asf-tooling opened a new issue, #1072:
URL: https://github.com/apache/tooling-trusted-releases/issues/1072
**ASVS Level(s):** L2-only
**Description:**
### Summary
The OSV API pagination implementation has no maximum page limit, and
vulnerability detail fetching has no concurrency bounds. Components with
hundreds of vulnerabilities cause hundreds of sequential HTTP requests,
consuming worker resources for extended periods. The pagination while loop has
no iteration limit, and unique vulnerability detail fetching has no total count
or individual timeout limits.
### Details
The issue exists in `atr/sbom/osv.py` lines 227-246 (pagination loop) and
268-283 (detail fetching). Unbounded loops and sequential requests can cause
worker resource exhaustion.
### Recommended Remediation
Add limits to pagination and detail fetching:
```python
import asyncio
import logging

log = logging.getLogger(__name__)

_MAX_PAGINATION_PAGES = 20
_MAX_VULNERABILITIES_PER_COMPONENT = 500
_MAX_VULNERABILITY_DETAILS = 200
_VULNERABILITY_DETAIL_TIMEOUT = 10  # seconds per detail fetch


async def _fetch_vulnerabilities_for_batch(page_token):
    """Fetch vulnerabilities with pagination limits.

    Only `page_token` is shown here; the function's other arguments are
    elided in this sketch.
    """
    page_count = 0
    vulnerability_count = 0
    while page_token:
        page_count += 1
        if page_count > _MAX_PAGINATION_PAGES:
            log.warning(
                f"Reached maximum pagination pages ({_MAX_PAGINATION_PAGES}), "
                f"stopping pagination for component"
            )
            break
        # Fetch page (the existing OSV API call is elided in this sketch)
        vulnerabilities = ...
        vulnerability_count += len(vulnerabilities)
        if vulnerability_count > _MAX_VULNERABILITIES_PER_COMPONENT:
            log.warning(
                f"Component has more than {_MAX_VULNERABILITIES_PER_COMPONENT} "
                f"vulnerabilities, truncating results"
            )
            break
        # Process vulnerabilities
        # ...


async def _fetch_vulnerability_details(unique_ids):
    """Fetch vulnerability details with limits and timeouts."""
    # Truncate unique_ids if too many
    if len(unique_ids) > _MAX_VULNERABILITY_DETAILS:
        log.warning(
            f"Truncating vulnerability detail fetching from {len(unique_ids)} "
            f"to {_MAX_VULNERABILITY_DETAILS}"
        )
        unique_ids = list(unique_ids)[:_MAX_VULNERABILITY_DETAILS]

    # Fetch with timeout per detail; a timed-out fetch yields None instead of
    # stalling the whole batch
    async def fetch_with_timeout(vuln_id: str):
        try:
            return await asyncio.wait_for(
                _fetch_single_vulnerability(vuln_id),
                timeout=_VULNERABILITY_DETAIL_TIMEOUT,
            )
        except asyncio.TimeoutError:
            log.warning(f"Timeout fetching vulnerability {vuln_id}")
            return None

    # Note: gather still starts every remaining task at once; only the count
    # and the per-task timeout are bounded here
    tasks = [fetch_with_timeout(vid) for vid in unique_ids]
    return await asyncio.gather(*tasks, return_exceptions=True)
```
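As an added, self-contained example (not code from the tooling-trusted-releases project), the sketch below applies the same page, count and per-fetch timeout limits against constructed stand-ins for the OSV query and detail endpoints, and goes one step further than the snippet above by also bounding concurrency with a semaphore. `fake_query_page`, `fake_fetch_detail` and every limit value are assumptions made for the example.

```python
import asyncio
import logging

log = logging.getLogger(__name__)

# Constructed stand-in for POST /v1/query: an upstream that never stops paginating.
async def fake_query_page(page_token):
    page = int(page_token or 0)
    return [f"FAKE-{page}-{i}" for i in range(5)], str(page + 1)

# Constructed stand-in for GET /v1/vulns/{id}: every id ending in "-1" stalls.
async def fake_fetch_detail(vuln_id):
    if vuln_id.endswith("-1"):
        await asyncio.sleep(10)
    return {"id": vuln_id}

async def collect_vuln_ids(query_page, max_pages, max_vulns):
    """Bounded pagination: stop at max_pages pages or max_vulns ids, whichever comes first."""
    ids, page_token = [], None
    for _ in range(max_pages):
        page_ids, page_token = await query_page(page_token)
        ids.extend(page_ids)
        if len(ids) >= max_vulns:
            log.warning("truncating component at %d vulnerabilities", max_vulns)
            return ids[:max_vulns]
        if not page_token:
            return ids
    log.warning("stopped pagination after %d pages", max_pages)
    return ids

async def fetch_details(ids, fetch_detail, max_details, max_concurrent, timeout):
    """Cap the detail count, bound concurrency with a semaphore, time out each fetch."""
    unique = list(dict.fromkeys(ids))[:max_details]  # dedupe, keep order, truncate
    sem = asyncio.Semaphore(max_concurrent)
    async def one(vuln_id):
        async with sem:
            try:
                return await asyncio.wait_for(fetch_detail(vuln_id), timeout)
            except asyncio.TimeoutError:
                log.warning("timeout fetching %s", vuln_id)
                return None
    results = await asyncio.gather(*(one(v) for v in unique))
    details = [r for r in results if r is not None]
    return details, len(unique) - len(details)

def run_bounded_scan(max_pages=3, max_vulns=100, max_details=4, max_concurrent=2, timeout=0.05):
    # Synchronous entry point returning counts, so the limits can be asserted on.
    async def scan():
        ids = await collect_vuln_ids(fake_query_page, max_pages, max_vulns)
        details, timed_out = await fetch_details(ids, fake_fetch_detail, max_details, max_concurrent, timeout)
        return {"ids": len(ids), "details": len(details), "timed_out": timed_out}
    return asyncio.run(scan())
```

Against the never-ending fake paginator the page cap ends the loop at 15 ids, the detail cap keeps only 4 of them, and the stalled id is dropped after the timeout instead of holding the worker.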
### Acceptance Criteria
- [ ] Maximum pagination pages limit added (`_MAX_PAGINATION_PAGES`)
- [ ] Maximum vulnerabilities per component limit added (`_MAX_VULNERABILITIES_PER_COMPONENT`)
- [ ] Maximum vulnerability details limit added (`_MAX_VULNERABILITY_DETAILS`)
- [ ] Individual timeout added for detail fetching (`_VULNERABILITY_DETAIL_TIMEOUT`)
- [ ] Warning logs added when limits are reached
- [ ] Unit tests verify limits are enforced
- [ ] Integration tests verify OSV scanning with limits
- [ ] Worker timeout monitoring confirms no hangs
### References
- Source reports: L2:15.2.2.md
- Related findings: FINDING-193
- ASVS sections: 15.2.2
### Priority
Medium