@janisz janisz commented Aug 28, 2025

Fixes #414

Summary

  • Added configurable read timeout option to prevent timeouts during large image scans
  • Replaced hardcoded 10-minute read timeout with user-configurable value (1-3600 seconds, default 600)
  • Added new readTimeoutSeconds field to the Jenkins plugin configuration UI

Changes

  • ApiClientFactory: Modified to accept configurable read timeout parameter instead of hardcoded 10-minute timeout
  • StackroxBuilder: Added new readTimeoutSeconds field with validation (1-3600 seconds)
  • Configuration UI: Added new timeout input field with help text in Jenkins configuration
  • Templates: Updated XML templates to include the new timeout parameter
  • Tests: Added test coverage for timeout functionality and updated existing tests

Test Plan

  • Added functional test that verifies minimal timeout configuration fails as expected
  • Updated existing tests to use the new timeout parameter
  • Verified UI validation prevents invalid timeout values (must be 1-3600 seconds)

This change allows users to configure appropriate timeout values for their environment, especially when scanning large Docker images
that may take longer than the previous 10-minute hardcoded limit.

🤖 Generated with https://claude.ai/code
Co-Authored-By: Claude [email protected]

Signed-off-by: Tomasz Janiszewski <[email protected]>
@janisz janisz requested a review from rhybrillou as a code owner August 28, 2025 17:18
@janisz janisz mentioned this pull request Aug 28, 2025
janisz added 2 commits August 29, 2025 12:57
Signed-off-by: Tomasz Janiszewski <[email protected]>
Signed-off-by: Tomasz Janiszewski <[email protected]>

andham commented Aug 29, 2025

Will this change make it possible to override the default/globally configured timeout in one pipeline?
For example if you have one pipeline where a very large image is built, it would make sense IMHO if it was possible to set a longer timeout just for that scan and not all.

andham commented Aug 29, 2025

I discussed with the team that sees this issue and they say that the analysis times out after 30 seconds. So, based on that, it seems it's not the read timeout (as it's 10 min currently) but rather connect or write timeout that needs to be configurable.

janisz added 2 commits August 29, 2025 15:20
Signed-off-by: Tomasz Janiszewski <[email protected]>
Signed-off-by: Tomasz Janiszewski <[email protected]>

janisz commented Sep 1, 2025

Thank you, @andham! I agree. If the issue were a connect or write timeout, the root cause would likely be something other than slow scanning. A connect timeout typically happens when the server is unreachable or if a man-in-the-middle attack is interfering with the connection. Similarly, a write timeout would be suspicious because the request payload is small—just a JSON object with an image name and some options.

On the other hand, the symptoms you described strongly suggest that large images are taking a long time to scan. Since the scanning process is blocking, the plugin must wait for a response, which is likely what's causing the read timeout while the image is being processed.

> Will this change make it possible to override the default/globally configured timeout in one pipeline?

Jenkins plugin configuration is per job, so there is no global configuration; each job has its own config, so you can set a higher timeout for a single job.

andham commented Sep 1, 2025

> On the other hand, the symptoms you described strongly suggest that large images are taking a long time to scan. Since the scanning process is blocking, the plugin must wait for a response, which is likely what's causing the read timeout while the image is being processed.

But as the read timeout is already 10 minutes but the failure they see is a timeout after 30 seconds it indicates (in their case) that it's the connect or write connect. Based on your explanation it most likely is the connect timeout.
I've asked the team to reproduce the issue and we'll see if the log message could help.

andham commented Sep 1, 2025

This is what the error output looks like in Jenkins:

Fatal error: Failed image scan request. Status code: 0. Error: Message: java.net.SocketTimeoutException: timeout
HTTP response code: 0
HTTP response body: null
HTTP response headers: null. Aborting ...

And it happens after 30 seconds with a large image.

andham commented Sep 1, 2025

I just realized that the 10 minutes read timeout is something new. We're on v1.4.3 and in that release the read timeout is 30 seconds.
So it could very likely be the read timeout that's the issue, as you said. My earlier comments were based on my (incorrect) assumption that the plugin already had a 10 minutes read timeout. My bad.
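
The connect-versus-read distinction worked out in this thread, as an added example that is not the plugin's code: it uses only JDK sockets, a constructed local server standing in for the blocking scan endpoint, and a hypothetical `validate` helper mirroring the 1-3600 second range from the PR summary. The class and method names are assumptions made for the illustration.

```java
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;

public class ReadTimeoutDemo {
    // Range taken from the PR summary; reject bad values instead of silently clamping them.
    static int validate(int seconds) {
        if (seconds < 1 || seconds > 3600)
            throw new IllegalArgumentException("read timeout must be 1-3600 seconds");
        return seconds;
    }

    // Constructed stand-in for a blocking scan call: accepts at once, answers after delayMs.
    static ServerSocket slowServer(long delayMs) throws IOException {
        ServerSocket server = new ServerSocket(0, 1, InetAddress.getLoopbackAddress());
        Thread t = new Thread(() -> {
            while (!server.isClosed()) {
                try (Socket s = server.accept()) {
                    s.getInputStream().read();   // consume the one-byte "request"
                    Thread.sleep(delayMs);       // the server is busy "scanning"
                    s.getOutputStream().write("done\n".getBytes(StandardCharsets.UTF_8));
                } catch (IOException | InterruptedException e) { /* client gone or server closed */ }
            }
        });
        t.setDaemon(true);
        t.start();
        return server;
    }

    // connectMs bounds the TCP handshake only; readMs bounds each wait for response bytes.
    static String request(int port, int connectMs, int readMs) {
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress(InetAddress.getLoopbackAddress(), port), connectMs);
            s.setSoTimeout(readMs);
            s.getOutputStream().write('x');
            InputStream in = s.getInputStream();
            return "ok: " + new BufferedReader(new InputStreamReader(in, StandardCharsets.UTF_8)).readLine();
        } catch (IOException e) {                // SocketTimeoutException is an IOException
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        try (ServerSocket server = slowServer(1000)) {
            // Connect succeeds immediately; the short read timeout expires while the server works.
            System.out.println(request(server.getLocalPort(), 1000, 300));
            // Same server, validated longer read timeout: the response arrives in time.
            System.out.println(request(server.getLocalPort(), 1000, validate(5) * 1000));
        }
    }
}
```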

andham commented Sep 1, 2025

My feedback on this PR would then be that a 600 sec (10 min) default for the read timeout sounds a bit long. Wouldn't it make more sense to have something like 60-120 sec as default, which should be enough in most cases? And if not there needs to be an explicit configured higher value.

@janisz janisz merged commit c300cac into master Sep 4, 2025
3 checks passed
@janisz janisz deleted the configure_wait_time branch September 4, 2025 14:44

andham commented Sep 4, 2025

I just realized that the new property is not mentioned in the stackrox-container-image-scanner/README.md file.

Successfully merging this pull request may close these issues.

Configurable timeout