feat!(detector): timeout can be set, default is no timeout (#2185)

* feat!(detector): timeout can be set, default is no timeout

* fix(detector/cve): fix typo

Co-authored-by: Shunichi Shinohara <[email protected]>

* fix(detector): correct log msg

---------

Co-authored-by: Shunichi Shinohara <[email protected]>

Author: MaineK00n

config/vulnDictConf.go

@@ -39,6 +39,12 @@ type VulnDict struct {
 	SQLite3Path string
 
 	DebugSQL bool
+
+	// Timeout for entire request (type: http only)
+	TimeoutSec uint
+
+	// Timeout for each request (type: http only)
+	TimeoutSecPerRequest uint
 }
 
 // GetType returns type

detector/cti.go

@@ -146,7 +146,10 @@ func getCTIsViaHTTP(cveIDs []string, urlPrefix string) (responses []ctiResponse,
 		}
 	}
 
-	timeout := time.After(2 * 60 * time.Second)
+	var timeout <-chan time.Time
+	if config.Conf.Cti.TimeoutSec > 0 {
+		timeout = time.After(time.Duration(config.Conf.Cti.TimeoutSec) * time.Second)
+	}
 	var errs []error
 	for i := 0; i < nReq; i++ {
 		select {
@@ -174,8 +177,11 @@ func httpGetCTI(url string, req ctiRequest, resChan chan<- ctiResponse, errChan
 	var resp *http.Response
 	count, retryMax := 0, 3
 	f := func() (err error) {
-		//  resp, body, errs = gorequest.New().SetDebug(config.Conf.Debug).Get(url).End()
-		resp, body, errs = gorequest.New().Timeout(10 * time.Second).Get(url).End()
+		req := gorequest.New().Get(url)
+		if config.Conf.Cti.TimeoutSecPerRequest > 0 {
+			req = req.Timeout(time.Duration(config.Conf.Cti.TimeoutSecPerRequest) * time.Second)
+		}
+		resp, body, errs = req.End()
 		if 0 < len(errs) || resp == nil || resp.StatusCode != 200 {
 			count++
 			if count == retryMax {
@@ -186,7 +192,7 @@ func httpGetCTI(url string, req ctiRequest, resChan chan<- ctiResponse, errChan
 		return nil
 	}
 	notify := func(err error, t time.Duration) {
-		logging.Log.Warnf("Failed to HTTP GET. retrying in %s seconds. err: %+v", t, err)
+		logging.Log.Warnf("Failed to HTTP GET. retrying in %f seconds. err: %+v", t.Seconds(), err)
 	}
 	if err := backoff.RetryNotify(f, backoff.NewExponentialBackOff(), notify); err != nil {
 		errChan <- xerrors.Errorf("HTTP Error %w", err)

detector/cve_client.go

@@ -80,7 +80,10 @@ func (client goCveDictClient) fetchCveDetails(cveIDs []string) (cveDetails []cve
 			}
 		}
 
