to RPM_LOG
AVScript->>AVScan: Scan tarball (sudo -u swx-jenkins)
AVScan-->>AVScript: Write results to TARBALL_LOG
AVScript->>AVScript: Check for "Possibly Infected: 0" in logs
alt No infections found
AVScript-->>AV: Exit status 0
else Infections found
AVScript-->>AV: Exit status 1
end
AV->>Jenkins: Archive logs/ directory
end
Jenkins->>Email: Send notification email
Email->>User: Deliver build status (tag, URL, result)
3 files reviewed, 2 comments
bot:retest
bot:retest
bot:retest
5dd9518 to 603ebb8
Greptile Overview
Greptile Summary
Adds antivirus scanning step to the release pipeline that scans both RPM and tarball packages before release.
Key changes:
- New `.ci/antivirus.sh` script that validates release artifacts and invokes external antivirus scanner
- Pipeline configuration adds `do_antivirus` parameter (default: true) and required volume mounts for scanner access
- Antivirus step runs after release build, archives scan logs, and fails the build if infections detected
Critical issues found:
- Parameter mismatch: Pipeline passes `${release_tag}` but script expects variable named `release_version`, causing immediate script failure
- Incomplete status logic: If RPM scan fails but tarball scan passes, final status incorrectly reports success
- Unhandled failures: `set -e` flag causes script to abort if antivirus command fails, preventing second scan from running
Confidence Score: 0/5
- This PR will fail immediately in production due to critical parameter naming mismatch between pipeline and script
- Score of 0 reflects the certainty that the antivirus step will fail on every execution: the pipeline passes `${release_tag}` as the second argument, but the script checks for `${release_version}` environment variable (line 17), which will never be set, causing immediate exit with error. Additionally, the status check logic has two separate bugs that could mask scan failures even if the parameter issue is fixed.
- `.ci/antivirus.sh` and `.ci/pipeline/release_matrix_job.yaml` require immediate fixes for parameter naming and status logic before this feature can function
Important Files Changed
File Analysis
| Filename | Score | Overview |
|---|---|---|
| .ci/antivirus.sh | 1/5 | New script with critical parameter name mismatch (release_version vs release_tag), incomplete status logic allowing false success, and unhandled scan command failures due to set -e |
| .ci/pipeline/release_matrix_job.yaml | 1/5 | Passes ${release_tag} to antivirus script that expects release_version, causing script failure; also adds required volume mounts for antivirus tooling |
| .ci/pipeline/release_jjb.yaml | 4/5 | Adds do_antivirus boolean parameter (defaulting to true) and fixes existing typo in do_release description |
Sequence Diagram
sequenceDiagram
participant Pipeline as Release Pipeline
participant Script as antivirus.sh
participant FS as File System
participant AV as Antivirus Scanner
Pipeline->>Script: Execute with ${release_folder} ${release_tag}
Script->>Script: Validate release_folder parameter
Script->>Script: Validate release_version parameter (expects release_tag)
Script->>FS: Check ${release_folder}/vma_v_${release_version}-0/src exists
FS-->>Script: Directory status
Script->>FS: Create ${WORKSPACE}/logs/ directory
Script->>FS: cd to release_src_folder
Script->>FS: ls -1 libvma-*.src.rpm
FS-->>Script: pkg_name
Script->>FS: ls -1 libvma-*.tar.gz
FS-->>Script: tarball_name
Script->>AV: sudo antivirus-scan.sh RPM_SRC_PATH
AV-->>Script: Log to RPM_LOG
Script->>AV: sudo antivirus-scan.sh TARBALL_SRC_PATH
AV-->>Script: Log to TARBALL_LOG
Script->>Script: Check RPM_LOG for 'Possibly Infected: 0'
Script->>Script: Check TARBALL_LOG for 'Possibly Infected: 0'
Script->>Pipeline: Exit with status (0=clean, 1=infected)
3 files reviewed, 3 comments
603ebb8 to 7fbd572
Greptile Overview
Greptile Summary
This PR adds antivirus scanning to the release pipeline using an external scanning tool. The implementation includes a new bash script that validates environment variables, constructs file paths, runs antivirus scans on both RPM and tarball packages, and reports results.
Key Changes:
- New `.ci/antivirus.sh` script performs validation and executes antivirus scans via sudo
- Pipeline integration adds `do_antivirus` parameter and Antivirus step
- Volume mount added for `/auto/GLIT/SCRIPTS/HELPERS` to access scanning tool
Critical Issues Found:
- Line 15 has inverted validation logic that causes immediate exit when the directory exists (should be opposite)
- `set -e` flag prevents both scans from running if first scan fails or returns non-zero exit code
Confidence Score: 1/5
- This PR contains critical logic bugs that will cause the antivirus step to fail immediately
- Line 15 has inverted conditional logic (exits when directory exists instead of when it doesn't exist), and the `set -e` flag from the shebang will cause the script to terminate if the first antivirus scan returns non-zero, preventing the second scan and final validation logic from executing. These are blocking issues that prevent the feature from working as intended.
- `.ci/antivirus.sh` requires immediate fixes to lines 15 and 26-27 before this PR can be merged
Important Files Changed
File Analysis
| Filename | Score | Overview |
|---|---|---|
| .ci/antivirus.sh | 1/5 | New script adds antivirus scanning for RPM and tarball packages. Critical bugs: inverted logic on line 15 causes immediate exit, set -e prevents both scans from completing. |
| .ci/pipeline/release_matrix_job.yaml | 4/5 | Adds Antivirus step with volume mount and artifact archiving. Integration appears correct - environment variables are passed via Jenkins params. |
| .ci/pipeline/release_jjb.yaml | 5/5 | Adds do_antivirus boolean parameter for enabling/disabling antivirus scan. Minor typo fix in existing parameter description. |
Sequence Diagram
sequenceDiagram
participant Jenkins
participant ReleaseJob
participant DoRelease as do_release.sh
participant AntivirusScript as antivirus.sh
participant AntivirusTool as antivirus-scan.sh
participant FileSystem
Jenkins->>ReleaseJob: Start with params (release_tag, revision, release_folder, do_antivirus)
ReleaseJob->>DoRelease: Execute with env vars
DoRelease->>DoRelease: Validate params & build packages
DoRelease->>FileSystem: Create release directory structure
DoRelease->>FileSystem: Copy RPM & tarball to release_folder/vma_v_{tag}-0/src
alt do_antivirus is true
ReleaseJob->>AntivirusScript: Execute with WORKSPACE=$PWD
AntivirusScript->>AntivirusScript: Validate WORKSPACE, release_folder, revision, release_tag
AntivirusScript->>AntivirusScript: Construct release_src_folder path
AntivirusScript->>AntivirusScript: Validate release_src_folder exists (BUG: inverted logic)
AntivirusScript->>FileSystem: Create logs directory
AntivirusScript->>AntivirusTool: Scan RPM package
AntivirusTool-->>AntivirusScript: Return scan results
AntivirusScript->>FileSystem: Write RPM_LOG
AntivirusScript->>AntivirusTool: Scan tarball (may not execute if first scan fails due to set -e)
AntivirusTool-->>AntivirusScript: Return scan results
AntivirusScript->>FileSystem: Write TARBALL_LOG
AntivirusScript->>AntivirusScript: Check both logs for infections
AntivirusScript-->>ReleaseJob: Exit 0 (clean) or 1 (infected)
end
ReleaseJob->>Jenkins: Report build status
3 files reviewed, 2 comments
7fbd572 to a001c4a
Greptile Overview
Greptile Summary
Adds antivirus scanning step to the release pipeline to scan RPM and tarball packages before release
Key Changes
- Added `antivirus.sh` script that validates environment, locates release packages, and runs external antivirus scanner
- Added Antivirus step to release pipeline with `do_antivirus` toggle parameter
- Added volume mount for antivirus scanner path
- Fixed typo: "packges" → "packages" in existing description
Critical Issues Found
- Environment variables not passed: The antivirus step uses `env WORKSPACE=$PWD` which creates a clean environment, clearing all required pipeline parameters (`release_folder`, `release_tag`, `revision`), causing immediate script failure
- Typo in error message: `EERROR` instead of `ERROR` in antivirus.sh:15
Confidence Score: 0/5
- This PR will fail in production due to missing environment variables
- The antivirus step invocation clears all environment variables except WORKSPACE, causing the script to fail immediately when checking for required variables (release_folder, release_tag, revision)
- .ci/pipeline/release_matrix_job.yaml must be fixed before merge - the script invocation will fail
Important Files Changed
File Analysis
| Filename | Score | Overview |
|---|---|---|
| .ci/antivirus.sh | 3/5 | New script to scan release packages for viruses; has a typo in error message but logic is sound |
| .ci/pipeline/release_matrix_job.yaml | 0/5 | Critical issue: invocation clears all environment variables, causing script to fail immediately |
Sequence Diagram
sequenceDiagram
participant Jenkins
participant Release Step
participant Antivirus Step
participant antivirus.sh
participant External Scanner
Jenkins->>Jenkins: Set parameters (release_tag, release_folder, revision)
Jenkins->>Release Step: Execute .ci/do_release.sh
Release Step->>Release Step: Build and copy packages to release_folder
Note over Release Step: Creates libvma-{tag}-{rev}.src.rpm<br/>and libvma-{tag}.tar.gz
alt do_antivirus enabled
Jenkins->>Antivirus Step: Execute antivirus.sh
Note over Antivirus Step: Environment variables:<br/>release_folder, release_tag, revision
Antivirus Step->>antivirus.sh: Validate environment variables
antivirus.sh->>antivirus.sh: Construct paths to packages
antivirus.sh->>External Scanner: Scan src.rpm
External Scanner-->>antivirus.sh: Log results to RPM_LOG
antivirus.sh->>External Scanner: Scan tarball
External Scanner-->>antivirus.sh: Log results to TARBALL_LOG
antivirus.sh->>antivirus.sh: Check both logs for infections
alt No infections found
antivirus.sh-->>Jenkins: Exit 0 (success)
else Infections found
antivirus.sh-->>Jenkins: Exit 1 (failure)
end
end
Jenkins->>Jenkins: Archive logs and send notification
3 files reviewed, 2 comments
a001c4a to 97bb298
Greptile Overview
Greptile Summary
Adds automated antivirus scanning to the release pipeline, scanning both RPM and tarball packages before release.
- Introduces `.ci/antivirus.sh` script that validates environment variables, constructs package paths based on release metadata, and scans packages using the existing `/auto/GLIT/SCRIPTS/HELPERS/antivirus-scan.sh` scanner
- Adds conditional `Antivirus` step to release pipeline (enabled by default via `do_antivirus` parameter)
- Mounts antivirus scanner directory into the build container
- Archives scan logs as artifacts for review
- Fixes typo in `release_jjb.yaml` ('packges' -> 'packages')
The implementation follows existing patterns in the codebase (similar to how do_release.sh is structured) with proper error handling and validation.
Confidence Score: 4/5
- This PR is safe to merge with minor concerns about pattern matching brittleness
- The implementation is straightforward and follows existing codebase patterns. All environment variables are properly validated before use. The antivirus scan logic is sound with `|| true` preventing premature exit and proper boolean checks for both scan results. The only concern is the hardcoded grep pattern for 'Possibly Infected:............. 0' which is fragile if scanner output format changes, but this is not a blocking issue.
- No files require special attention - the changes are well-structured and defensive
Important Files Changed
File Analysis
| Filename | Score | Overview |
|---|---|---|
| .ci/antivirus.sh | 4/5 | New script that validates environment variables, scans RPM and tarball packages with antivirus, and checks results. Logic is sound with proper error handling. |
| .ci/pipeline/release_jjb.yaml | 5/5 | Adds do_antivirus boolean parameter (default true) and fixes typo 'packges' -> 'packages'. Simple configuration change. |
| .ci/pipeline/release_matrix_job.yaml | 5/5 | Adds antivirus step with volume mount for scanner script, conditionally enabled via ${do_antivirus} parameter. Archives logs on completion. |
Sequence Diagram
sequenceDiagram
participant Pipeline as Release Pipeline
participant Release as do_release.sh
participant AV as antivirus.sh
participant Scanner as antivirus-scan.sh
participant FS as File System
Pipeline->>Release: Execute release step
Release->>FS: Create packages in release_folder
Note over Release,FS: Creates vma_v_{tag}-0/src/libvma-{tag}-{rev}.src.rpm<br/>and libvma-{tag}.tar.gz
alt do_antivirus enabled
Pipeline->>AV: Execute with WORKSPACE=$PWD
AV->>AV: Validate environment variables<br/>(WORKSPACE, release_folder, revision, release_tag)
AV->>FS: Check release_src_folder exists
AV->>AV: Construct file paths<br/>(pkg_name, tarball_name)
AV->>Scanner: Scan RPM package
Scanner-->>AV: Write results to RPM_LOG
AV->>Scanner: Scan tarball
Scanner-->>AV: Write results to TARBALL_LOG
AV->>AV: Check both logs for "Possibly Infected: 0"
alt Both clean
AV-->>Pipeline: exit 0 (success)
else Infection found
AV-->>Pipeline: exit 1 (failure)
end
Pipeline->>FS: Archive logs/
end
3 files reviewed, no comments
b59970c to f4f4728
Greptile Overview
Greptile Summary
Adds antivirus scanning capability to the LibVMA release pipeline. Introduces a new bash script that validates release packages (RPM and tarball) using an external antivirus scanner, with configurable execution via a new do_antivirus pipeline parameter.
- New `.ci/antivirus.sh` script validates environment variables, locates release packages, and scans both RPM and tarball files
- Pipeline integration adds volume mount for antivirus scanner access and a new step to execute scanning
- Minor typo fix: 'packges' → 'packages' in job parameter description
Critical issue: Line 53 of release_matrix_job.yaml uses env WORKSPACE=$PWD which creates a clean environment, clearing all pipeline parameters (release_folder, release_tag, revision), causing the antivirus script to fail immediately with "ERROR: release_folder variable is empty".
Confidence Score: 1/5
- This PR cannot be merged as-is due to a critical bug that will cause the antivirus step to fail immediately in production
- The `env WORKSPACE=$PWD` syntax on line 53 creates a clean environment with only WORKSPACE set, which clears all pipeline parameters (release_folder, release_tag, revision). This will cause immediate failure when the script checks these required variables on lines 9-11. The feature is well-intentioned but will not function until this issue is resolved.
- `.ci/pipeline/release_matrix_job.yaml` requires immediate fix to line 53 before this PR can be safely merged
Important Files Changed
File Analysis
| Filename | Score | Overview |
|---|---|---|
| .ci/antivirus.sh | 3/5 | New antivirus scanning script with proper validation checks; contains |
| .ci/pipeline/release_jjb.yaml | 5/5 | Adds do_antivirus boolean parameter to control antivirus scanning; fixes typo 'packges' to 'packages' |
| .ci/pipeline/release_matrix_job.yaml | 1/5 | Adds Antivirus step with volume mount; CRITICAL: env WORKSPACE=$PWD clears all pipeline variables causing immediate script failure |
Sequence Diagram
sequenceDiagram
participant Jenkins as Jenkins Pipeline
participant Matrix as release_matrix_job.yaml
participant Release as do_release.sh
participant AV as antivirus.sh
participant Scanner as antivirus-scan.sh
participant FS as File System
Jenkins->>Matrix: Start with release_tag, release_folder, revision
Matrix->>Release: Execute Release step
Release->>FS: Build and create RPM & tarball packages
FS-->>Release: Packages created in release_folder
Release-->>Matrix: Archive build logs & RPMs
alt do_antivirus enabled
Matrix->>AV: Execute with WORKSPACE=$PWD (+ all env vars)
AV->>AV: Validate WORKSPACE, release_folder, release_tag
AV->>AV: Construct release_src_folder path
AV->>FS: Check pkg_name and tarball_name exist
FS-->>AV: Files exist
AV->>Scanner: Scan RPM package as swx-jenkins user
Scanner-->>AV: Write results to RPM_LOG
AV->>Scanner: Scan tarball as swx-jenkins user
Scanner-->>AV: Write results to TARBALL_LOG
AV->>AV: Check both logs for "Possibly Infected: 0"
alt Both scans clean
AV-->>Matrix: Exit 0 (success)
else Infection found
AV-->>Matrix: Exit 1 (failure)
end
Matrix->>Matrix: Archive antivirus logs
end
Matrix-->>Jenkins: Pipeline complete
3 files reviewed, no comments
f4f4728 to 2e7eb28
Greptile Overview
Greptile Summary
Adds antivirus scanning step to the release pipeline to scan RPM and tarball packages before release.
- Added `antivirus.sh` script that validates environment variables, locates release packages, and invokes antivirus scanning
- Added `do_antivirus` boolean parameter to Jenkins job configuration with default `true`
- Added antivirus step to release pipeline matrix job that executes after package creation
- Fixed typo in `do_release` parameter description ("packges" → "packages")
- Mounted `/auto/GLIT/SCRIPTS/HELPERS` volume for antivirus scanner access
Critical Issue: The antivirus step will fail immediately due to env WORKSPACE=$PWD .ci/antivirus.sh clearing all environment variables (release_folder, release_tag, revision) needed by the script. This bug prevents the feature from functioning.
Confidence Score: 0/5
- This PR cannot be merged - the antivirus feature will fail on every execution due to missing environment variables
- Score is 0 because the pipeline invocation uses `env WORKSPACE=$PWD` which clears all environment variables before invoking the script, causing `release_folder`, `release_tag`, and `revision` to be undefined. The script will fail validation checks on line 9-10 immediately. This is a blocking bug that prevents the entire feature from working.
- `.ci/pipeline/release_matrix_job.yaml` line 53 must be fixed to preserve pipeline environment variables when invoking `antivirus.sh`
Important Files Changed
File Analysis
| Filename | Score | Overview |
|---|---|---|
| .ci/antivirus.sh | 1/5 | New antivirus scanning script with critical bug: pipeline variables won't be available due to env command clearing environment |
| .ci/pipeline/release_matrix_job.yaml | 1/5 | Added antivirus step with critical bug: env WORKSPACE=$PWD clears all pipeline parameters before invoking script |
Sequence Diagram
sequenceDiagram
participant Jenkins
participant ReleasePipeline
participant ReleaseScript as do_release.sh
participant AntivirusScript as antivirus.sh
participant AntivirusScan as antivirus-scan.sh
participant Filesystem
Jenkins->>ReleasePipeline: Trigger with params (release_tag, release_folder, revision, do_antivirus)
ReleasePipeline->>ReleasePipeline: Set environment variables
ReleasePipeline->>ReleaseScript: Execute with env vars
ReleaseScript->>Filesystem: Create packages (RPM, tarball)
ReleaseScript->>Filesystem: Copy to release_folder/vma_v_${release_tag}-0/src/
ReleaseScript-->>ReleasePipeline: Success
alt do_antivirus == true
ReleasePipeline->>AntivirusScript: Execute with env WORKSPACE=$PWD
Note over AntivirusScript: BUG: env clears all variables<br/>release_folder, release_tag, revision lost
AntivirusScript->>AntivirusScript: Validate WORKSPACE
AntivirusScript->>AntivirusScript: Check release_folder (FAILS)
AntivirusScript-->>ReleasePipeline: Exit 1 (validation failed)
else do_antivirus == false
ReleasePipeline->>ReleasePipeline: Skip antivirus
end
ReleasePipeline->>Jenkins: Send email notification
Additional Comments (1)
- `.ci/antivirus.sh`, line 53: logic: use `env WORKSPACE=$PWD` instead of setting variables inline before the script command
3 files reviewed, 1 comment
Build to verify the antivirus step:
bot:retest
2e7eb28 to 0239b2c
Greptile Overview
Greptile Summary
Adds antivirus scanning step to the release pipeline to scan both RPM packages and tarballs before distribution.
Key changes:
- New `antivirus.sh` script validates environment, locates release artifacts, and runs antivirus scans on both `libvma-${release_tag}-${revision}.src.rpm` and `libvma-${release_tag}.tar.gz`
- Pipeline integration adds `do_antivirus` parameter (default: true) and mounts `/auto/GLIT/SCRIPTS/HELPERS` for scanner access
- Added Docker `runAsUser` and `runAsGroup` configuration for proper antivirus execution permissions
Critical issue:
The antivirus step uses env WORKSPACE=$PWD .ci/antivirus.sh which creates a clean environment, clearing all pipeline parameters (release_folder, release_tag, revision). This causes the script to fail immediately on line 9 when checking for $release_folder. The fix is simple: remove env WORKSPACE=$PWD and call .ci/antivirus.sh directly (like do_release.sh does) to inherit all environment variables.
Confidence Score: 1/5
- This PR cannot be merged - the antivirus step will fail 100% of the time due to environment variable handling
- The `env WORKSPACE=$PWD` usage in `.ci/pipeline/release_matrix_job.yaml:55` clears all pipeline parameters, causing the antivirus script to fail immediately. This is a blocking bug that prevents the feature from working at all.
- `.ci/pipeline/release_matrix_job.yaml` requires immediate fix to line 55; verify `antivirus.sh` log file validation after fixing the environment issue
Important Files Changed
File Analysis
| Filename | Score | Overview |
|---|---|---|
| .ci/pipeline/release_matrix_job.yaml | 1/5 | Added antivirus step with CRITICAL bug: env WORKSPACE=$PWD clears all pipeline parameters, causing immediate script failure |
| .ci/antivirus.sh | 2/5 | New antivirus scanning script with validation logic and dual-file scanning; has missing log file validation before grep operations |
| .ci/pipeline/release_jjb.yaml | 5/5 | Added do_antivirus parameter (default: true) and fixed typo 'packges' → 'packages' |
Sequence Diagram
sequenceDiagram
participant Jenkins
participant Pipeline as release_matrix_job.yaml
participant Release as do_release.sh
participant Antivirus as antivirus.sh
participant Scanner as /auto/GLIT/SCRIPTS/HELPERS/antivirus-scan.sh
participant FS as File System
Jenkins->>Pipeline: Start with params (release_tag, release_folder, revision, do_antivirus)
Pipeline->>Release: Execute .ci/do_release.sh (inherits all env vars)
Release->>FS: Create packages at ${release_folder}/vma_v_${release_tag}-0/src/
Release->>FS: Write libvma-${release_tag}-${revision}.src.rpm
Release->>FS: Write libvma-${release_tag}.tar.gz
Release-->>Pipeline: Success
alt do_antivirus is true
Pipeline->>Antivirus: Execute env WORKSPACE=$PWD .ci/antivirus.sh
Note over Pipeline,Antivirus: BUG: env clears all pipeline parameters!
Antivirus->>Antivirus: Check $release_folder (EMPTY - will fail on line 9)
Antivirus-->>Pipeline: Exit 1 (ERROR: release_folder variable is empty)
end
Note over Pipeline: INTENDED FLOW (if env bug is fixed):
Pipeline->>Antivirus: Execute .ci/antivirus.sh (with env vars)
Antivirus->>Antivirus: Validate WORKSPACE, release_folder, release_tag
Antivirus->>FS: Check ${release_src_folder}/${pkg_name} exists
Antivirus->>FS: Check ${release_src_folder}/${tarball_name} exists
Antivirus->>Scanner: Scan ${pkg_name} > RPM_LOG
Scanner-->>Antivirus: Scan results
Antivirus->>Scanner: Scan ${tarball_name} > TARBALL_LOG
Scanner-->>Antivirus: Scan results
Antivirus->>Antivirus: grep 'Possibly Infected:............. 0' in both logs
alt Both scans clean
Antivirus-->>Pipeline: Exit 0 (Success)
Pipeline->>Jenkins: Archive logs/ artifacts
else Any scan infected
Antivirus-->>Pipeline: Exit 1 (Failure)
Pipeline->>Jenkins: Fail job with logs
end
3 files reviewed, 2 comments
0239b2c to 96bf706
Greptile Overview
Greptile Summary
This PR adds antivirus scanning functionality to the LibVMA release pipeline. The implementation includes a new antivirus.sh script that scans both RPM and tarball release packages using an external antivirus tool, along with pipeline configuration changes to integrate this step into the release workflow.
Major changes:
- New `.ci/antivirus.sh` script validates environment, locates release packages, runs antivirus scans, and reports results
- Added `do_antivirus` boolean parameter to `release_jjb.yaml` to enable/disable scanning
- New antivirus step in `release_matrix_job.yaml` with required volume mount for scanner scripts
- Docker container now runs as user 6213/group 101 (likely required for scanner access)
- Removed `sudo -E -u swx-jenkins` from `do_release.sh` file operations
Critical issue found:
The antivirus step uses env WORKSPACE=$PWD .ci/antivirus.sh which creates a clean environment with ONLY the WORKSPACE variable set. This clears all pipeline parameters (release_folder, release_tag, revision) that the script requires, causing immediate failure on line 10 of antivirus.sh when checking for release_folder.
Confidence Score: 1/5
- This PR will fail immediately when the antivirus step executes due to environment variable mishandling
- The antivirus step uses `env WORKSPACE=$PWD` which creates a clean environment that clears all required pipeline parameters (release_folder, release_tag, revision). The script will fail on line 10 when validating these required variables. This is a critical logic error that prevents the feature from functioning at all.
- `.ci/pipeline/release_matrix_job.yaml` line 55 - must remove `env WORKSPACE=$PWD` prefix to pass pipeline parameters to the script
Important Files Changed
File Analysis
| Filename | Score | Overview |
|---|---|---|
| .ci/pipeline/release_matrix_job.yaml | 1/5 | Added antivirus step with broken environment setup - env WORKSPACE=$PWD clears all pipeline parameters, causing immediate script failure |
| .ci/antivirus.sh | 3/5 | New antivirus scanning script with basic validation and dual-scan logic for RPM and tarball files; script logic is sound but depends on correct environment variable passing from pipeline |
Sequence Diagram
sequenceDiagram
participant Pipeline as Release Pipeline
participant Release as do_release.sh
participant AV as antivirus.sh
participant Scanner as antivirus-scan.sh
participant FS as File System
Pipeline->>Pipeline: Set parameters (release_tag, release_folder, revision)
Pipeline->>Release: Execute release step
Release->>FS: Build packages (RPM + tarball)
Release->>FS: Copy to /auto/mswg/release/vma/vma_v_${release_tag}-0/src/
Release-->>Pipeline: Release complete
alt do_antivirus enabled
Pipeline->>AV: Execute antivirus step with env WORKSPACE=$PWD
Note over AV: Environment cleared - only WORKSPACE set!
AV->>AV: Validate WORKSPACE (passes)
AV->>AV: Check release_folder (FAILS - variable empty)
AV-->>Pipeline: Exit 1 - ERROR: release_folder variable is empty
else do_antivirus disabled
Pipeline->>Pipeline: Skip antivirus step
end
4 files reviewed, 1 comment
96bf706 to 04e755e
Greptile Overview
Greptile Summary
This PR adds antivirus scanning to the release pipeline by creating a new antivirus.sh script that validates release packages (RPM and tarball) for malware before they are published.
Major changes:
- New `antivirus.sh` script that scans both RPM and tarball files using `/auto/GLIT/SCRIPTS/HELPERS/antivirus-scan.sh`
- Pipeline step added with `do_antivirus` boolean parameter (defaults to true)
- Volume mount added for `/auto/GLIT/SCRIPTS/HELPERS` to access the antivirus scanner
- Removed `sudo -E -u swx-jenkins` commands from `do_release.sh` in favor of container-level `runAsUser`/`runAsGroup` configuration
Critical Issue:
The antivirus step uses env WORKSPACE=$PWD which creates a clean environment, clearing all pipeline parameters (release_folder, release_tag, revision) that the script requires. This will cause immediate failure.
Confidence Score: 1/5
- This PR has a critical bug that will cause the antivirus step to fail immediately in production
- The `env WORKSPACE=$PWD` command in the pipeline clears all environment variables except `WORKSPACE`, making `release_folder`, `release_tag`, and `revision` undefined. The antivirus script will fail validation on line 10. This is a blocking issue that prevents the feature from working.
- `.ci/pipeline/release_matrix_job.yaml` requires immediate fix to remove `env` command and preserve pipeline variables
Important Files Changed
File Analysis
| Filename | Score | Overview |
|---|---|---|
| .ci/antivirus.sh | 3/5 | New script for scanning release packages; solid validation logic and error handling with |
| .ci/pipeline/release_matrix_job.yaml | 1/5 | Adds antivirus step and volumes; critical bug with env WORKSPACE=$PWD clearing all environment variables needed by script |
Sequence Diagram
sequenceDiagram
participant Pipeline as Release Pipeline
participant Release as do_release.sh
participant FS as File System
participant AV as antivirus.sh
participant Scanner as antivirus-scan.sh
Pipeline->>Release: Execute (release_tag, revision, release_folder)
Release->>Release: Validate parameters
Release->>Release: Build RPM & tarball
Release->>FS: Copy to /auto/mswg/release/vma/vma_v_{tag}-0/src/
Release-->>Pipeline: Success
Pipeline->>AV: Execute with env WORKSPACE=$PWD
Note over Pipeline,AV: BUG: env clears all variables except WORKSPACE
AV->>AV: Validate WORKSPACE ✓
AV->>AV: Validate release_folder ✗ (undefined)
AV-->>Pipeline: Exit 1 (ERROR: release_folder variable is empty)
Note over AV,Scanner: Expected flow (if bug is fixed):
AV->>AV: Construct paths to RPM & tarball
AV->>Scanner: Scan RPM
Scanner-->>AV: Log output
AV->>Scanner: Scan tarball
Scanner-->>AV: Log output
AV->>AV: Check logs for "Possibly Infected: 0"
AV-->>Pipeline: Exit 0 or 1
4 files reviewed, 1 comment
Please run on DR as well to check
04e755e to c37c562
Greptile Overview
Greptile Summary
Adds antivirus scanning to the release pipeline by introducing a new antivirus.sh script that scans both RPM and tarball packages using an external antivirus tool (/auto/GLIT/SCRIPTS/HELPERS/antivirus-scan.sh). The implementation includes proper input validation, log capture, and conditional execution via a new do_antivirus parameter.
Key changes:
- New `antivirus.sh` script validates inputs, constructs package paths, runs scans, and checks for infections
- Pipeline integration adds volume mount for antivirus tooling and new conditional step
- Removes `sudo` from `do_release.sh` (now runs as configured user via `runAsUser`/`runAsGroup`)
- Fixes typo in `release_jjb.yaml` ("packges" → "packages")
The script follows the same path construction logic as do_release.sh to locate packages in /auto/mswg/release/vma/vma_v_{tag}-0/src/.
Confidence Score: 5/5
- This PR is safe to merge with minimal risk
- The implementation is clean and well-structured with proper error handling, input validation, and pipeline integration. The antivirus script correctly validates all required inputs, constructs paths consistently with existing code, and uses appropriate exit codes. The pipeline changes properly mount required volumes and integrate the new step conditionally. The removal of sudo commands aligns with the Kubernetes configuration using `runAsUser`/`runAsGroup`.
- No files require special attention
Important Files Changed
File Analysis
| Filename | Score | Overview |
|---|---|---|
| .ci/antivirus.sh | 4/5 | New script that scans release packages for viruses using external antivirus tool. Good validation and error handling, clean implementation. |
| .ci/pipeline/release_matrix_job.yaml | 5/5 | Adds antivirus step to pipeline with proper volume mounting and conditional execution. Well integrated. |
Sequence Diagram
sequenceDiagram
participant Pipeline as Jenkins Pipeline
participant Release as do_release.sh
participant Antivirus as antivirus.sh
participant Scanner as /auto/GLIT/.../antivirus-scan.sh
participant NFS as NFS Storage
Pipeline->>Pipeline: Check do_release param
alt do_release == true
Pipeline->>Release: Execute with release_tag, revision, release_folder
Release->>Release: Build packages (RPM + tarball)
Release->>Release: Validate version matches tag
Release->>NFS: Copy packages to /auto/mswg/release/vma/vma_v_{tag}-0/src
NFS-->>Release: Packages stored
end
Pipeline->>Pipeline: Check do_antivirus param
alt do_antivirus == true
Pipeline->>Antivirus: Execute with WORKSPACE, release_folder, release_tag, revision
Antivirus->>Antivirus: Validate inputs (WORKSPACE, release_folder, release_tag)
Antivirus->>Antivirus: Construct paths to packages in NFS
Antivirus->>Scanner: Scan RPM package
Scanner-->>Antivirus: Write results to RPM log
Antivirus->>Scanner: Scan tarball
Scanner-->>Antivirus: Write results to tarball log
Antivirus->>Antivirus: Check both logs for "Possibly Infected: 0"
alt Both scans clean
Antivirus-->>Pipeline: Exit 0 (success)
else Infection detected
Antivirus-->>Pipeline: Exit 1 (failure)
end
Pipeline->>Pipeline: Archive logs/
end
4 files reviewed, no comments
c37c562 to 0814ca8
Greptile Overview
Greptile Summary
This PR integrates antivirus scanning into the release pipeline by adding a new
Key changes:
Critical issue found: The antivirus scan commands at lines 30-31 will cause the script to exit immediately if the antivirus tool returns non-zero (due to `set -e`).
Confidence Score: 2/5
Important Files Changed
File Analysis
Sequence Diagram
sequenceDiagram
participant Pipeline as Release Pipeline
participant Release as do_release.sh
participant AV as antivirus.sh
participant Scanner as antivirus-scan.sh
participant Logs as Log Files
Pipeline->>Release: Execute release step
Release->>Release: Build src.rpm & tarball
Release->>Release: Copy to /auto/mswg/release/vma/vma_v_X.Y.Z-0/src
Pipeline->>AV: Execute antivirus step (if do_antivirus=true)
AV->>AV: Validate WORKSPACE, release_folder, release_tag
AV->>AV: Construct paths to src.rpm & tarball
AV->>AV: Verify files exist
AV->>Scanner: Scan libvma-X.Y.Z-1.src.rpm
Scanner-->>Logs: Write rpm_log
Note over AV,Scanner: If scan fails (non-zero exit),<br/>set -e terminates here ❌
AV->>Scanner: Scan libvma-X.Y.Z.tar.gz
Scanner-->>Logs: Write tarball_log
AV->>Logs: Check both logs for "Possibly Infected: 0"
alt Both clean
AV-->>Pipeline: Exit 0 (success)
else Infection found
AV-->>Pipeline: Exit 1 (failure)
end
4 files reviewed, 1 comment
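As an added example, not the PR's own `.ci/antivirus.sh`, the following script implements the scan-and-verdict logic in the shape the reviews above describe: the earlier review that credits `|| true` with preventing premature exit and flags the literal `Possibly Infected:............. 0` grep as brittle, and the last review that traces a `set -e` abort after a non-zero scanner exit. The scanner stand-ins, their report format, and the package names are constructed for this example, since `/auto/GLIT/SCRIPTS/HELPERS/antivirus-scan.sh` is not available offline.

```shell
#!/usr/bin/env bash
# Added example (not the PR's .ci/antivirus.sh). Shows:
#   1. '|| true' after each scanner call so 'set -e' cannot abort the script
#      before the second package is scanned and the verdict is computed;
#   2. the "Possibly Infected: 0" check as a regex rather than the literal
#      'Possibly Infected:............. 0', so padding changes do not break it;
#   3. the failure mode itself: an unguarded scan under 'set -e' never reaches
#      the tarball.
# The real scanner is not available offline; the stand-ins below and their
# report format are constructed for this example.
set -e

# Constructed report format for the stand-in scanners.
report() {
    printf 'Scanning %s\n' "$1"
    printf 'Scanned files:................. 12\n'
    printf 'Possibly Infected:............. %s\n' "$2"
}

# Stand-in scanners: clean, clean-but-warning (non-zero exit), and infected.
scanner_clean()      { report "$1" 0; return 0; }
scanner_clean_warn() { report "$1" 0; return 2; }
scanner_infected()   { report "$1" 1; return 1; }

# Package names follow the layout the PR discussion gives for do_release.sh;
# release_tag and revision fall back to constructed values when unset.
release_tag="${release_tag:-9.8.60}"
revision="${revision:-1}"
pkg_name="libvma-${release_tag}-${revision}.src.rpm"
tarball_name="libvma-${release_tag}.tar.gz"

# Run one scanner on one file, capturing its report. The '|| true' is what
# keeps 'set -e' from terminating the script on a non-zero scanner exit.
scan_package() {
    local scanner="$1" file="$2" log="$3"
    "$scanner" "$file" > "$log" 2>&1 || true
}

# Returns 0 only if the log exists, is non-empty, and reports zero infections.
# A missing or empty log (scanner crashed, path wrong) is never "clean".
log_is_clean() {
    local log="$1"
    [ -s "$log" ] || return 1
    grep -Eq '^Possibly Infected:\.*[[:space:]]*0[[:space:]]*$' "$log"
}

# Scan both release packages; returns 0 if both logs are clean, 1 otherwise.
# Arguments: log directory, scanner for the RPM, scanner for the tarball.
scan_release() {
    local logdir="$1" rpm_scanner="$2" tar_scanner="$3"
    mkdir -p "$logdir"
    scan_package "$rpm_scanner" "$pkg_name" "$logdir/rpm.log"
    scan_package "$tar_scanner" "$tarball_name" "$logdir/tarball.log"
    if log_is_clean "$logdir/rpm.log" && log_is_clean "$logdir/tarball.log"; then
        echo "Both packages clean"
        return 0
    fi
    echo "Infection reported or scan incomplete; see $logdir" >&2
    return 1
}

# Reproduces the reported failure mode. Run in a separate shell process so its
# own 'set -e' is honoured (a subshell under '!' or '||' in this script would
# have -e suppressed). Without '|| true', the first non-zero scanner exit
# aborts the run and the tarball log is never written.
# Returns 0 only if the tarball log exists afterwards.
scan_without_guard() {
    local logdir="$1"
    mkdir -p "$logdir"
    rm -f "$logdir/rpm.log" "$logdir/tarball.log"
    sh -e -c '
        printf "Possibly Infected:............. 0\n" > "$1/rpm.log"; false
        printf "Possibly Infected:............. 0\n" > "$1/tarball.log"
    ' guard_demo "$logdir" || true
    [ -e "$logdir/tarball.log" ]
}

# Stand-alone demo: ./scan_example.sh demo
if [ "${1:-}" = "demo" ]; then
    d="$(mktemp -d)"
    scan_release "$d/clean" scanner_clean scanner_clean_warn        # exit 0
    scan_release "$d/bad" scanner_clean scanner_infected || true    # exit 1
    rm -rf "$d"
fi
```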
Add antivirus scan step to the release job to scan release packages. Signed-off-by: Noam Tsemah <[email protected]>
0814ca8 to f77ccec
4 files reviewed, 1 comment
bot:retest
Description
Add antivirus scan step to the release job
What
Add antivirus.sh script to .ci directory and a pipeline step that runs it to scan release packages (RPM and tarball).
Why?
How?
Change type
What kind of change does this PR introduce?
Check list