Disable shellcheck for virus_scan.j2.sh

shellcheck cannot deal with the jinja templating syntax.
cisagov · Jan 14, 2025 · 59012ec · 59012ec
1 parent cdd73f5
commit 59012ec
Showing 1 changed file with 51 additions and 45 deletions.
diff --git a/templates/virus_scan.j2.sh b/templates/virus_scan.j2.sh
@@ -1,7 +1,13 @@
 #!/usr/bin/env bash
-# Managed by cisagov/ansible-role-clamscan.
+# shellcheck disable=all
+# Managed by cisagov/ansible-role-clamav.
 # Beware:  This script will be run by root.
 
+# Note that we turn off all shellcheck checking for this script, since
+# the shellcheck linter cannot deal with the jinja templating.  We do,
+# however, validate the generated file with shfmt and shellcheck after
+# the templating is applied.
+
 set -o errexit
 set -o nounset
 set -o pipefail
@@ -13,27 +19,27 @@ LAST_DETECTION_FILENAME=/var/log/clamav/last_detection
 # log.  Use nice since clamscan can be temporarily CPU-hungry.
 echo -n Running clamscan...
 {% if clamav_install_from_package_manager %}
-  nice clamscan \
-{% else %}
-  nice /usr/local/bin/clamscan \
-{% endif %}
-  --database=/var/lib/clamav \
-{% if clamav_scan_copy %}
-  --copy={{ clamav_scan_quarantine_directory }} \
-{% endif %}
+nice clamscan \
+  {% else %}
+nice /usr/local/bin/clamscan \
+  {% endif %}
+--database=/var/lib/clamav \
+  {% if clamav_scan_copy %}
+--copy={{ clamav_scan_quarantine_directory }} \
+  {% endif %}
 {% for dir in clamav_scan_exclude_directories %}
-  --exclude-dir={{ dir }} \
-{% endfor %}
-  --infected \
+--exclude-dir={{ dir }} \
+  {% endfor %}
+--infected \
   --log=${LAST_SCAN_LOG_FILENAME} \
-{% if clamav_scan_move %}
-  --move={{ clamav_scan_quarantine_directory }} \
-{% endif %}
-  --recursive \
-{% for flag in clamav_scan_extra_flags %}
-  {{ flag }} \
-{% endfor %}
-  /
+  {% if clamav_scan_move %}
+--move={{ clamav_scan_quarantine_directory }} \
+  {% endif %}
+--recursive \
+  {% for flag in clamav_scan_extra_flags %}
+{{ flag }} \
+  {% endfor %}
+/
 echo done.
 
 # If any infections were found in the most recent run, touch the
@@ -43,40 +49,40 @@ latest_scan_log=${LAST_SCAN_LOG_FILENAME}-00
 
 # This function cleans the individual scan logs created by the csplit
 # command.
-cleanup_after_csplit () {
-    echo -n Cleaning up individual scan logs created by csplit...
-    rm -f ${prefix}*
-    echo done.
+cleanup_after_csplit() {
+  echo -n Cleaning up individual scan logs created by csplit...
+  rm -f ${prefix}*
+  echo done.
 }
 # Run cleanup_after_csplit when the script exits.
 trap cleanup_after_csplit EXIT
 
 # Split the scan log so that each scan is its own log file.
 echo -n Splitting the scan log into separate files for each scan run...
 tac "$LAST_SCAN_LOG_FILENAME" | csplit --prefix="$prefix" --quiet - \
-                                       "/^-* SCAN SUMMARY -*$/" "{*}"
+  "/^-* SCAN SUMMARY -*$/" "{*}"
 echo done.
 if [ -f "$latest_scan_log" ]; then
-    # Extract the number of infected files found.
-    echo -n Extracting number of infected files found in latest scan run...
-    num_infected_files=$(sed --quiet --regexp-extended \
-                             "s/^Infected files: ([[:digit:]]+)$/\1/p" \
-                             "$latest_scan_log")
-    echo done.  "$num_infected_files" infected files found.
-    if [ -n "$num_infected_files" ]; then
-        if [ "$num_infected_files" -ne 0 ]; then
-            # An infected file was found.
-            echo -n Touching $LAST_DETECTION_FILENAME...
-            touch "$LAST_DETECTION_FILENAME"
-            echo done.
-        fi
-    else
-        echo Unable to parse number of infected files from file \
-             $latest_scan_log. >&2
-        exit 1
+  # Extract the number of infected files found.
+  echo -n Extracting number of infected files found in latest scan run...
+  num_infected_files=$(sed --quiet --regexp-extended \
+    "s/^Infected files: ([[:digit:]]+)$/\1/p" \
+    "$latest_scan_log")
+  echo done. "$num_infected_files" infected files found.
+  if [ -n "$num_infected_files" ]; then
+    if [ "$num_infected_files" -ne 0 ]; then
+      # An infected file was found.
+      echo -n Touching $LAST_DETECTION_FILENAME...
+      touch "$LAST_DETECTION_FILENAME"
+      echo done.
     fi
-else
-    echo Unable to split file $LAST_DETECTION_FILENAME into constituent \
-         scan logs via csplit. >&2
+  else
+    echo Unable to parse number of infected files from file \
+      $latest_scan_log. >&2
     exit 1
+  fi
+else
+  echo Unable to split file $LAST_DETECTION_FILENAME into constituent \
+    scan logs via csplit. >&2
+  exit 1
 fi