-		timeout := time.After(2 * 60 * time.Second)
+		var timeout <-chan time.Time
+		if config.Conf.CveDict.TimeoutSec > 0 {
+			timeout = time.After(time.Duration(config.Conf.CveDict.TimeoutSec) * time.Second)
+		}
 		var errs []error
 		for range cveIDs {
 			select {
@@ -113,15 +116,19 @@ func httpGet(key, url string, resChan chan<- response, errChan chan<- error) {
 	var errs []error
 	var resp *http.Response
 	f := func() (err error) {
-		resp, body, errs = gorequest.New().Timeout(10 * time.Second).Get(url).End()
+		req := gorequest.New().Get(url)
+		if config.Conf.CveDict.TimeoutSecPerRequest > 0 {
+			req = req.Timeout(time.Duration(config.Conf.CveDict.TimeoutSecPerRequest) * time.Second)
+		}
+		resp, body, errs = req.End()
 		if 0 < len(errs) || resp == nil || resp.StatusCode != 200 {
 			return xerrors.Errorf("HTTP GET Error, url: %s, resp: %v, err: %+v",
 				url, resp, errs)
 		}
 		return nil
 	}
 	notify := func(err error, t time.Duration) {
-		logging.Log.Warnf("Failed to HTTP GET. retrying in %s seconds. err: %+v", t, err)
+		logging.Log.Warnf("Failed to HTTP GET. retrying in %f seconds. err: %+v", t.Seconds(), err)
 	}
 	err := backoff.RetryNotify(f, backoff.NewExponentialBackOff(), notify)
 	if err != nil {
@@ -177,7 +184,10 @@ func httpPost(url string, query map[string]string) ([]cvemodels.CveDetail, error
 	var errs []error
 	var resp *http.Response
 	f := func() (err error) {
-		req := gorequest.New().Timeout(10 * time.Second).Post(url)
+		req := gorequest.New().Post(url)
+		if config.Conf.CveDict.TimeoutSecPerRequest > 0 {
+			req = req.Timeout(time.Duration(config.Conf.CveDict.TimeoutSecPerRequest) * time.Second)
+		}
 		for key := range query {
 			req = req.Send(fmt.Sprintf("%s=%s", key, query[key])).Type("json")
 		}
@@ -188,7 +198,7 @@ func httpPost(url string, query map[string]string) ([]cvemodels.CveDetail, error
 		return nil
 	}
 	notify := func(err error, t time.Duration) {
-		logging.Log.Warnf("Failed to HTTP POST. retrying in %s seconds. err: %+v", t, err)
+		logging.Log.Warnf("Failed to HTTP POST. retrying in %f seconds. err: %+v", t.Seconds(), err)
 	}
 	err := backoff.RetryNotify(f, backoff.NewExponentialBackOff(), notify)
 	if err != nil {

detector/exploitdb.go

@@ -181,7 +181,10 @@ func getExploitsViaHTTP(cveIDs []string, urlPrefix string) (
 		}
 	}
 
-	timeout := time.After(2 * 60 * time.Second)
+	var timeout <-chan time.Time
+	if config.Conf.Exploit.TimeoutSec > 0 {
+		timeout = time.After(time.Duration(config.Conf.Exploit.TimeoutSec) * time.Second)
+	}
 	var errs []error
 	for i := 0; i < nReq; i++ {
 		select {
@@ -209,8 +212,11 @@ func httpGetExploit(url string, req exploitRequest, resChan chan<- exploitRespon
 	var resp *http.Response
 	count, retryMax := 0, 3
 	f := func() (err error) {
-		//  resp, body, errs = gorequest.New().SetDebug(config.Conf.Debug).Get(url).End()
-		resp, body, errs = gorequest.New().Timeout(10 * time.Second).Get(url).End()
+		req := gorequest.New().Get(url)
+		if config.Conf.Exploit.TimeoutSecPerRequest > 0 {
+			req = req.Timeout(time.Duration(config.Conf.Exploit.TimeoutSecPerRequest) * time.Second)
+		}
+		resp, body, errs = req.End()
 		if 0 < len(errs) || resp == nil || resp.StatusCode != 200 {
 			count++
 			if count == retryMax {
@@ -221,7 +227,7 @@ func httpGetExploit(url string, req exploitRequest, resChan chan<- exploitRespon
 		return nil
 	}
 	notify := func(err error, t time.Duration) {
-		logging.Log.Warnf("Failed to HTTP GET. retrying in %s seconds. err: %+v", t, err)
+		logging.Log.Warnf("Failed to HTTP GET. retrying in %f seconds. err: %+v", t.Seconds(), err)
 	}
 	err := backoff.RetryNotify(f, backoff.NewExponentialBackOff(), notify)
 	if err != nil {

detector/kevuln.go

@@ -276,7 +276,10 @@ func getKEVulnsViaHTTP(cveIDs []string, urlPrefix string) (
 		}
 	}
 
