# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
# SPDX-License-Identifier: Apache-2.0
---
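stages:
  - mirror_clamav_db

variables:
  CLAMAV_DB_PATH: "/var/lib/clamav"
  REPO_PATH: "${CI_PROJECT_DIR}"
  # Third-party Sanesecurity signature sets mirrored next to the official
  # ClamAV databases. Maintained as data here so the download loop in the
  # job stays generic; add or remove files in this list, not in the script.
  SANESECURITY_BASE_URL: "https://ftp.swin.edu.au/sanesecurity"
  SANESECURITY_FILES: >-
    badmacro.ndb
    blurl.ndb
    bofhland_cracked_URL.ndb
    bofhland_malware_URL.ndb
    bofhland_malware_attach.hdb
    bofhland_phishing_URL.ndb
    foxhole_filename.cdb
    foxhole_generic.cdb
    foxhole_js.cdb
    foxhole_js.ndb
    hackingteam.hsb
    junk.ndb
    jurlbl.ndb
    jurlbla.ndb
    lott.ndb
    malwarehash.hsb
    phish.ndb
    phishtank.ndb
    porcupine.ndb
    rogue.hdb
    scam.ndb
    shelter.ldb
    spamattach.hdb
    spamimg.hdb
    spear.ndb
    spearl.ndb
    winnow.attachments.hdb
    winnow_bad_cw.hdb
    winnow_extended_malware.hdb
    winnow_extended_malware_links.ndb
    winnow_malware.hdb
    winnow_malware_links.ndb
    winnow_phish_complete_url.ndb
    winnow_spam_complete.ndb

# Scheduled job: refreshes the ClamAV signature mirror kept in this repository
# (Git LFS) from the upstream ClamAV CDN plus selected third-party feeds, and
# pushes a commit only when at least one file changed.
update_clamav_db:
  stage: mirror_clamav_db
  # Pinned to a release tag rather than `latest` so a scheduled run cannot
  # silently pick up a different base image; pinning to an image digest is
  # stronger still and is recommended once the team has a refresh process.
  image: ubuntu:24.04
  before_script:
    # `clamav` already pulls in `clamav-freshclam`; one install call is enough.
    - export DEBIAN_FRONTEND=noninteractive
    - apt-get update && apt-get install -y clamav clamav-freshclam git-lfs wget bind9-host
    - git lfs install

  script:
    # Fail fast on any error, unset variable or failing pipeline stage so a
    # partial download or a missing CI variable is never committed as an update.
    - set -euo pipefail
    - |
      cat << EOF > /etc/clamav/freshclam.conf
      DatabaseMirror https://database.clamav.net
      DatabaseDirectory ${CLAMAV_DB_PATH}
      LogFileMaxSize 1M
      LogTime no
      LogVerbose no
      LogSyslog yes
      LogFacility LOG_LOCAL6
      LogRotate no
      DatabaseOwner clamav
      MaxAttempts 3
      ScriptedUpdates yes
      CompressLocalDatabase yes
      NotifyClamd no
      Foreground yes
      Debug yes
      ConnectTimeout 30
      ReceiveTimeout 60
      Bytecode yes
      Checks 12
      EOF
    # Run freshclam once (Foreground yes) to download the current database
    # files. freshclam performs ClamAV's own signature check on each CVD it
    # accepts, so the *.cvd files copied below have passed that verification.
    - freshclam
    # Copy the verified database files into the repository checkout.
    - cp "${CLAMAV_DB_PATH}"/*.cvd "${REPO_PATH}"
    #- cp "$CLAMAV_DB_PATH"/*.cld "$REPO_PATH"
    #- cp "$REPO_PATH"/daily.cld "$REPO_PATH"/daily.cvd

    # Determine the current daily.cvd version from ClamAV's DNS TXT record.
    # NOTE(review): this is an unauthenticated plain-DNS lookup and the `-f7`
    # field index depends on the exact output layout of `host` when a server
    # is given; the value is therefore validated as a bare integer before it
    # is used in shell arithmetic or in a URL.
    - DB_LATEST_VERSION=$(echo $(host -t txt current.cvd.clamav.net 1.1.1.1) | cut -d ':' -f7)
    - |
      if ! [[ "${DB_LATEST_VERSION}" =~ ^[0-9]+$ ]]; then
        echo "Could not determine the current daily.cvd version (got '${DB_LATEST_VERSION}')" >&2
        exit 1
      fi
    # Fetch the last ten daily diffs so clients lagging slightly behind can
    # still update incrementally. The .cdiff files are stored as delivered;
    # they are not applied or signature-checked here, ClamAV verifies them on
    # the consuming side when it applies them.
    # NOTE(review): the User-Agent impersonates cvdupdate with a fixed UUID;
    # confirm this is acceptable under ClamAV's CDN / mirror usage policy.
    - |
      for iter in {0..9}; do
        TO_DOWNLOAD_VERSION=$((DB_LATEST_VERSION - iter))
        if [ ! -f "daily-${TO_DOWNLOAD_VERSION}.cdiff" ]; then
          wget --https-only --user-agent="CVDUPDATE/1.1.2 (3b7f06ec-5337-4030-8856-d3840301cfe3)" "https://database.clamav.net/daily-${TO_DOWNLOAD_VERSION}.cdiff"
        fi
      done

    # Fetch third-party signature sets. These are protected by TLS only; no
    # detached-signature or checksum verification is performed before they
    # are committed to the mirror.
    # TODO(review): verify each file against the publisher's signing key
    # (where the publisher provides one) before it enters the mirror.
    - |
      for db_file in ${SANESECURITY_FILES}; do
        wget --https-only -O "${db_file}" "${SANESECURITY_BASE_URL}/${db_file}"
        # `wget -O` creates the target before the transfer starts; an empty
        # file therefore signals a failed or truncated download.
        test -s "${db_file}"
      done
    - wget --https-only -O urlhaus.ndb https://urlhaus.abuse.ch/downloads/urlhaus.ndb
    - test -s urlhaus.ndb

    # Configure git identity for the mirror commit
    - git config --global user.email "git+bmi-opendesk-tooling-clamav-db-mirror-3684-issue-@opencode.de"
    - git config --global user.name "openDesk ClamAV DB Mirror"

    # Ensure database files are stored via Git LFS
    - git lfs track "*.cvd" "*.ndb" "*.cdb" "*.hdb" "*.hsb" "*.ldb" "*.cdiff"
    - git add .gitattributes

    # Exit cleanly when nothing changed; otherwise stage, commit and push.
    - |
      if [ -z "$(git status --porcelain)" ]; then
        echo "ClamAV database mirror is already up to date; nothing to commit."
        exit 0
      fi
    - git add -- *.cvd *.ndb *.cdb *.hdb *.hsb *.ldb *.cdiff
    - git commit -m "Update ClamAV database files on $(date)"
    # CI_PUSH_TOKEN must be configured as a masked (and ideally protected)
    # CI/CD variable with write_repository scope. The token is handed to git
    # through a credential helper instead of being embedded in the remote URL,
    # so it never appears in the process list or in git's error output.
    - ': "${CI_PUSH_TOKEN:?CI_PUSH_TOKEN must be set as a masked CI/CD variable}"'
    - |
      git -c credential.helper='!f() { echo "username=gitlab-ci-token"; echo "password=${CI_PUSH_TOKEN}"; }; f' \
        push "https://${CI_SERVER_HOST}/${CI_PROJECT_PATH}.git" "HEAD:${CI_COMMIT_REF_NAME}"

  # Run only from pipeline schedules (equivalent of the legacy `only: schedules`).
  rules:
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
...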