fix: multiple scans using the same scanner instance caused "close of closed channel" panic (#300)

Author: cx-leonardo-fontes

.github/workflows/release.yml

@@ -24,7 +24,7 @@ jobs:
         with:
           go-version: "^1.22"
       - name: Go Linter
-        run: docker run --rm -v $(pwd):/app -w /app golangci/golangci-lint:v1.61.0 golangci-lint run -v -E gofmt --timeout=5m
+        run: docker run --rm -v $(pwd):/app -w /app golangci/golangci-lint:v2.1.5 golangci-lint run --timeout=5m
 
       - name: Unit Tests
         run: go test ./...

engine/rules/rules.go

@@ -70,7 +70,7 @@ const TagPublicSecret = "public-secret"
 const TagSensitiveUrl = "sensitive-url"
 const TagWebhook = "webhook"
 
-func getDefaultRules() *[]Rule {
+func GetDefaultRules() *[]Rule {
 	allRules := &[]Rule{
 		{Rule: *rules.AdafruitAPIKey(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryIoTPlatform, RuleType: 4}},
 		{Rule: *rules.AdobeClientID(), Tags: []string{TagClientId}, ScoreParameters: ScoreParameters{Category: CategorySaaS, RuleType: 1}},
@@ -293,7 +293,7 @@ func FilterRules(selectedList, ignoreList, specialList []string) *[]Rule {
 		log.Warn().Msgf("Both 'rule' and 'ignoreRule' flags were provided, I will first take all in 'rule' and then remove all in 'ignoreRule' from the list.")
 	}
 
-	selectedRules := getDefaultRules()
+	selectedRules := GetDefaultRules()
 	if len(selectedList) > 0 {
 		selectedRules = selectRules(selectedRules, selectedList)
 	}

engine/rules/rules_test.go

@@ -7,7 +7,7 @@ import (
 )
 
 func TestLoadAllRules(t *testing.T) {
-	rules := getDefaultRules()
+	rules := GetDefaultRules()
 
 	if len(*rules) <= 1 {
 		t.Error("no rules were loaded")
@@ -16,7 +16,7 @@ func TestLoadAllRules(t *testing.T) {
 
 func TestLoadAllRules_DuplicateRuleID(t *testing.T) {
 	ruleIDMap := make(map[string]bool)
-	allRules := getDefaultRules()
+	allRules := GetDefaultRules()
 
 	for _, rule := range *allRules {
 		if _, ok := ruleIDMap[rule.Rule.RuleID]; ok {
@@ -29,7 +29,7 @@ func TestLoadAllRules_DuplicateRuleID(t *testing.T) {
 
 func Test_FilterRules_SelectRules(t *testing.T) {
 	specialRule := HardcodedPassword()
-	allRules := *getDefaultRules()
+	allRules := *GetDefaultRules()
 	rulesCount := len(allRules)
 
 	tests := []struct {

pkg/scan.go

@@ -3,6 +3,8 @@ package scanner
 import (
 	"errors"
 	"fmt"
+	"github.com/checkmarx/2ms/v3/lib/secrets"
+	"github.com/checkmarx/2ms/v3/plugins"
 	"sync"
 
 	"github.com/checkmarx/2ms/v3/lib/reporting"
@@ -23,23 +25,36 @@ func NewScanner() Scanner {
 	return &scanner{}
 }
 
+func resetCmdGlobals() {
+	cmd.Channels = plugins.Channels{
+		Items:     make(chan plugins.ISourceItem),
+		Errors:    make(chan error),
+		WaitGroup: &sync.WaitGroup{},
+	}
+
+	cmd.Report = reporting.Init()
+
+	cmd.SecretsChan = make(chan *secrets.Secret)
+	cmd.SecretsExtrasChan = make(chan *secrets.Secret)
+	cmd.ValidationChan = make(chan *secrets.Secret)
+	cmd.CvssScoreWithoutValidationChan = make(chan *secrets.Secret)
+}
+
 func (s *scanner) Scan(scanItems []ScanItem, scanConfig ScanConfig) (*reporting.Report, error) {
-	itemsCh := cmd.Channels.Items
-	errorsCh := cmd.Channels.Errors
+	resetCmdGlobals()
+
 	bufferedErrors := make(chan error, len(scanItems)+1)
 	wg := &sync.WaitGroup{}
 