-	timeout := time.After(2 * 60 * time.Second)
+	var timeout <-chan time.Time
+	if config.Conf.KEVuln.TimeoutSec > 0 {
+		timeout = time.After(time.Duration(config.Conf.KEVuln.TimeoutSec) * time.Second)
+	}
 	var errs []error
 	for i := 0; i < nReq; i++ {
 		select {
@@ -304,8 +307,11 @@ func httpGetKEVuln(url string, req kevulnRequest, resChan chan<- kevulnResponse,
 	var resp *http.Response
 	count, retryMax := 0, 3
 	f := func() (err error) {
-		//  resp, body, errs = gorequest.New().SetDebug(config.Conf.Debug).Get(url).End()
-		resp, body, errs = gorequest.New().Timeout(10 * time.Second).Get(url).End()
+		req := gorequest.New().Get(url)
+		if config.Conf.KEVuln.TimeoutSecPerRequest > 0 {
+			req = req.Timeout(time.Duration(config.Conf.KEVuln.TimeoutSecPerRequest) * time.Second)
+		}
+		resp, body, errs = req.End()
 		if 0 < len(errs) || resp == nil || resp.StatusCode != 200 {
 			count++
 			if count == retryMax {
@@ -316,7 +322,7 @@ func httpGetKEVuln(url string, req kevulnRequest, resChan chan<- kevulnResponse,
 		return nil
 	}
 	notify := func(err error, t time.Duration) {
-		logging.Log.Warnf("Failed to HTTP GET. retrying in %s seconds. err: %+v", t, err)
+		logging.Log.Warnf("Failed to HTTP GET. retrying in %f seconds. err: %+v", t.Seconds(), err)
 	}
 	err := backoff.RetryNotify(f, backoff.NewExponentialBackOff(), notify)
 	if err != nil {

detector/msf.go

@@ -147,7 +147,10 @@ func getMetasploitsViaHTTP(cveIDs []string, urlPrefix string) (
 		}
 	}
 
-	timeout := time.After(2 * 60 * time.Second)
+	var timeout <-chan time.Time
+	if config.Conf.Metasploit.TimeoutSec > 0 {
+		timeout = time.After(time.Duration(config.Conf.Metasploit.TimeoutSec) * time.Second)
+	}
 	var errs []error
 	for i := 0; i < nReq; i++ {
 		select {
@@ -175,8 +178,11 @@ func httpGetMetasploit(url string, req metasploitRequest, resChan chan<- metaspl
 	var resp *http.Response
 	count, retryMax := 0, 3
 	f := func() (err error) {
-		//  resp, body, errs = gorequest.New().SetDebug(config.Conf.Debug).Get(url).End()
-		resp, body, errs = gorequest.New().Timeout(10 * time.Second).Get(url).End()
+		req := gorequest.New().Get(url)
+		if config.Conf.Metasploit.TimeoutSecPerRequest > 0 {
+			req = req.Timeout(time.Duration(config.Conf.Metasploit.TimeoutSecPerRequest) * time.Second)
+		}
+		resp, body, errs = req.End()
 		if 0 < len(errs) || resp == nil || resp.StatusCode != 200 {
 			count++
 			if count == retryMax {
@@ -187,7 +193,7 @@ func httpGetMetasploit(url string, req metasploitRequest, resChan chan<- metaspl
 		return nil
 	}
 	notify := func(err error, t time.Duration) {
-		logging.Log.Warnf("Failed to HTTP GET. retrying in %s seconds. err: %+v", t, err)
+		logging.Log.Warnf("Failed to HTTP GET. retrying in %f seconds. err: %+v", t.Seconds(), err)
 	}
 	err := backoff.RetryNotify(f, backoff.NewExponentialBackOff(), notify)
 	if err != nil {

gost/microsoft.go

@@ -18,6 +18,7 @@ import (
 	"github.com/parnurzeal/gorequest"
 	"golang.org/x/xerrors"
 
