add command timeout with context.Cause for better error handling

[eeisegn]

Summary by CodeRabbit

• New Features

  • Added HPSM setup validation that verifies connectivity and disables HPSM on failed validation.
  • Support for configuring an HPSM file-contents API key via environment variable.

• Bug Fixes

  • Improved scanning service error handling to clearly distinguish timeout conditions from other failures in logs and returned errors.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Replaced timeout handling in the scanning service to use context.WithTimeoutCause allowing distinct timeout errors; added HPSM connectivity validation during server startup and a new config field for HPSM contents API key to support authenticated content requests.

Changes

Cohort / File(s)	Change summary
Scanning timeout handling pkg/service/scanning_service.go	Replaced context.WithTimeout with context.WithTimeoutCause in scanWfp and TestEngine flows; attach explicit timeout error cause and update logs/error returns to inspect context.Cause(ctx) to distinguish timeouts from other failures.
HPSM startup validation pkg/cmd/server.go	Added HPSM setup test executed during RunServer after env setup; runs an external wget-based connectivity check (with optional X-Session header), logs results, and disables HPSM on failure; imports os/exec and go.uber.org/zap.
HPSM config key pkg/config/server_config.go	Added HPSMcontentsAPIkey field wired to SCANOSS_FILE_CONTENTS_APIKEY in ServerConfig.Scanning to support HPSM content API key configuration.

Sequence Diagram(s)

sequenceDiagram
  participant Server as RunServer
  participant Env as Env Setup
  participant TestCmd as testHPSMSetup (exec)
  participant HPSM as HPSM Content Endpoint

  Server->>Env: setupEnvVars()
  Env-->>Server: env vars set (maybe API key)
  Server->>TestCmd: testHPSMSetup(SCANOSS_FILE_CONTENTS_URL, optional key)
  TestCmd->>HPSM: wget request (URL + optional X-Session header)
  HPSM-->>TestCmd: HTTP response (success/failure)
  TestCmd-->>Server: success -> keep HPSM enabled / failure -> disable HPSM and log
  Server->>Server: start REST server (if continued)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I tugged a timeout from the air,
Gave it a cause and made it fair,
The server checks the far-off well,
If HPSM answers, all is well—
If not, I hop and log the tale.

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The PR title focuses on adding command timeout with context.Cause, but the changeset also includes HPSM setup validation and a new configuration field, which represent significant portions of the work not reflected in the title.	Revise the title to better reflect all major changes, such as 'add command timeout with context.Cause and HPSM setup validation' or split into multiple focused PRs.
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@pkg/cmd/server.go`:
- Around line 112-117: The code currently logs the sensitive
cfg.Scanning.HPSMcontentsAPIkey when os.Setenv("SCANOSS_API_KEY", ...) fails;
remove the key from logs and only log a non-sensitive message and the error.
Update the failure branch around os.Setenv in the block that checks
cfg.Scanning.HPSMEnabled to call zlog.S (e.g., Infof/Errorf) with a message like
"Failed to set SCANOSS_API_KEY environment variable" and include only the error
(no key value), so references are to cfg.Scanning.HPSMcontentsAPIkey, os.Setenv
and zlog.S.Infof/Errorf for locating the code to change.

🧹 Nitpick comments (2)

pkg/config/server_config.go (1)

70-70: Field naming inconsistency and truncated comment.

1. The field name HPSMcontentsAPIkey uses inconsistent casing. Following Go conventions for acronyms, consider HPSMContentsAPIKey.
2. The comment appears truncated: "HPSM ser" — it seems to be cut off mid-word.

Suggested fix

-		HPSMcontentsAPIkey string `env:"SCANOSS_FILE_CONTENTS_APIKEY"` // API key used to access the file contents from SCANOSS_FILE_CONTENTS_URL with HPSM ser
+		HPSMContentsAPIKey string `env:"SCANOSS_FILE_CONTENTS_APIKEY"` // API key used to access the file contents from SCANOSS_FILE_CONTENTS_URL with HPSM service

Note: If you rename the field, update all usages in pkg/cmd/server.go (e.g., cfg.Scanning.HPSMcontentsAPIkey → cfg.Scanning.HPSMContentsAPIKey).

pkg/cmd/server.go (1)

175-218: Replace wget dependency with Go's net/http client for better portability and to fix ineffective stderr capture.

While wget is available on Alpine Linux by default, using an external command introduces portability risks for Windows, macOS, minimal containers, and other environments without wget pre-installed. Additionally, the -q flag suppresses wget's diagnostic output (including errors sent to stderr), making the stderr capture on lines 207–212 ineffective.

The hardcoded MD5 8109a183e06165144dc8d97b791c130f on line 184 should include a comment explaining what file it represents.

Using Go's net/http package eliminates the external dependency, improves cross-platform compatibility, and simplifies error handling:

Proposed refactor using net/http

func testHPSMSetup(s *zap.SugaredLogger) error {
	url := os.Getenv("SCANOSS_FILE_CONTENTS_URL")
	if url == "" {
		return fmt.Errorf("SCANOSS_FILE_CONTENTS_URL is not set")
	}
	if !strings.HasSuffix(url, "/") {
		url += "/"
	}
	// Known test file MD5 (e.g., from a commonly available open-source file)
	url += "8109a183e06165144dc8d97b791c130f"

	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return fmt.Errorf("failed to create request: %w", err)
	}

	apiKey := os.Getenv("SCANOSS_API_KEY")
	if apiKey != "" {
		req.Header.Set("X-Session", apiKey)
	} else {
		s.Debug("No SCANOSS_API_KEY set; proceeding without authentication header.")
	}

	client := &http.Client{Timeout: 10 * time.Second}
	s.Debugf("HPSM test request: GET %s", url)

	resp, err := client.Do(req)
	if err != nil {
		s.Debugf("HPSM connection test failed for URL %s: %v", url, err)
		return err
	}
	defer resp.Body.Close()

	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
		s.Debugf("HPSM connection test failed for URL %s: HTTP %d", url, resp.StatusCode)
		return fmt.Errorf("HTTP %d", resp.StatusCode)
	}

	s.Infof("HPSM setup test successful for URL: %s", url)
	return nil
}

This requires adding "net/http" and "time" imports.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Security: Avoid logging sensitive API key values.

The API key is logged if os.Setenv fails. Secrets should not appear in logs as they may be persisted and exposed.

Proposed fix

 	if cfg.Scanning.HPSMEnabled && len(cfg.Scanning.HPSMcontentsAPIkey) > 0 {
 		err := os.Setenv("SCANOSS_API_KEY", cfg.Scanning.HPSMcontentsAPIkey)
 		if err != nil {
-			zlog.S.Infof("Failed to set SCANOSS_API_KEY value to %v: %v", cfg.Scanning.HPSMcontentsAPIkey, err)
+			zlog.S.Infof("Failed to set SCANOSS_API_KEY: %v", err)
 		}
 	}

🤖 Prompt for AI Agents

In `@pkg/cmd/server.go` around lines 112 - 117, The code currently logs the
sensitive cfg.Scanning.HPSMcontentsAPIkey when os.Setenv("SCANOSS_API_KEY", ...)
fails; remove the key from logs and only log a non-sensitive message and the
error. Update the failure branch around os.Setenv in the block that checks
cfg.Scanning.HPSMEnabled to call zlog.S (e.g., Infof/Errorf) with a message like
"Failed to set SCANOSS_API_KEY environment variable" and include only the error
(no key value), so references are to cfg.Scanning.HPSMcontentsAPIkey, os.Setenv
and zlog.S.Infof/Errorf for locating the code to change.