Make probe items limit configurable

jan-cerny · jan-cerny · commit f2461c749882 · 2023-11-21T16:57:03.000+01:00
Users can limit the amount of items collected by setting the
`OSCAP_PROBE_MAX_COLLECTED_ITEMS` environment variable.
By default, the amount of items is unlimited.
diff --git a/docs/manual/manual.adoc b/docs/manual/manual.adoc
@@ -1618,6 +1618,7 @@ not considered local by the scanner:
 * `SEXP_VALIDATE_DISABLE` - If set, `oscap` will not validate SEXP expressions during its execution.
 * `SOURCE_DATE_EPOCH` - Timestamp in seconds since epoch. This timestamp will be used instead of the current time to populate `timestamp` attributes in SCAP source data streams created by `oscap ds sds-compose` sub-module. This is used for reproducible builds of data streams.
 * `OSCAP_PROBE_MEMORY_USAGE_RATIO` - maximum memory usage ratio (used/total) for OpenSCAP probes, default: 0.1
+* `OSCAP_PROBE_MAX_COLLECTED_ITEMS` - maximal count of collected items by OpenSCAP probe for a single OVAL object evaluation
 
 Also, OpenSCAP uses `libcurl` library which also can be configured using environment variables. See https://curl.se/libcurl/c/libcurl-env.html[the list of libcurl environment variables].
 
diff --git a/src/OVAL/probes/probe/icache.c b/src/OVAL/probes/probe/icache.c
@@ -45,8 +45,6 @@
 #include "icache.h"
 #include "_sexp-ID.h"
 
-#define PROBE_ITEM_COLLECT_MAX 1000
-
 static volatile uint32_t next_ID = 0;
 
 #if !defined(HAVE_ATOMIC_FUNCTIONS)
@@ -585,8 +583,8 @@ int probe_item_collect(struct probe_ctx *ctx, SEXP_t *item)
 	cobj_itemcnt = SEXP_list_length(cobj_content);
 	SEXP_free(cobj_content);
 
-	if (cobj_itemcnt >= PROBE_ITEM_COLLECT_MAX) {
-		char *message = oscap_sprintf("Object is incomplete because the object matches more than %d items.", PROBE_ITEM_COLLECT_MAX);
+	if (ctx->max_collected_items != OSCAP_PROBE_COLLECT_UNLIMITED && cobj_itemcnt >= ctx->max_collected_items) {
+		char *message = oscap_sprintf("Object is incomplete because the object matches more than %ld items.", ctx->max_collected_items);
 		if (_mark_collected_object_as_incomplete(ctx, message) != 0) {
 			free(message);
 			return -1;
diff --git a/src/OVAL/probes/probe/probe.h b/src/OVAL/probes/probe/probe.h
@@ -43,6 +43,11 @@
 #include "common/util.h"
 #include "common/compat_pthread_barrier.h"
 
+/* default max. memory usage ratio - used/total */
+/* can be overridden by environment variable OSCAP_PROBE_MEMORY_USAGE_RATIO */
+#define OSCAP_PROBE_MEMORY_USAGE_RATIO_DEFAULT 0.33
+#define OSCAP_PROBE_COLLECT_UNLIMITED 0
+
 typedef struct {
 	pthread_rwlock_t rwlock;
 	uint32_t         flags;
@@ -84,6 +89,7 @@ struct probe_ctx {
         probe_icache_t *icache;    /**< item cache */
 	int offline_mode;
 	double max_mem_ratio;
+	size_t max_collected_items;
 };
 
 typedef enum {
diff --git a/src/OVAL/probes/probe/worker.c b/src/OVAL/probes/probe/worker.c
@@ -52,10 +52,6 @@ extern int chroot(const char *);
 #include "probe-table.h"
 #include "probe.h"
 
-/* default max. memory usage ratio - used/total */
-/* can be overridden by environment variable OSCAP_PROBE_MEMORY_USAGE_RATIO */
-#define OSCAP_PROBE_MEMORY_USAGE_RATIO_DEFAULT 0.33
-
 extern bool  OSCAP_GSYM(varref_handling);
 extern void *OSCAP_GSYM(probe_arg);
 
@@ -1078,6 +1074,14 @@ SEXP_t *probe_worker(probe_t *probe, SEAP_msg_t *msg_in, int *ret)
 			if (max_ratio > 0)
 				pctx.max_mem_ratio = max_ratio;
 		}
+		pctx.max_collected_items = OSCAP_PROBE_COLLECT_UNLIMITED;
+		char *max_collected_items_str = getenv("OSCAP_PROBE_MAX_COLLECTED_ITEMS");
+		if (max_collected_items_str != NULL) {
+			int max_collected_items = strtol(max_collected_items_str, NULL, 0);
+			if (max_collected_items > 0) {
+				pctx.max_collected_items = max_collected_items;
+			}
+		}
 
 		/* simple object */
                 pctx.icache  = probe->icache;
diff --git a/tests/memory/collect_limit.sh b/tests/memory/collect_limit.sh
@@ -4,15 +4,15 @@ set -e -o pipefail
 
 . $builddir/tests/test_common.sh
 
-# PROBE_ITEM_COLLECT_MAX limit is 1000
-seq 1010 > /tmp/longfile
+export OSCAP_PROBE_MAX_COLLECTED_ITEMS=100
+seq 110 > /tmp/longfile
 result=$(mktemp)
 $OSCAP oval eval --results "$result" $srcdir/collect_limit.oval.xml
 assert_exists 1 '/oval_results/results/system/oval_system_characteristics/collected_objects/object'
 assert_exists 1 '/oval_results/results/system/oval_system_characteristics/collected_objects/object[@flag="incomplete"]'
 assert_exists 1 '/oval_results/results/system/oval_system_characteristics/collected_objects/object/message[@level="warning"]'
-text="Object is incomplete because the object matches more than 1000 items."
+text="Object is incomplete because the object matches more than 100 items."
 assert_exists 1 "/oval_results/results/system/oval_system_characteristics/collected_objects/object/message[text()=\"$text\"]"
-assert_exists 1000 '/oval_results/results/system/oval_system_characteristics/system_data/ind-sys:textfilecontent_item'
+assert_exists 100 '/oval_results/results/system/oval_system_characteristics/system_data/ind-sys:textfilecontent_item'
 rm -f /tmp/longfile
 rm -f "$result"