+	"github.com/future-architect/vuls/config"
 	"github.com/future-architect/vuls/logging"
 	"github.com/future-architect/vuls/models"
 	"github.com/future-architect/vuls/util"
@@ -47,14 +48,18 @@ func (ms Microsoft) DetectCVEs(r *models.ScanResult, _ bool) (nCVEs int, err err
 		var errs []error
 		var resp *http.Response
 		f := func() error {
-			resp, body, errs = gorequest.New().Timeout(10 * time.Second).Post(u).SendStruct(content).Type("json").EndBytes()
+			req := gorequest.New().Post(u).SendStruct(content).Type("json")
+			if config.Conf.Gost.TimeoutSecPerRequest > 0 {
+				req = req.Timeout(time.Duration(config.Conf.Gost.TimeoutSecPerRequest) * time.Second)
+			}
+			resp, body, errs = req.EndBytes()
 			if 0 < len(errs) || resp == nil || resp.StatusCode != 200 {
 				return xerrors.Errorf("HTTP POST error. url: %s, resp: %v, err: %+v", u, resp, errs)
 			}
 			return nil
 		}
 		notify := func(err error, t time.Duration) {
-			logging.Log.Warnf("Failed to HTTP POST. retrying in %s seconds. err: %+v", t, err)
+			logging.Log.Warnf("Failed to HTTP POST. retrying in %f seconds. err: %+v", t.Seconds(), err)
 		}
 		if err := backoff.RetryNotify(f, backoff.NewExponentialBackOff(), notify); err != nil {
 			return 0, xerrors.Errorf("HTTP Error: %w", err)
@@ -88,14 +93,18 @@ func (ms Microsoft) DetectCVEs(r *models.ScanResult, _ bool) (nCVEs int, err err
 		var errs []error
 		var resp *http.Response
 		f := func() error {
-			resp, body, errs = gorequest.New().Timeout(10 * time.Second).Post(u).SendStruct(content).Type("json").EndBytes()
+			req := gorequest.New().Post(u).SendStruct(content).Type("json")
+			if config.Conf.Gost.TimeoutSecPerRequest > 0 {
+				req = req.Timeout(time.Duration(config.Conf.Gost.TimeoutSecPerRequest) * time.Second)
+			}
+			resp, body, errs = req.EndBytes()
 			if 0 < len(errs) || resp == nil || resp.StatusCode != 200 {
 				return xerrors.Errorf("HTTP POST error. url: %s, resp: %v, err: %+v", u, resp, errs)
 			}
 			return nil
 		}
 		notify := func(err error, t time.Duration) {
-			logging.Log.Warnf("Failed to HTTP POST. retrying in %s seconds. err: %+v", t, err)
+			logging.Log.Warnf("Failed to HTTP POST. retrying in %f seconds. err: %+v", t.Seconds(), err)
 		}
 		if err := backoff.RetryNotify(f, backoff.NewExponentialBackOff(), notify); err != nil {
 			return 0, xerrors.Errorf("HTTP Error: %w", err)
@@ -151,14 +160,18 @@ func (ms Microsoft) DetectCVEs(r *models.ScanResult, _ bool) (nCVEs int, err err
 		var errs []error
 		var resp *http.Response
 		f := func() error {
-			resp, body, errs = gorequest.New().Timeout(10 * time.Second).Post(u).SendStruct(content).Type("json").EndBytes()
+			req := gorequest.New().Post(u).SendStruct(content).Type("json")
+			if config.Conf.Gost.TimeoutSecPerRequest > 0 {
+				req = req.Timeout(time.Duration(config.Conf.Gost.TimeoutSecPerRequest) * time.Second)
+			}
+			resp, body, errs = req.EndBytes()
 			if 0 < len(errs) || resp == nil || resp.StatusCode != 200 {
 				return xerrors.Errorf("HTTP POST error. url: %s, resp: %v, err: %+v", u, resp, errs)
 			}
 			return nil
 		}
 		notify := func(err error, t time.Duration) {
-			logging.Log.Warnf("Failed to HTTP POST. retrying in %s seconds. err: %+v", t, err)
+			logging.Log.Warnf("Failed to HTTP POST. retrying in %f seconds. err: %+v", t.Seconds(), err)
 		}
 		if err := backoff.RetryNotify(f, backoff.NewExponentialBackOff(), notify); err != nil {
 			return 0, xerrors.Errorf("HTTP Error: %w", err)

gost/util.go

@@ -13,6 +13,7 @@ import (
 	"github.com/parnurzeal/gorequest"
 	"golang.org/x/xerrors"
 
+	"github.com/future-architect/vuls/config"
 	"github.com/future-architect/vuls/logging"
 	"github.com/future-architect/vuls/models"
 	"github.com/future-architect/vuls/util"
@@ -59,7 +60,10 @@ func getCvesViaHTTP(cveIDs []string, urlPrefix string) (
 		}
 	}
 
