fix: add HTTP timeout to reqwest client and CVE stage timeout #79

Merged
sharang merged 1 commit from fix/cve-scan-http-timeout into main 2026-05-13 07:30:27 +00:00
Summary

  • The reqwest::Client was constructed with no timeout, so any hung NVD/OSV request could stall the scan indefinitely
  • With 1098 SBOM entries producing hundreds of CVE alerts, sequential NVD enrichment calls (called serially in a loop) would hang forever if NVD rate-limited or dropped a connection
  • Adds 30s per-request timeout (10s connect) at the client level
  • Adds 10-minute overall timeout wrapper around the CVE scanning stage as a defense-in-depth so even unexpected hangs can't block the pipeline

Test plan

  • Trigger scan on a large repo (1000+ deps) and verify it progresses past Stage 3 CVE Scanning
  • Verify that scan continues even if NVD/OSV is slow

🤖 Generated with Claude Code
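The two layers this PR describes (a per-request timeout on the HTTP client, plus an overall budget around the serial CVE enrichment stage) as an added stand-alone example, not the project's code: it uses std threads and channels as a stand-in for reqwest/tokio so it runs with no crates, and `fake_nvd_lookup` is a constructed substitute for the real NVD/OSV call.

```rust
use std::sync::mpsc;
use std::thread;
use std::time::{Duration, Instant};

/// Result of enriching one CVE alert (type constructed for this example).
#[derive(Debug, PartialEq)]
pub enum Enrich { Ok(String), RequestTimeout, StageTimeout }

/// Constructed stand-in for an NVD API call; `delay` simulates network latency
/// (or a hung connection when it exceeds the per-request timeout).
fn fake_nvd_lookup(cve: &str, delay: Duration) -> String {
    thread::sleep(delay);
    format!("{}: CVSS data", cve)
}

/// Layer 1: per-request timeout, the role reqwest's `.timeout()` plays in the fix.
/// The call runs on a worker thread and the caller stops waiting after `per_request`.
pub fn lookup_with_timeout(cve: &str, delay: Duration, per_request: Duration) -> Enrich {
    let (tx, rx) = mpsc::channel();
    let cve = cve.to_string();
    thread::spawn(move || {
        let _ = tx.send(fake_nvd_lookup(&cve, delay));
    });
    match rx.recv_timeout(per_request) {
        Ok(data) => Enrich::Ok(data),
        Err(_) => Enrich::RequestTimeout,
    }
}

/// Layer 2: overall stage budget, the role of the 10-minute wrapper in the fix.
/// Alerts are enriched serially; once the budget is spent, the remaining alerts are
/// marked `StageTimeout` and the stage returns instead of stalling the pipeline.
pub fn enrich_stage(alerts: &[(&str, Duration)], per_request: Duration, budget: Duration) -> Vec<Enrich> {
    let deadline = Instant::now() + budget;
    let mut out = Vec::with_capacity(alerts.len());
    for (cve, delay) in alerts {
        let remaining = deadline.saturating_duration_since(Instant::now());
        if remaining.is_zero() {
            out.push(Enrich::StageTimeout);
            continue;
        }
        // A single request may never wait past the end of the stage budget.
        out.push(lookup_with_timeout(cve, *delay, per_request.min(remaining)));
    }
    out
}
```

Per-request failures are recorded per alert rather than aborting the loop, so a single hung NVD response costs one request timeout, and the stage budget bounds the worst case even if many requests hang.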

sharang added 1 commit 2026-05-13 06:48:14 +00:00
fix: add HTTP timeout to reqwest client and CVE stage timeout
CI / Check (pull_request) Successful in 9m39s
CI / Detect Changes (pull_request) Has been skipped
CI / Deploy Agent (pull_request) Has been skipped
CI / Deploy Dashboard (pull_request) Has been skipped
CI / Deploy Docs (pull_request) Has been skipped
CI / Deploy MCP (pull_request) Has been skipped
4d5eedcc8b
Without a timeout on the reqwest client, sequential NVD API calls
for each CVE alert could hang indefinitely. With 1098 SBOM entries
producing hundreds of alerts, this would stall the scan pipeline.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
sharang merged commit e67a13535a into main 2026-05-13 07:30:27 +00:00

Reference: sharang/compliance-scanner-agent#79