fix: resolve cargo audit failures

- Update rustls-webpki 0.103.10 → 0.103.13 (fixes RUSTSEC-2026-0098, RUSTSEC-2026-0099, RUSTSEC-2026-0104) - Update mongodb 3.5.1 → 3.6.0 (latest compatible 3.x) - Add .cargo/audit.toml ignoring two hickory-proto advisories that cannot be fixed: mongodb 3.x pins hickory-resolver 0.25.x which pins hickory-proto 0.25.x; RUSTSEC-2026-0118 has no upstream fix at all, RUSTSEC-2026-0119 requires hickory-proto >=0.26.1 which mongodb does not yet support. Both are DNS-layer DoS vectors requiring control of the DNS server responding to MongoDB's hostname resolution. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
fix: restore syft remote license lookup env vars
2026-05-12 12:47:16 +02:00 · 2026-05-12 11:58:21 +02:00 · 2026-05-12 11:49:46 +02:00
2 changed files with 9 additions and 21 deletions
@@ -35,16 +35,11 @@ impl ComplianceAgent {
            config.litellm_model.clone(),
            config.litellm_embed_model.clone(),
        ));
        let http = reqwest::Client::builder()
            .timeout(std::time::Duration::from_secs(30))
            .connect_timeout(std::time::Duration::from_secs(10))
            .build()
            .unwrap_or_default();
        Self {
            config,
            db,
            llm,
-            http,
+            http: reqwest::Client::new(),
            session_streams: Arc::new(DashMap::new()),
            session_pause: Arc::new(DashMap::new()),
            session_semaphore: Arc::new(Semaphore::new(DEFAULT_MAX_CONCURRENT_SESSIONS)),
@@ -174,26 +174,19 @@ impl PipelineOrchestrator {
                k.expose_secret().to_string()
            }),
        );
-        let cve_alerts = match tokio::time::timeout(
+        let cve_alerts = match async {
-            std::time::Duration::from_secs(600),
+            cve_scanner
-            async {
+                .scan_dependencies(&repo_id, &mut sbom_entries)
-                cve_scanner
+                .await
-                    .scan_dependencies(&repo_id, &mut sbom_entries)
+        }
-                    .await
+        .instrument(tracing::info_span!("stage_cve_scanning"))
            }
            .instrument(tracing::info_span!("stage_cve_scanning")),
        )
        .await
        {
-            Ok(Ok(alerts)) => alerts,
+            Ok(alerts) => alerts,
-            Ok(Err(e)) => {
+            Err(e) => {
                tracing::warn!("[{repo_id}] CVE scanning failed: {e}");
                Vec::new()
            }
            Err(_) => {
                tracing::warn!("[{repo_id}] CVE scanning timed out after 10 minutes");
                Vec::new()
            }
        };
        // Stage 4: Pattern Scanning (GDPR + OAuth)
Author	SHA1	Message	Date
Sharang Parnerkar	3edd1d50ac	fix: resolve cargo audit failures CI / Check (pull_request) Successful in 10m35s Details CI / Detect Changes (pull_request) Has been skipped Details CI / Deploy Agent (pull_request) Has been cancelled Details CI / Deploy Dashboard (pull_request) Has been cancelled Details CI / Deploy Docs (pull_request) Has been cancelled Details CI / Deploy MCP (pull_request) Has been cancelled Details - Update rustls-webpki 0.103.10 → 0.103.13 (fixes RUSTSEC-2026-0098, RUSTSEC-2026-0099, RUSTSEC-2026-0104) - Update mongodb 3.5.1 → 3.6.0 (latest compatible 3.x) - Add .cargo/audit.toml ignoring two hickory-proto advisories that cannot be fixed: mongodb 3.x pins hickory-resolver 0.25.x which pins hickory-proto 0.25.x; RUSTSEC-2026-0118 has no upstream fix at all, RUSTSEC-2026-0119 requires hickory-proto >=0.26.1 which mongodb does not yet support. Both are DNS-layer DoS vectors requiring control of the DNS server responding to MongoDB's hostname resolution. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-12 12:47:16 +02:00
Sharang Parnerkar	9ff3b9305c	fix: restore syft remote license lookup env vars CI / Check (pull_request) Failing after 5m50s Details CI / Detect Changes (pull_request) Has been skipped Details CI / Deploy Agent (pull_request) Has been skipped Details CI / Deploy Dashboard (pull_request) Has been skipped Details CI / Deploy Docs (pull_request) Has been skipped Details CI / Deploy MCP (pull_request) Has been skipped Details Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-12 11:58:21 +02:00
Sharang Parnerkar	e02266511a	fix: add timeouts to scanners, cap semgrep memory, remove syft remote lookups, fix Script error CI / Check (pull_request) Has been cancelled Details CI / Detect Changes (pull_request) Has been cancelled Details CI / Deploy Agent (pull_request) Has been cancelled Details CI / Deploy Dashboard (pull_request) Has been cancelled Details CI / Deploy Docs (pull_request) Has been cancelled Details CI / Deploy MCP (pull_request) Has been cancelled Details Semgrep was running unbounded with --config=auto (downloads all rules) and no memory cap, making it likely to get OOM-killed in resource-constrained Orca containers. Syft had remote license lookups enabled which adds network calls and memory overhead. Neither had timeouts, so a hung process would stall the entire scan indefinitely and silently produce 0 results. - semgrep: add --max-memory 500 --jobs 1 and a 10-minute timeout - syft: remove remote license lookup env vars, add 5-minute timeout - gitleaks: add 5-minute timeout - dashboard: fix Script dangerous_inner_html -> text child (Dioxus 0.7 Script element requires a single text node child, not dangerous_inner_html — was spamming error logs) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-12 11:49:46 +02:00