-	// Error listener
 	go func() {
-		for err := range errorsCh {
+		for err := range cmd.Channels.Errors {
 			if err != nil {
 				bufferedErrors <- err
 			}
 		}
 		close(bufferedErrors)
 	}()
 
-	// Initialize engine
 	engineConfig := engine.EngineConfig{
 		IgnoredIds: scanConfig.IgnoreResultIds,
 		IgnoreList: scanConfig.IgnoreRules,
@@ -49,25 +64,21 @@ func (s *scanner) Scan(scanItems []ScanItem, scanConfig ScanConfig) (*reporting.
 		return &reporting.Report{}, fmt.Errorf("error initializing engine: %w", err)
 	}
 
-	// Start processing pipeline
 	startPipeline(engineInstance, scanConfig.WithValidation)
 
-	// Send scan items
 	for _, item := range scanItems {
 		wg.Add(1)
 		go func(si ScanItem) {
 			defer wg.Done()
-			itemsCh <- si
+			cmd.Channels.Items <- si
 		}(item)
 	}
 	wg.Wait()
-	close(itemsCh)
+	close(cmd.Channels.Items)
 
-	// Wait for all processing
 	cmd.Channels.WaitGroup.Wait()
-	close(errorsCh)
+	close(cmd.Channels.Errors)
 
-	// Collect errors
 	var errs []error
 	for err = range bufferedErrors {
 		errs = append(errs, err)
@@ -96,46 +107,34 @@ func startPipeline(engineInstance engine.IEngine, withValidation bool) {
 }
 
 func (s *scanner) ScanDynamic(itemsIn <-chan ScanItem, scanConfig ScanConfig) (*reporting.Report, error) {
-	itemsCh := cmd.Channels.Items
-	errorsCh := cmd.Channels.Errors
+	resetCmdGlobals()
 
-	// Initialize engine configuration.
-	engineConfig := engine.EngineConfig{IgnoredIds: scanConfig.IgnoreResultIds, IgnoreList: scanConfig.IgnoreRules}
+	engineConfig := engine.EngineConfig{
+		IgnoredIds: scanConfig.IgnoreResultIds,
+		IgnoreList: scanConfig.IgnoreRules,
+	}
 	engineInstance, err := engine.Init(engineConfig)
 	if err != nil {
 		return &reporting.Report{}, fmt.Errorf("error initializing engine: %w", err)
 	}
 
-	// Start processing routines.
-	cmd.Channels.WaitGroup.Add(1)
-	go cmd.ProcessItems(engineInstance, "custom")
-
-	cmd.Channels.WaitGroup.Add(1)
-	go cmd.ProcessSecrets()
-
-	cmd.Channels.WaitGroup.Add(1)
-	go cmd.ProcessSecretsExtras()
-
-	cmd.Channels.WaitGroup.Add(1)
-	go cmd.ProcessScoreWithoutValidation(engineInstance)
+	startPipeline(engineInstance, false)
 
-	for item := range itemsIn {
-		itemsCh <- item
-	}
-	close(itemsCh)
+	go func() {
+		for item := range itemsIn {
+			cmd.Channels.Items <- item
+		}
+		close(cmd.Channels.Items)
+	}()
 
-	// Wait for all processing routines.
 	cmd.Channels.WaitGroup.Wait()
-	close(errorsCh)
+	close(cmd.Channels.Errors)
 
-	// Check if any error occurred.
-	for err := range errorsCh {
+	for err := range cmd.Channels.Errors {
 		if err != nil {
 			return &reporting.Report{}, fmt.Errorf("error processing scan items: %w", err)
 		}
 	}
 
-	// Finalize and generate report.
-	report := cmd.Report
-	return report, nil
+	return cmd.Report, nil
 }