asf-tooling opened a new issue, #1074:
URL: https://github.com/apache/tooling-trusted-releases/issues/1074
**ASVS Level(s):** L2-only
**Description:**
### Summary
SBOM conformance checking makes N sequential HTTP requests to `api.deps.dev`
with only aiohttp's default 300-second timeout. No explicit timeout or request
count limit is configured. SBOMs with 50 components result in 50 sequential API
calls, each waiting up to 300s.
### Details
The issue exists in `atr/sbom/conformance.py` lines 30-120. HTTP requests to
deps.dev API are made without explicit timeout configuration or request count
limits.
### Recommended Remediation
Add timeout and request count limits:
```python
import asyncio
import logging

import aiohttp

from atr import util  # project helper providing create_secure_session; import path assumed

log = logging.getLogger(__name__)

_HTTP_TIMEOUT = aiohttp.ClientTimeout(total=10)
_MAX_SUPPLIER_LOOKUPS = 50


async def check_conformance(sbom: dict) -> dict:
    """Check SBOM conformance with limits."""
    components = sbom.get("components", [])
    # Limit supplier lookups
    if len(components) > _MAX_SUPPLIER_LOOKUPS:
        log.warning(
            f"SBOM has {len(components)} components, "
            f"limiting supplier lookups to {_MAX_SUPPLIER_LOOKUPS}"
        )
        components = components[:_MAX_SUPPLIER_LOOKUPS]
    async with util.create_secure_session(timeout=_HTTP_TIMEOUT) as session:
        for component in components:
            try:
                # Lookup with timeout; the session-level ClientTimeout bounds each request
                async with session.get(
                    f"https://api.deps.dev/v3alpha/purl/{component['purl']}"
                ) as response:
                    supplier_info = await response.json()
            except asyncio.TimeoutError:
                log.warning(f"Timeout looking up supplier for {component['purl']}")
                continue
            # Process supplier info
            # ...
```
### Acceptance Criteria
- [ ] HTTP timeout added (_HTTP_TIMEOUT = 10 seconds)
- [ ] Request count limit added (_MAX_SUPPLIER_LOOKUPS = 50)
- [ ] Timeout applied to all deps.dev API requests
- [ ] Warning logged when limits are reached
- [ ] Unit tests verify timeout enforcement
- [ ] Unit tests verify request count limit
- [ ] Integration tests verify conformance checking with limits
- [ ] Worker timeout monitoring confirms no hangs
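The acceptance criteria above ask for tests of timeout enforcement and the request count limit. As an added example (not the project's code), the lookup loop below takes the upstream call as an injected coroutine, so both limits can be exercised offline; the function names, the per-lookup `asyncio.wait_for` and the constructed SBOM fragment are assumptions for illustration.

```python
import asyncio
import logging
from typing import Awaitable, Callable, Optional

log = logging.getLogger(__name__)

# Limits mirroring the issue's recommendation.
LOOKUP_TIMEOUT_S = 10.0
MAX_SUPPLIER_LOOKUPS = 50

async def lookup_suppliers(components: list, lookup: Callable[[str], Awaitable[Optional[dict]]],
                           timeout_s: float = LOOKUP_TIMEOUT_S,
                           max_lookups: int = MAX_SUPPLIER_LOOKUPS) -> dict:
    """Resolve supplier info per component, bounded in request count and time.

    `lookup` is an injected coroutine (a real client would call api.deps.dev);
    injecting it lets the limits be tested with no network access.
    """
    if len(components) > max_lookups:
        log.warning("SBOM has %d components, limiting supplier lookups to %d",
                    len(components), max_lookups)
        components = components[:max_lookups]
    results, timed_out = {}, []
    for component in components:
        purl = component["purl"]
        try:
            # wait_for cancels the lookup once the deadline passes, so one
            # unresponsive upstream cannot stall the whole conformance check.
            results[purl] = await asyncio.wait_for(lookup(purl), timeout=timeout_s)
        except asyncio.TimeoutError:
            log.warning("Timeout looking up supplier for %s", purl)
            timed_out.append(purl)
            results[purl] = None
    return {"looked_up": len(components), "timed_out": timed_out, "results": results}

def worst_case_seconds(n_components: int, timeout_s: float, max_lookups: int) -> float:
    """Upper bound on wall time for the sequential lookup loop under the limits."""
    return min(n_components, max_lookups) * timeout_s

async def _hanging_lookup(purl: str) -> Optional[dict]:
    """Constructed stand-in for an upstream that never answers."""
    await asyncio.sleep(3600)
    return None

def run_demo() -> dict:
    # Constructed SBOM fragment: three components that will never resolve.
    components = [{"purl": f"pkg:pypi/example{i}@1.0"} for i in range(3)]
    return asyncio.run(lookup_suppliers(components, _hanging_lookup, timeout_s=0.05, max_lookups=2))
```

With the issue's numbers, `worst_case_seconds` drops the bound for a 50-component SBOM from 50 × 300 s to 50 × 10 s.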
### References
- Source reports: L2:15.2.2.md
- Related findings: FINDING-193
- ASVS sections: 15.2.2
### Priority
Medium
---
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.