Latest docker tag results in thread exhaustion

Question

Latest docker tag results in thread exhaustion

darkspirit510 opened this issue 2 years ago · 1 comments

What happened:

Running latest horuszup/horusec-cli fails with thread exhaustion (both amd64 and arm64 platform)

time="2022-06-23T09:35:32Z" level=warning msg="{HORUSEC_CLI} Config file not found"
time="2022-06-23T09:36:12Z" level=warning msg="{HORUSEC_CLI} When starting the analysis WE SKIP A TOTAL OF 34023 FILES that are not considered to be analyzed. To see more details use flag --log-level=debug"

time="2022-06-23T09:42:33Z" level=warning msg="Horusec will return a timeout after 3600 seconds. This time can be customized in the cli settings."

time="2022-06-23T09:42:33Z" level=warning msg="{HORUSEC_CLI} PLEASE DON'T REMOVE \".horusec\" FOLDER BEFORE THE ANALYSIS FINISH! Don’t worry, we’ll remove it after the analysis ends automatically! Project sent to folder in location: [/src/.horusec/9c06d4e8-87f3-466f-85fd-78480afe3536]"

runtime: program exceeds 10000-thread limit
fatal error: thread exhaustion
[...]

What you expected to happen:

Just work 😅

How to reproduce it (as minimally and precisely as possible):

See script https://github.com/OWASP-Benchmark/BenchmarkJava/blob/master/scripts/runHorusec.sh

Anything else we need to know?:

Don't think so (if in doubt, ask!)

Environment:

Horusec version (use horusec version): 2.8.0
Operating System: MacOS 12.4 + Docker 20.10.14
Network plugin / Tool and version (if this is a network-related / tool bug): -/-
Others: -/-

Answer 1 · 2023-09-19T16:51:48.000Z

I have the same error on Windows 10, no docker:

time="2023-09-19T17:39:09+02:00" level=warning msg="{HORUSEC_CLI} Config file not found"
time="2023-09-19T17:39:37+02:00" level=warning msg="{HORUSEC_CLI} When starting the analysis WE SKIP A TOTAL OF 35952 FILES that are not considered to be analyzed. To see more details use flag --log-level=debug"

time="2023-09-19T17:45:31+02:00" level=warning msg="Horusec will return a timeout after 600000 seconds. This time can be customized in the cli settings."

⣷ Scanning code ...runtime: program exceeds 10000-thread limit
fatal error: thread exhaustion

runtime stack:
runtime.throw({0xaa0f9a, 0xffffffffffffff38})
	/opt/hostedtoolcache/go/1.17.10/x64/src/runtime/panic.go:1198 +0x76

[...]

10000 thread is the default max limit of Golang: https://pkg.go.dev/runtime/debug#SetMaxThreads

10k threads is a lot of threads. It could also freeze your machine, and indeed when I run it, the system was unresponsive.

Can't this be limited, or use a thread pool?