-	timeout := time.After(2 * 60 * time.Second)
+	var timeout <-chan time.Time
+	if config.Conf.Gost.TimeoutSec > 0 {
+		timeout = time.After(time.Duration(config.Conf.Gost.TimeoutSec) * time.Second)
+	}
 	var errs []error
 	for i := 0; i < nReq; i++ {
 		select {
@@ -68,11 +72,11 @@ func getCvesViaHTTP(cveIDs []string, urlPrefix string) (
 		case err := <-errChan:
 			errs = append(errs, err)
 		case <-timeout:
-			return nil, xerrors.New("Timeout Fetching OVAL")
+			return nil, xerrors.New("Timeout Fetching Gost")
 		}
 	}
 	if len(errs) != 0 {
-		return nil, xerrors.Errorf("Failed to fetch OVAL. err: %w", errs)
+		return nil, xerrors.Errorf("Failed to fetch Gost. err: %w", errs)
 	}
 	return
 }
@@ -124,7 +128,10 @@ func getCvesWithFixStateViaHTTP(r *models.ScanResult, urlPrefix, fixState string
 		}
 	}
 
-	timeout := time.After(2 * 60 * time.Second)
+	var timeout <-chan time.Time
+	if config.Conf.Gost.TimeoutSec > 0 {
+		timeout = time.After(time.Duration(config.Conf.Gost.TimeoutSec) * time.Second)
+	}
 	var errs []error
 	for i := 0; i < nReq; i++ {
 		select {
@@ -148,8 +155,11 @@ func httpGet(url string, req request, resChan chan<- response, errChan chan<- er
 	var resp *http.Response
 	count, retryMax := 0, 3
 	f := func() (err error) {
-		//  resp, body, errs = gorequest.New().SetDebug(config.Conf.Debug).Get(url).End()
-		resp, body, errs = gorequest.New().Timeout(10 * time.Second).Get(url).End()
+		req := gorequest.New().Get(url)
+		if config.Conf.Gost.TimeoutSecPerRequest > 0 {
+			req = req.Timeout(time.Duration(config.Conf.Gost.TimeoutSecPerRequest) * time.Second)
+		}
+		resp, body, errs = req.End()
 		if 0 < len(errs) || resp == nil || resp.StatusCode != 200 {
 			count++
 			if count == retryMax {
@@ -160,7 +170,7 @@ func httpGet(url string, req request, resChan chan<- response, errChan chan<- er
 		return nil
 	}
 	notify := func(err error, t time.Duration) {
-		logging.Log.Warnf("Failed to HTTP GET. retrying in %s seconds. err: %+v", t, err)
+		logging.Log.Warnf("Failed to HTTP GET. retrying in %f seconds. err: %+v", t.Seconds(), err)
 	}
 	err := backoff.RetryNotify(f, backoff.NewExponentialBackOff(), notify)
 	if err != nil {

oval/oval.go

@@ -84,7 +84,12 @@ func (b Base) CheckIfOvalFetched(osFamily, release string) (bool, error) {
 		if err != nil {
 			return false, xerrors.Errorf("Failed to join URLPath. err: %w", err)
 		}
-		resp, body, errs := gorequest.New().Timeout(10 * time.Second).Get(url).End()
+
+		req := gorequest.New().Get(url)
+		if config.Conf.OvalDict.TimeoutSecPerRequest > 0 {
+			req = req.Timeout(time.Duration(config.Conf.OvalDict.TimeoutSecPerRequest) * time.Second)
+		}
+		resp, body, errs := req.End()
 		if 0 < len(errs) || resp == nil || resp.StatusCode != 200 {
 			return false, xerrors.Errorf("HTTP GET error, url: %s, resp: %v, err: %+v", url, resp, errs)
 		}
@@ -143,7 +148,11 @@ func (b Base) CheckIfOvalFresh(osFamily, release string) (ok bool, err error) {
 		if err != nil {
 			return false, xerrors.Errorf("Failed to join URLPath. err: %w", err)
 		}
-		resp, body, errs := gorequest.New().Timeout(10 * time.Second).Get(url).End()
+		req := gorequest.New().Get(url)
+		if config.Conf.OvalDict.TimeoutSecPerRequest > 0 {
+			req = req.Timeout(time.Duration(config.Conf.OvalDict.TimeoutSecPerRequest) * time.Second)
+		}
+		resp, body, errs := req.End()
 		if 0 < len(errs) || resp == nil || resp.StatusCode != 200 {
 			return false, xerrors.Errorf("HTTP GET error, url: %s, resp: %v, err: %+v", url, resp, errs)
 		}