Add security-focused pipeline to scan for effective potential malware detection

[pombredanne]

Checking for the possible malware in the actual code would be awesome. This will complement the back-to-source binary analysis of software packages.

There are a few nice things we could add to such a pipeline:

• clamav of course
• https://github.com/DataDog/guarddog by @christophetd and team and is also behind this dataset https://github.com/nexB/vulnerablecode/issues/1406
• https://github.com/intel/cve-bin-tool by @terriko though this is more about package detection but it could complement nicely the work in VulnerableCode
• and likely a few more

[tdruez]

@pombredanne what would be the output of this pipeline? Some kind of report? Attaching extra data to the codebase resource? If this pipeline includes various tools, how do we aggregate those various data output?

[pombredanne]

what would be the output of this pipeline? Some kind of report? Attaching extra data to the codebase resource? If this pipeline includes various tools, how do we aggregate those various data output?

I could envision either of:

• a general purpose "TODO items/Needs attention" data structure that would store the results of running these tools in a semi-structured way, relating a TODO to one or more Resources. It could be simple Resource.extra_data for a start. It could be also used for policy violations, and other "todo" resulting from scans and we could have TODO's types for Malware, Vulnerabilities, Policy violations, License, etc.
• OR, a specific data structure about malware and vulnerabilities that would store the results of malware detection and VulnerableCode vulnerability checks in a more structured way.