From e67a13535a26dc7e567e47adbf37f48573859de1 Mon Sep 17 00:00:00 2001
From: Sharang Parnerkar
Date: Wed, 13 May 2026 07:30:26 +0000
Subject: [PATCH] fix: add HTTP timeout to reqwest client and CVE stage timeout (#79)
---
 compliance-agent/src/agent.rs | 7 +++++-
 compliance-agent/src/pipeline/orchestrator.rs | 23 ++++++++++++-------
 2 files changed, 21 insertions(+), 9 deletions(-)
diff --git a/compliance-agent/src/agent.rs b/compliance-agent/src/agent.rs
index 9ad55ea..61e73e6 100644
--- a/compliance-agent/src/agent.rs
+++ b/compliance-agent/src/agent.rs
@@ -35,11 +35,16 @@ impl ComplianceAgent {
 config.litellm_model.clone(),
 config.litellm_embed_model.clone(),
 ));
+ let http = reqwest::Client::builder()
+ .timeout(std::time::Duration::from_secs(30))
+ .connect_timeout(std::time::Duration::from_secs(10))
+ .build()
+ .unwrap_or_default();
 Self {
 config,
 db,
 llm,
- http: reqwest::Client::new(),
+ http,
 session_streams: Arc::new(DashMap::new()),
 session_pause: Arc::new(DashMap::new()),
 session_semaphore: Arc::new(Semaphore::new(DEFAULT_MAX_CONCURRENT_SESSIONS)),
diff --git a/compliance-agent/src/pipeline/orchestrator.rs b/compliance-agent/src/pipeline/orchestrator.rs
index 9a68606..9b8d8c5 100644
--- a/compliance-agent/src/pipeline/orchestrator.rs
+++ b/compliance-agent/src/pipeline/orchestrator.rs
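Review bot: In agent.rs, `.build().unwrap_or_default()` hides a builder failure: the fallback is `reqwest::Client::default()`, which carries none of the timeouts this commit adds, so the agent would run without them and nothing would be logged. Since requests without a deadline are exactly what the fix is closing off, I would make the failure visible, e.g. `.expect("failed to build HTTP client with timeouts")`, or log the error before falling back. Note also that the client-level `.timeout(...)` bounds the whole request including the response body, so any user of `self.http` that streams or downloads large responses needs a per-request override; those callers, like the rest of the constructor, are outside this hunk.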
@@ -174,19 +174,26 @@ impl PipelineOrchestrator {
 k.expose_secret().to_string()
 }),
 );
- let cve_alerts = match async {
- cve_scanner
- .scan_dependencies(&repo_id, &mut sbom_entries)
- .await
- }
- .instrument(tracing::info_span!("stage_cve_scanning"))
+ let cve_alerts = match tokio::time::timeout(
+ std::time::Duration::from_secs(600),
+ async {
+ cve_scanner
+ .scan_dependencies(&repo_id, &mut sbom_entries)
+ .await
+ }
+ .instrument(tracing::info_span!("stage_cve_scanning")),
+ )
 .await
 {
- Ok(alerts) => alerts,
- Err(e) => {
+ Ok(Ok(alerts)) => alerts,
+ Ok(Err(e)) => {
 tracing::warn!("[{repo_id}] CVE scanning failed: {e}");
 Vec::new()
 }
+ Err(_) => {
+ tracing::warn!("[{repo_id}] CVE scanning timed out after 10 minutes");
+ Vec::new()
+ }
 };
 // Stage 4: Pattern Scanning (GDPR + OAuth)
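Review bot: The new `Err(_)` arm turns a timed-out CVE scan into `Vec::new()`, which later stages cannot tell apart from a clean scan with no findings; for a compliance pipeline that is a fail-open result. Dropping the future on timeout also leaves `sbom_entries` in whatever state `scan_dependencies` had reached through its `&mut` borrow, presumably with only some entries updated. I would record the stage as incomplete rather than empty, and at minimum add a comment such as `// Timeout: alerts are unknown, not zero; sbom_entries may be partially updated`. The literal `600` and the "10 minutes" text can drift apart; a named `Duration` constant formatted into the message with `{:?}` avoids that. The enclosing function begins and ends outside this hunk.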