vex: allow timeout to pull down VEX archive to be configurable

crozzy · crozzy · commit ff78510aeef7 · 2025-04-17T09:26:16.000-07:00
The timeout was hardcoded to 2m, this remains the default value but
users have the option to configure it to a different value using
updaters.config.rhel-vex.compressed_file_timeout.

Signed-off-by: crozzy &lt;joseph.crosland@gmail.com&gt;
diff --git a/duration.go b/duration.go
@@ -0,0 +1,27 @@
+package claircore
+
+import (
+	"errors"
+	"time"
+)
+
+// Duration is a serializeable [time.Duration].
+type Duration time.Duration
+
+// UnmarshalText implements [encoding.TextUnmarshaler].
+func (d *Duration) UnmarshalText(b []byte) error {
+	dur, err := time.ParseDuration(string(b))
+	if err != nil {
+		return err
+	}
+	*d = Duration(dur)
+	return nil
+}
+
+// MarshalText implements [encoding.TextMarshaler].
+func (d *Duration) MarshalText() ([]byte, error) {
+	if d == nil {
+		return nil, errors.New("cannot marshal nil duration")
+	}
+	return []byte(time.Duration(*d).String()), nil
+}
diff --git a/rhel/vex/fetcher.go b/rhel/vex/fetcher.go
@@ -27,9 +27,8 @@ import (
 )
 
 var (
-	compressedFileTimeout = 2 * time.Minute
-	deletedTemplate       = `{"document":{"tracking":{"id":"%s","status":"deleted"}}}`
-	cvePathRegex          = regexp.MustCompile(`^\d{4}/(cve-\d{4}-\d{4,}).json$`)
+	deletedTemplate = `{"document":{"tracking":{"id":"%s","status":"deleted"}}}`
+	cvePathRegex    = regexp.MustCompile(`^\d{4}/(cve-\d{4}-\d{4,}).json$`)
 )
 
 // Fetch pulls data down from the Red Hat VEX endpoints. The order of operations is:
@@ -107,7 +106,7 @@ func (u *Updater) Fetch(ctx context.Context, hint driver.Fingerprint) (io.ReadCl
 	}
 
 	if processArchive {
-		rctx, cancel := context.WithTimeout(ctx, compressedFileTimeout)
+		rctx, cancel := context.WithTimeout(ctx, u.compressedFileTimeout)
 		defer cancel()
 
 		if compressedURL == nil {
diff --git a/rhel/vex/updater.go b/rhel/vex/updater.go
@@ -11,6 +11,7 @@ import (
 
 	"github.com/quay/zlog"
 
+	"github.com/quay/claircore"
 	"github.com/quay/claircore/libvuln/driver"
 )
 
@@ -28,28 +29,31 @@ const (
 	//doc:url updater
 	BaseURL = "https://security.access.redhat.com/data/csaf/v2/vex/"
 
-	latestFile     = "archive_latest.txt"
-	changesFile    = "changes.csv"
-	deletionsFile  = "deletions.csv"
-	lookBackToYear = 2014
-	repoKey        = "rhel-cpe-repository"
-	updaterVersion = "4"
+	defaultCompressedFileTimeout = 2 * time.Minute
+	latestFile                   = "archive_latest.txt"
+	changesFile                  = "changes.csv"
+	deletionsFile                = "deletions.csv"
+	lookBackToYear               = 2014
+	repoKey                      = "rhel-cpe-repository"
+	updaterVersion               = "4"
 )
 
 // Factory creates an Updater to process all of the Red Hat VEX data.
 //
 // [Configure] must be called before [UpdaterSet].
 type Factory struct {
-	c    *http.Client
-	base *url.URL
+	c                     *http.Client
+	base                  *url.URL
+	compressedFileTimeout time.Duration
 }
 
 // UpdaterSet constructs one Updater
 func (f *Factory) UpdaterSet(_ context.Context) (driver.UpdaterSet, error) {
 	us := driver.NewUpdaterSet()
 	u := &Updater{
-		url:    f.base,
-		client: f.c,
+		url:                   f.base,
+		client:                f.c,
+		compressedFileTimeout: f.compressedFileTimeout,
 	}
 	err := us.Add(u)
 	if err != nil {
@@ -67,6 +71,8 @@ type FactoryConfig struct {
 	//
 	// Must include the trailing slash.
 	URL string `json:"url" yaml:"url"`
+	// CompressedFileTimeout sets the timeout for downloading the compressed VEX file.
+	CompressedFileTimeout claircore.Duration `json:"compressed_file_timeout" yaml:"compressed_file_timeout"`
 }
 
 // Configure implements driver.Configurable
@@ -88,14 +94,20 @@ func (f *Factory) Configure(ctx context.Context, cf driver.ConfigUnmarshaler, c
 	if err != nil {
 		return err
 	}
+
+	f.compressedFileTimeout = defaultCompressedFileTimeout
+	if cfg.CompressedFileTimeout != 0 {
+		f.compressedFileTimeout = time.Duration(cfg.CompressedFileTimeout)
+	}
 	return nil
 }
 
 // Updater is responsible from reading VEX data served at the URL
 // and creating vulnerabilities.
 type Updater struct {
-	url    *url.URL
-	client *http.Client
+	url                   *url.URL
+	client                *http.Client
+	compressedFileTimeout time.Duration
 }
 
 // fingerprint is used to track the state of the changes.csv and deletions.csv endpoints.

Original file line number	Diff line number	Diff line change
`@@ -27,9 +27,8 @@ import (`
`27`	`27`	`)`
`28`	`28`
`29`	`29`	`var (`
`30`		`- compressedFileTimeout = 2 * time.Minute`
`31`		- deletedTemplate = `{"document":{"tracking":{"id":"%s","status":"deleted"}}}`
`32`		- cvePathRegex = regexp.MustCompile(`^\d{4}/(cve-\d{4}-\d{4,}).json$`)
	`30`	+ deletedTemplate = `{"document":{"tracking":{"id":"%s","status":"deleted"}}}`
	`31`	+ cvePathRegex = regexp.MustCompile(`^\d{4}/(cve-\d{4}-\d{4,}).json$`)
`33`	`32`	`)`
`34`	`33`
`35`	`34`	`// Fetch pulls data down from the Red Hat VEX endpoints. The order of operations is:`
`@@ -107,7 +106,7 @@ func (u *Updater) Fetch(ctx context.Context, hint driver.Fingerprint) (io.ReadCl`
`107`	`106`	`}`
`108`	`107`
`109`	`108`	`if processArchive {`
`110`		`- rctx, cancel := context.WithTimeout(ctx, compressedFileTimeout)`
	`109`	`+ rctx, cancel := context.WithTimeout(ctx, u.compressedFileTimeout)`
`111`	`110`	`defer cancel()`
`112`	`111`
`113`	`112`	`if compressedURL == nil {`