
Deploy ClamAV in Staging

Open janbro opened this issue 1 month ago • 4 comments

We are preparing to implement automated extension security scanning in the Open VSX publishing workflow (see: https://github.com/eclipse/openvsx/issues/1396). To support development and integration testing, we need a ClamAV-based scanning service deployed in the staging environment of open-vsx.org.

Purpose

ClamAV will be used to scan uploaded extensions for known malware signatures before they are accepted. Deploying the scanning service in staging will allow us to test upload flows, performance boundaries, and failure handling before proposing a production rollout.

Proposed Service

We intend to use the following wrapper around clamd:

Repository: https://github.com/ajilach/clamav-rest

This provides a minimal REST API layer to ClamAV so the backend can perform scans via HTTP rather than managing a direct socket connection.

Key Endpoints

Method   Endpoint    Description
POST     /v2/scan    Accepts uploaded file data and returns ClamAV scan results.

Port     Description
9000     HTTP REST listening port

Relevant Environment Variables for Deployment

Variable           Purpose                                                   Recommended   Why Relevant
MAX_FILE_SIZE      Do not scan files larger than this size.                  512M          Reflects the vsix file upload limit.
MAX_SCAN_SIZE      Total data scanned per file.                              512M          Reflects the vsix file upload limit.
MAX_RECURSION      Maximum nested archive depth.                             16            Important because VSCode extensions may contain nested archives.
SIGNATURE_CHECKS   How many times per day to refresh the malware signature DB.   2         Ensures the signature database remains up to date.

See https://github.com/ajilach/clamav-rest?tab=readme-ov-file#environment-variables for a complete list of options.

Note on Signature Database Persistence

The ClamAV signature data directory can be persisted to reduce update overhead. If not persisted, the signatures will be re-fetched each time the container is recreated, which increases initialization time and external network dependency.

# optional: persisting the data directory
#   volumeMounts:
#   - name: clamav-data
#     mountPath: /clamav/data

https://github.com/ajilach/clamav-rest/blob/e2f4ce71e844e7b3c33b0e62a2743afcc6ecd04e/kubernetes_example/deployment.yaml#L58-L61

Requested Deployment Tasks

  1. Deploy clamav-rest
  2. Configure the environment variables listed above.
  3. Ensure access is internal-only, available to the Open VSX server in staging.

This will support the upcoming work on secure extension publishing flows.

janbro avatar Nov 10 '25 06:11 janbro
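The post above describes the integration contract (POST /v2/scan on port 9000, a 512M file limit, and the need to test failure handling) without showing client code. The following is an added example, written for this page and not taken from the Open VSX backend or from the clamav-rest project. It assumes, because the page does not state it, that clamav-rest reads the upload from a multipart form field named `FILES` and answers `/v2/scan` with a JSON list of objects carrying `Status` (`OK`, `FOUND` or `ERROR`) and `Description`; the service hostname `clamav-rest-staging` is also a placeholder. The design point is that the scan is fail-closed: only an unambiguous `OK` accepts the file, and a scanner outage, a malformed reply or an oversized file rejects it, since clamd skips files above MaxFileSize rather than scanning them (unless `AlertExceedsMax` is set).

```python
"""Fail-closed client for the clamav-rest POST /v2/scan endpoint (added example).

Assumptions (not stated on the page): the upload goes in a multipart field named
"FILES"; the JSON reply is a list of {"Status": ..., "Description": ..., "FileName": ...}.
"""
import io
import json
import urllib.request
import uuid
from dataclasses import dataclass
from typing import Callable, Tuple

# Mirrors the MAX_FILE_SIZE value recommended in the issue.
MAX_FILE_SIZE = 512 * 1024 * 1024
# Hypothetical in-cluster service name; the real staging URL is not on the page.
SCAN_URL = "http://clamav-rest-staging:9000/v2/scan"


@dataclass(frozen=True)
class ScanVerdict:
    accepted: bool
    reason: str


def build_multipart(filename: str, data: bytes) -> Tuple[bytes, str]:
    """Encode a single file as multipart/form-data under the field name "FILES" (assumed)."""
    boundary = "----openvsx-" + uuid.uuid4().hex
    body = io.BytesIO()
    body.write(f"--{boundary}\r\n".encode())
    body.write(
        f'Content-Disposition: form-data; name="FILES"; filename="{filename}"\r\n'.encode()
    )
    body.write(b"Content-Type: application/octet-stream\r\n\r\n")
    body.write(data)
    body.write(f"\r\n--{boundary}--\r\n".encode())
    return body.getvalue(), f"multipart/form-data; boundary={boundary}"


def http_post(url: str, body: bytes, content_type: str, timeout: float = 60.0) -> Tuple[int, bytes]:
    """Real transport: POST the multipart body and return (HTTP status, raw reply)."""
    req = urllib.request.Request(
        url, data=body, method="POST", headers={"Content-Type": content_type}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read()


def interpret(status: int, payload: bytes) -> ScanVerdict:
    """Turn a /v2/scan reply into an accept/reject decision.

    Anything other than a parseable list in which every entry reports Status "OK"
    is a rejection: a FOUND entry is malware, and an ERROR, an empty list or
    garbage means the file was not actually scanned.
    """
    try:
        results = json.loads(payload)
    except ValueError:
        return ScanVerdict(False, f"unparseable scanner response (HTTP {status})")
    if not isinstance(results, list) or not results:
        return ScanVerdict(False, f"scanner returned no per-file result (HTTP {status})")
    for entry in results:
        state = str(entry.get("Status", "")).upper()
        if state == "FOUND":
            return ScanVerdict(False, f"signature matched: {entry.get('Description', 'unknown')}")
        if state != "OK":
            return ScanVerdict(False, f"scanner reported {state or 'no status'}, not OK")
    return ScanVerdict(True, "clean")


def scan_vsix(
    filename: str,
    data: bytes,
    post: Callable[[str, bytes, str], Tuple[int, bytes]] = http_post,
    max_size: int = MAX_FILE_SIZE,
) -> ScanVerdict:
    """Scan an uploaded .vsix; the transport is injectable so the flow can be tested offline."""
    # Reject before upload: clamd skips files over MaxFileSize instead of scanning them,
    # so passing one through would produce a misleading "clean" result.
    if len(data) > max_size:
        return ScanVerdict(False, f"{len(data)} bytes exceeds MAX_FILE_SIZE ({max_size})")
    body, content_type = build_multipart(filename, data)
    try:
        status, payload = post(SCAN_URL, body, content_type)
    except Exception as exc:  # connection refused, timeout, DNS failure, ...
        return ScanVerdict(False, f"scanner unreachable: {exc}")
    return interpret(status, payload)


if __name__ == "__main__":
    # Constructed sample replies standing in for the staging service.
    clean = lambda u, b, c: (200, b'[{"Status":"OK","Description":"","FileName":"ext.vsix"}]')
    print(scan_vsix("ext.vsix", b"PK\x03\x04 fake vsix bytes", post=clean))
```

In the publishing flow the `accepted` flag gates storage of the extension; the `reason` string is what belongs in the server log and, for `FOUND`, in the error shown to the publisher. Testing the outage path in staging is as simple as scaling the clamav-rest deployment to zero and confirming uploads are refused rather than accepted.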

Thanks for creating this issue @janbro!

@MWEclipse @fredg02 - Can your team help with this issue? Let me know if you have any questions!

chrisguindon avatar Nov 10 '25 15:11 chrisguindon

Per @fredg02 request - I created a pointer in the EF Helpdesk: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/6864

chrisguindon avatar Nov 10 '25 16:11 chrisguindon

Sharing an update from @pstankie: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/6864#note_5324483

ClamAV REST (and ClamAV) have been deployed to staging.

More info on howto use the deployment at https://github.com/EclipseFdn/clamav-rest/tree/master/charts

Also:

  • I forked the original repository to https://github.com/EclipseFdn/clamav-rest, although I disconnected the fork
  • this is still WiP. Currently - refactoring Dockerfile

Please test it and if that fulfils expectations and is approved I will move forward with TODO tasks in https://github.com/EclipseFdn/clamav-rest/tree/master/charts/README.md

@netomi - Since our contractors don't have access to staging, could you take a look to see if the service is available?

chrisguindon avatar Nov 14 '25 15:11 chrisguindon

Yes, the clamav-rest-staging service is available.

netomi avatar Nov 14 '25 15:11 netomi