ClamAV reporting calibre as being infected with CVE 2017 0141

Bug #1673284 reported by dr who
This bug affects 1 person

Affects: calibre
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

Downloaded calibre from the calibre download page (https://calibre-ebook.com/download_osx). Once calibre is copied to Applications (macOS), ClamAV scans it and reports an infection:

Scanning selected files…

/Applications/calibre.app/Contents/Resources/resources/rapydscript/compiler.js.xz: Html.Exploit.CVE_2017_0141-6003839-0 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 6847967
Engine version: 0.99.2
Scanned directories: 453
Scanned files: 3662
Infected files: 1
Data scanned: 281.73 MB
Data read: 183.86 MB (ratio 1.53:1)
Time: 54.957 sec (0 m 54 s)

False positive or genuine issue?

Eli Schwartz (eschwartz) wrote: Re: [Bug 1673284] [NEW] ClamAV reporting calibre as being infected with CVE 2017 0141

Looks like a reserved ID, though, nothing to see here...
https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0141

Anyway, that file is the bundled rapydscript-to-javascript transpiler
used to build the experimental new server. In the unlikely event that
there is an *actual* vulnerability there (and note that calibre is
open-source and certainly does not deliberately ship vulnerabilities) it
will never be accessed regardless -- unless you use calibre's python
interpreter to rebuild the presumably-modified *.pyj files from the
source code checkout described in the manual under "Setting up a calibre
development environment".

Kovid Goyal (kovid) wrote:

Since the CVE has no information in it, it is impossible for anyone to say if it is genuine or not. Though typically, when a CVE is reserved, it means the entity that reserved it is practicing responsible disclosure -- which means contacting the project maintainers for the project that has the vulnerability. Since I am the project maintainer for rapydscript and I have not been contacted about any security issues in it, I find it unlikely. Most probably, ClamAV is using some heuristic to detect whatever the issue is in that CVE and that heuristic is falsely matching the code in the rapydscript compiler, which is in any case not used during normal calibre operations as Eli points out (all rapydscript files are pre-compiled in calibre binaries).

If and when that CVE is actually disclosed feel free to update this ticket and I will take another look. But I would be very surprised if it were an actual bug in rapydscript.
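As an added example (not part of this bug report, and not ClamAV's or calibre's own code), a small Python triage helper that parses clamscan output like the report above and separates detections already confirmed as false positives from detections that still need review. The allowlist is hypothetical and keyed on both the signature name and the path it is known to fire on, so the same signature on an unexpected path is still flagged; the extra "OK" line in the sample is constructed.

```python
import re

# Constructed sample: the FOUND line and part of the SCAN SUMMARY quoted in the
# report, plus a constructed clean "OK" line (only FOUND lines become findings).
SAMPLE_REPORT = """\
/Applications/calibre.app/Contents/Resources/resources/rapydscript/compiler.js.xz: Html.Exploit.CVE_2017_0141-6003839-0 FOUND
/Applications/calibre.app/Contents/MacOS/calibre: OK
----------- SCAN SUMMARY -----------
Engine version: 0.99.2
Scanned files: 3662
Infected files: 1
Time: 54.957 sec (0 m 54 s)
"""

# Hypothetical local allowlist of detections already triaged as false
# positives: signature name -> path suffix it is known to fire on.
KNOWN_FALSE_POSITIVES = {
    "Html.Exploit.CVE_2017_0141-6003839-0": "rapydscript/compiler.js.xz",
}

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")

def parse_clamscan(text):
    """Return (findings, summary): findings is a list of (path, signature)
    pairs from FOUND lines; summary maps SCAN SUMMARY keys to raw values."""
    findings, summary, in_summary = [], {}, False
    for line in text.splitlines():
        if line.startswith("-----------"):
            in_summary = True          # everything below is the summary block
            continue
        m = SUMMARY_RE.match(line) if in_summary else FOUND_RE.match(line)
        if m and in_summary:
            summary[m["key"]] = m["value"]
        elif m:
            findings.append((m["path"], m["sig"]))
    return findings, summary

def triage(findings, summary, allowlist=KNOWN_FALSE_POSITIVES):
    """Partition findings into (needs_review, known_fp); a finding is a known
    false positive only if both signature name and path suffix match."""
    needs_review, known_fp = [], []
    for path, sig in findings:
        suffix = allowlist.get(sig)
        bucket = known_fp if suffix and path.endswith(suffix) else needs_review
        bucket.append((path, sig))
    # Cross-check: the summary's count must equal the number of FOUND lines.
    if int(summary.get("Infected files", "0")) != len(findings):
        raise ValueError("Infected files count does not match FOUND lines")
    return needs_review, known_fp
```

Confirming the file is the unmodified upstream artifact (for example by comparing its hash with a fresh download) is still the deciding step before an entry goes into the allowlist.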

Changed in calibre:
status: New → Invalid