fix: scanner timeouts, semgrep memory cap, syft remote lookups, Script error #78
@@ -19,26 +19,33 @@ impl Scanner for GitleaksScanner {
|
|||||||
|
|
||||||
#[tracing::instrument(skip_all)]
|
#[tracing::instrument(skip_all)]
|
||||||
async fn scan(&self, repo_path: &Path, repo_id: &str) -> Result<ScanOutput, CoreError> {
|
async fn scan(&self, repo_path: &Path, repo_id: &str) -> Result<ScanOutput, CoreError> {
|
||||||
let output = tokio::process::Command::new("gitleaks")
|
let output = tokio::time::timeout(
|
||||||
.args([
|
std::time::Duration::from_secs(300),
|
||||||
"detect",
|
tokio::process::Command::new("gitleaks")
|
||||||
"--source",
|
.args([
|
||||||
".",
|
"detect",
|
||||||
"--report-format",
|
"--source",
|
||||||
"json",
|
".",
|
||||||
"--report-path",
|
"--report-format",
|
||||||
"/dev/stdout",
|
"json",
|
||||||
"--no-banner",
|
"--report-path",
|
||||||
"--exit-code",
|
"/dev/stdout",
|
||||||
"0",
|
"--no-banner",
|
||||||
])
|
"--exit-code",
|
||||||
.current_dir(repo_path)
|
"0",
|
||||||
.output()
|
])
|
||||||
.await
|
.current_dir(repo_path)
|
||||||
.map_err(|e| CoreError::Scanner {
|
.output(),
|
||||||
scanner: "gitleaks".to_string(),
|
)
|
||||||
source: Box::new(e),
|
.await
|
||||||
})?;
|
.map_err(|_| CoreError::Scanner {
|
||||||
|
scanner: "gitleaks".to_string(),
|
||||||
|
source: "timed out after 5 minutes".into(),
|
||||||
|
})?
|
||||||
|
.map_err(|e| CoreError::Scanner {
|
||||||
|
scanner: "gitleaks".to_string(),
|
||||||
|
source: Box::new(e),
|
||||||
|
})?;
|
||||||
|
|
||||||
if output.stdout.is_empty() {
|
if output.stdout.is_empty() {
|
||||||
return Ok(ScanOutput::default());
|
return Ok(ScanOutput::default());
|
||||||
|
|||||||
@@ -5,20 +5,22 @@ use compliance_core::CoreError;
|
|||||||
|
|
||||||
#[tracing::instrument(skip_all, fields(repo_id = %repo_id))]
|
#[tracing::instrument(skip_all, fields(repo_id = %repo_id))]
|
||||||
pub(super) async fn run_syft(repo_path: &Path, repo_id: &str) -> Result<Vec<SbomEntry>, CoreError> {
|
pub(super) async fn run_syft(repo_path: &Path, repo_id: &str) -> Result<Vec<SbomEntry>, CoreError> {
|
||||||
let output = tokio::process::Command::new("syft")
|
let output = tokio::time::timeout(
|
||||||
.arg(repo_path)
|
std::time::Duration::from_secs(300),
|
||||||
.args(["-o", "cyclonedx-json"])
|
tokio::process::Command::new("syft")
|
||||||
// Enable remote license lookups for all ecosystems
|
.arg(repo_path)
|
||||||
.env("SYFT_GOLANG_SEARCH_REMOTE_LICENSES", "true")
|
.args(["-o", "cyclonedx-json"])
|
||||||
.env("SYFT_JAVASCRIPT_SEARCH_REMOTE_LICENSES", "true")
|
.output(),
|
||||||
.env("SYFT_PYTHON_SEARCH_REMOTE_LICENSES", "true")
|
)
|
||||||
.env("SYFT_JAVA_USE_NETWORK", "true")
|
.await
|
||||||
.output()
|
.map_err(|_| CoreError::Scanner {
|
||||||
.await
|
scanner: "syft".to_string(),
|
||||||
.map_err(|e| CoreError::Scanner {
|
source: "timed out after 5 minutes".into(),
|
||||||
scanner: "syft".to_string(),
|
})?
|
||||||
source: Box::new(e),
|
.map_err(|e| CoreError::Scanner {
|
||||||
})?;
|
scanner: "syft".to_string(),
|
||||||
|
source: Box::new(e),
|
||||||
|
})?;
|
||||||
|
|
||||||
if !output.status.success() {
|
if !output.status.success() {
|
||||||
let stderr = String::from_utf8_lossy(&output.stderr);
|
let stderr = String::from_utf8_lossy(&output.stderr);
|
||||||
|
|||||||
@@ -19,15 +19,30 @@ impl Scanner for SemgrepScanner {
|
|||||||
|
|
||||||
#[tracing::instrument(skip_all)]
|
#[tracing::instrument(skip_all)]
|
||||||
async fn scan(&self, repo_path: &Path, repo_id: &str) -> Result<ScanOutput, CoreError> {
|
async fn scan(&self, repo_path: &Path, repo_id: &str) -> Result<ScanOutput, CoreError> {
|
||||||
let output = tokio::process::Command::new("semgrep")
|
let output = tokio::time::timeout(
|
||||||
.args(["--config=auto", "--json", "--quiet"])
|
std::time::Duration::from_secs(600),
|
||||||
.arg(repo_path)
|
tokio::process::Command::new("semgrep")
|
||||||
.output()
|
.args([
|
||||||
.await
|
"--config=auto",
|
||||||
.map_err(|e| CoreError::Scanner {
|
"--json",
|
||||||
scanner: "semgrep".to_string(),
|
"--quiet",
|
||||||
source: Box::new(e),
|
"--max-memory",
|
||||||
})?;
|
"500",
|
||||||
|
"--jobs",
|
||||||
|
"1",
|
||||||
|
])
|
||||||
|
.arg(repo_path)
|
||||||
|
.output(),
|
||||||
|
)
|
||||||
|
.await
|
||||||
|
.map_err(|_| CoreError::Scanner {
|
||||||
|
scanner: "semgrep".to_string(),
|
||||||
|
source: "timed out after 10 minutes".into(),
|
||||||
|
})?
|
||||||
|
.map_err(|e| CoreError::Scanner {
|
||||||
|
scanner: "semgrep".to_string(),
|
||||||
|
source: Box::new(e),
|
||||||
|
})?;
|
||||||
|
|
||||||
if !output.status.success() && output.stdout.is_empty() {
|
if !output.status.success() && output.stdout.is_empty() {
|
||||||
let stderr = String::from_utf8_lossy(&output.stderr);
|
let stderr = String::from_utf8_lossy(&output.stderr);
|
||||||
|
|||||||
@@ -32,7 +32,7 @@ pub fn AppShell() -> Element {
|
|||||||
// Not authenticated — redirect to Keycloak login
|
// Not authenticated — redirect to Keycloak login
|
||||||
rsx! {
|
rsx! {
|
||||||
document::Script {
|
document::Script {
|
||||||
dangerous_inner_html: "window.location.href = '/auth';"
|
"window.location.href = '/auth';"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user