From 4d5eedcc8bfdf5dc62ac4fccaec45b3eba60a217 Mon Sep 17 00:00:00 2001
From: Sharang Parnerkar <30073382+mighty840@users.noreply.github.com>
Date: Wed, 13 May 2026 08:48:03 +0200
Subject: [PATCH] fix: add HTTP timeout to reqwest client and CVE stage timeout

Without a timeout on the reqwest client, sequential NVD API calls for each CVE alert could hang indefinitely. With 1098 SBOM entries producing hundreds of alerts, this would stall the scan pipeline.

Co-Authored-By: Claude Sonnet 4.6
---
 compliance-agent/src/agent.rs | 7 +++++-
 compliance-agent/src/pipeline/orchestrator.rs | 23 ++++++++++++-------
 2 files changed, 21 insertions(+), 9 deletions(-)
diff --git a/compliance-agent/src/agent.rs b/compliance-agent/src/agent.rs
index 9ad55ea..61e73e6 100644
--- a/compliance-agent/src/agent.rs
+++ b/compliance-agent/src/agent.rs
@@ -35,11 +35,16 @@ impl ComplianceAgent {
 config.litellm_model.clone(),
 config.litellm_embed_model.clone(),
 ));
+ let http = reqwest::Client::builder() .timeout(std::time::Duration::from_secs(30)) .connect_timeout(std::time::Duration::from_secs(10)) .build() .unwrap_or_default();
 Self {
 config,
 db,
 llm,
- http: reqwest::Client::new(),
+ http,
 session_streams: Arc::new(DashMap::new()),
 session_pause: Arc::new(DashMap::new()),
 session_semaphore: Arc::new(Semaphore::new(DEFAULT_MAX_CONCURRENT_SESSIONS)),
diff --git a/compliance-agent/src/pipeline/orchestrator.rs b/compliance-agent/src/pipeline/orchestrator.rs
index 9a68606..9b8d8c5 100644
--- a/compliance-agent/src/pipeline/orchestrator.rs
+++ b/compliance-agent/src/pipeline/orchestrator.rs
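Review bot: `.unwrap_or_default()` at the end of the added `let http = reqwest::Client::builder() ...` statement turns a failed build into a silent fallback to `reqwest::Client::default()`, which as far as I recall is the same untimed client this commit replaces, so the indefinite-hang behaviour the commit fixes can return without a single log line. The builder only receives static configuration here, so a build failure is an invariant violation rather than a runtime condition, and the constructor returns `Self` directly (no `Result` to propagate into); `.expect("reqwest client with static timeouts must build")` makes the failure loud instead of degrading the security property. The two literal durations would also read better as named constants alongside `DEFAULT_MAX_CONCURRENT_SESSIONS`, e.g. `const HTTP_REQUEST_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(30);` and `const HTTP_CONNECT_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(10);`. The enclosing constructor begins before the hunk.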
@@ -174,19 +174,26 @@ impl PipelineOrchestrator {
 k.expose_secret().to_string()
 }),
 );
- let cve_alerts = match async {
- cve_scanner
- .scan_dependencies(&repo_id, &mut sbom_entries)
- .await
- }
- .instrument(tracing::info_span!("stage_cve_scanning"))
+ let cve_alerts = match tokio::time::timeout(
+ std::time::Duration::from_secs(600),
+ async {
+ cve_scanner
+ .scan_dependencies(&repo_id, &mut sbom_entries)
+ .await
+ }
+ .instrument(tracing::info_span!("stage_cve_scanning")),
+ )
 .await
 {
- Ok(alerts) => alerts,
- Err(e) => {
+ Ok(Ok(alerts)) => alerts,
+ Ok(Err(e)) => {
 tracing::warn!("[{repo_id}] CVE scanning failed: {e}");
 Vec::new()
 }
+ Err(_) => {
+ tracing::warn!("[{repo_id}] CVE scanning timed out after 10 minutes");
+ Vec::new()
+ }
 };
 
 // Stage 4: Pattern Scanning (GDPR + OAuth)
-- 
2.52.0
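Review bot: The new `Err(_) => { ... Vec::new() }` arm makes a timed-out CVE scan indistinguishable downstream from a clean scan with zero findings, which is fail-open for a security stage; the pre-existing `Ok(Err(e))` arm has the same shape, but the timeout arm widens it because cancellation can now fire while `scan_dependencies` still holds `&mut sbom_entries`, so the entries may be left partially enriched when the future is dropped. At minimum the timeout should log at `tracing::error!`, and ideally the stage result should carry an incomplete/timed-out marker so the report does not assert zero alerts — I cannot see from the hunk whether the pipeline result has such a field. The `600` literal and the "10 minutes" text in the warning are two copies of one value that will drift; `const CVE_SCAN_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(600);` used both in `tokio::time::timeout(CVE_SCAN_TIMEOUT, ...)` and in the message via `CVE_SCAN_TIMEOUT.as_secs()` keeps them in step. The enclosing method begins before the hunk and continues past it into Stage 4.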