asf-tooling opened a new issue, #1061:
URL: https://github.com/apache/tooling-trusted-releases/issues/1061

   **ASVS Level(s):** L2-only
   
   **Description:**
   
   ### Summary
   The OSV vulnerability scanning functionality makes external HTTP requests to 
`api.osv.dev` without specifying timeouts. The codebase provides a 
`create_secure_session()` utility that accepts an optional `timeout` parameter, 
but OSV scanning does not use it. This can cause worker processes to hang if 
the OSV API is slow or unresponsive, leading to worker starvation and task 
failures. Worker process isolation and the worker manager's 300s timeout backstop 
provide some protection but are coarse-grained.
   
   ### Details
   The issue exists in `atr/sbom/osv.py` in the `scan_bundle()`, 
`_fetch_vulnerabilities_for_batch()`, and `_fetch_vulnerability_details()` 
functions. HTTP requests are made without explicit timeout configuration.
   
   ### Recommended Remediation
   Apply timeout to session creation:
   
   ```python
   import aiohttp
   from atr import util
   
   # One shared timeout policy for all OSV calls: fail the whole request after
   # 60s, and give up on establishing the connection after 10s.
   _OSV_REQUEST_TIMEOUT = aiohttp.ClientTimeout(total=60, connect=10)
   
   async def scan_bundle(...):
       async with util.create_secure_session(timeout=_OSV_REQUEST_TIMEOUT) as session:
           ...  # make requests with session
   
   async def _fetch_vulnerabilities_for_batch(...):
       async with util.create_secure_session(timeout=_OSV_REQUEST_TIMEOUT) as session:
           ...  # make requests with session
   
   async def _fetch_vulnerability_details(...):
       async with util.create_secure_session(timeout=_OSV_REQUEST_TIMEOUT) as session:
           ...  # make requests with session
   ```
   
   Apply the same fix to:
   - Distribution platform checks (`atr/shared/distribution.py`)
   - Apache metadata sources (`atr/datasources/apache.py`)
   - GitHub API (`atr/tasks/gha.py`)
   - Thread messages (`atr/util.py`)
   
   ### Acceptance Criteria
   - [ ] Timeout added to OSV scanning HTTP requests
   - [ ] Timeout added to distribution platform checks
   - [ ] Timeout added to Apache metadata sources
   - [ ] Timeout added to GitHub API requests
   - [ ] Timeout added to thread message fetching
   - [ ] Unit tests verify timeout enforcement
   - [ ] Integration tests verify graceful timeout handling
   - [ ] Worker process monitoring confirms no hangs
   
   ### References
   - Source reports: L2:15.1.3.md
   - Related findings: FINDING-052, FINDING-195, FINDING-056, FINDING-204
   - ASVS sections: 15.1.3
   - CWE: CWE-400
   
   ### Priority
   Medium
   
   ---
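The failure mode the issue describes, as an added, self-contained example (standard library only, not code from the tooling-trusted-releases project or its `create_secure_session()` helper): a constructed local endpoint stands in for a stalled `api.osv.dev`, accepting the connection and then never answering. `fetch()` applies a connect deadline and a total deadline (the same two knobs as `aiohttp.ClientTimeout(total=..., connect=...)`) and turns a timeout into a structured failure the caller can log and skip, instead of a worker that hangs until the 300s backstop kills it. Function names, the `FetchResult` type and the `/v1/querybatch` path are assumptions made for the demo.

```python
"""Bounded-timeout outbound fetch demo (added example, standard library only)."""
import asyncio
from dataclasses import dataclass


@dataclass
class FetchResult:
    ok: bool
    body: bytes
    error: str


async def _stalled_handler(reader, writer):
    # Constructed "unresponsive API": consume the request until the client
    # hangs up, never sending a byte back. A client with no timeout would
    # block here forever.
    await reader.read()
    writer.close()


async def _healthy_handler(reader, writer):
    # Constructed "healthy API": read the request line, answer with an empty
    # JSON list, and close the connection.
    await reader.readline()
    writer.write(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\n[]")
    await writer.drain()
    writer.close()


async def fetch(host: str, port: int, path: str,
                connect_timeout: float, total_timeout: float) -> FetchResult:
    """GET `path` with a connect deadline and an overall deadline.

    Mirrors the two ClientTimeout fields from the issue: `connect_timeout`
    bounds connection establishment, `total_timeout` bounds the whole call.
    """
    async def _do() -> bytes:
        reader, writer = await asyncio.wait_for(
            asyncio.open_connection(host, port), connect_timeout)
        try:
            request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            writer.write(request.encode())
            await writer.drain()
            return await reader.read()  # until the server closes
        finally:
            writer.close()

    try:
        body = await asyncio.wait_for(_do(), total_timeout)
        return FetchResult(True, body, "")
    except asyncio.TimeoutError:
        # Graceful handling: report and let the caller decide (retry, skip,
        # mark the scan incomplete) rather than wedging the worker.
        return FetchResult(False, b"", f"timed out after {total_timeout}s")
    except OSError as exc:
        return FetchResult(False, b"", f"connection error: {exc}")


async def _run(handler, total_timeout: float) -> FetchResult:
    # Start the constructed endpoint on an ephemeral port, call it, tear down.
    server = await asyncio.start_server(handler, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    try:
        return await fetch("127.0.0.1", port, "/v1/querybatch",
                           connect_timeout=1.0, total_timeout=total_timeout)
    finally:
        server.close()
        await server.wait_closed()


def demo_stalled() -> FetchResult:
    """Call the stalled endpoint with a 0.5s total deadline: fails fast."""
    return asyncio.run(_run(_stalled_handler, 0.5))


def demo_healthy() -> FetchResult:
    """Call the healthy endpoint: completes well inside the deadline."""
    return asyncio.run(_run(_healthy_handler, 5.0))


if __name__ == "__main__":
    print(demo_stalled())
    print(demo_healthy())
```

Because `wait_for` cancels the inner coroutine on timeout, the `finally` block closes the socket, so the stalled server sees EOF and its handler exits; that is the unit-test shape the acceptance criteria ask for (a deliberately unresponsive peer plus an assertion that the call returns within the deadline).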


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

