fix: set maximum of goroutines

cx-rogerio-dalot · cx-rogerio-dalot · commit 544c49400ae6 · 2025-06-04T13:24:01.000+01:00
diff --git a/cmd/workers.go b/cmd/workers.go
@@ -1,23 +1,24 @@
 package cmd
 
 import (
-	"github.com/checkmarx/2ms/lib/secrets"
-	"sync"
-
 	"github.com/checkmarx/2ms/engine"
 	"github.com/checkmarx/2ms/engine/extra"
+	"golang.org/x/sync/errgroup"
 )
 
 func processItems(engine *engine.Engine, pluginName string) {
 	defer channels.WaitGroup.Done()
 
-	wgItems := &sync.WaitGroup{}
+	g := errgroup.Group{}
+	g.SetLimit(1000)
 	for item := range channels.Items {
 		report.TotalItemsScanned++
-		wgItems.Add(1)
-		go engine.Detect(item, secretsChan, wgItems, pluginName, channels.Errors)
+		g.Go(func() error {
+			engine.Detect(item, secretsChan, pluginName, channels.Errors)
+			return nil
+		})
 	}
-	wgItems.Wait()
+	g.Wait()
 	close(secretsChan)
 }
 
@@ -42,37 +43,43 @@ func processSecrets() {
 func processSecretsExtras() {
 	defer channels.WaitGroup.Done()
 
-	wgExtras := &sync.WaitGroup{}
+	g := errgroup.Group{}
+	g.SetLimit(10)
 	for secret := range secretsExtrasChan {
-		wgExtras.Add(1)
-		go extra.AddExtraToSecret(secret, wgExtras)
+		g.Go(func() error {
+			extra.AddExtraToSecret(secret)
+			return nil
+		})
 	}
-	wgExtras.Wait()
+	g.Wait()
 }
 
 func processValidationAndScoreWithValidation(engine *engine.Engine) {
 	defer channels.WaitGroup.Done()
 
-	wgValidation := &sync.WaitGroup{}
+	g := errgroup.Group{}
+	g.SetLimit(10)
 	for secret := range validationChan {
-		wgValidation.Add(2)
-		go func(secret *secrets.Secret, wg *sync.WaitGroup) {
-			engine.RegisterForValidation(secret, wg)
-			engine.Score(secret, true, wg)
-		}(secret, wgValidation)
+		g.Go(func() error {
+			engine.RegisterForValidation(secret)
+			engine.Score(secret, true)
+			return nil
+		})
 	}
-	wgValidation.Wait()
-
+	g.Wait()
 	engine.Validate()
 }
 
 func processScoreWithoutValidation(engine *engine.Engine) {
 	defer channels.WaitGroup.Done()
 
-	wgScore := &sync.WaitGroup{}
+	g := errgroup.Group{}
+	g.SetLimit(10)
 	for secret := range cvssScoreWithoutValidationChan {
-		wgScore.Add(1)
-		go engine.Score(secret, false, wgScore)
+		g.Go(func() error {
+			engine.Score(secret, false)
+			return nil
+		})
 	}
-	wgScore.Wait()
+	g.Wait()
 }
diff --git a/engine/engine.go b/engine/engine.go
@@ -3,14 +3,14 @@ package engine
 import (
 	"crypto/sha1"
 	"fmt"
-	"github.com/checkmarx/2ms/engine/linecontent"
-	"github.com/checkmarx/2ms/engine/score"
 	"os"
 	"regexp"
 	"strings"
-	"sync"
 	"text/tabwriter"
 
+	"github.com/checkmarx/2ms/engine/linecontent"
+	"github.com/checkmarx/2ms/engine/score"
+
 	"github.com/checkmarx/2ms/engine/rules"
 	"github.com/checkmarx/2ms/engine/validation"
 	"github.com/checkmarx/2ms/lib/secrets"
@@ -78,9 +78,7 @@ func Init(engineConfig EngineConfig) (*Engine, error) {
 	}, nil
 }
 
-func (e *Engine) Detect(item plugins.ISourceItem, secretsChannel chan *secrets.Secret, wg *sync.WaitGroup, pluginName string, errors chan error) {
-	defer wg.Done()
-
+func (e *Engine) Detect(item plugins.ISourceItem, secretsChannel chan *secrets.Secret, pluginName string, errors chan error) {
 	fragment := detect.Fragment{
 		Raw:      *item.GetContent(),
 		FilePath: item.GetSource(),
@@ -137,13 +135,11 @@ func (e *Engine) AddRegexRules(patterns []string) error {
 	return nil
 }
 
-func (s *Engine) RegisterForValidation(secret *secrets.Secret, wg *sync.WaitGroup) {
-	defer wg.Done()
+func (s *Engine) RegisterForValidation(secret *secrets.Secret) {
 	s.validator.RegisterForValidation(secret)
 }
 
-func (s *Engine) Score(secret *secrets.Secret, validateFlag bool, wg *sync.WaitGroup) {
-	defer wg.Done()
+func (s *Engine) Score(secret *secrets.Secret, validateFlag bool) {
 	validationStatus := secrets.UnknownResult // default validity
 	if validateFlag {
 		validationStatus = secret.ValidationStatus
diff --git a/engine/engine_test.go b/engine/engine_test.go
@@ -2,10 +2,10 @@ package engine
 
 import (
 	"fmt"
-	"github.com/stretchr/testify/assert"
-	"sync"
 	"testing"
 
+	"github.com/stretchr/testify/assert"
+
 	"github.com/checkmarx/2ms/engine/rules"
 	"github.com/checkmarx/2ms/lib/secrets"
 	"github.com/checkmarx/2ms/plugins"
@@ -79,9 +79,7 @@ func TestDetector(t *testing.T) {
 
 		secretsChan := make(chan *secrets.Secret, 1)
 		errorsChan := make(chan error, 1)
-		wg := &sync.WaitGroup{}
-		wg.Add(1)
-		detector.Detect(i, secretsChan, wg, fsPlugin.GetName(), errorsChan)
+		detector.Detect(i, secretsChan, fsPlugin.GetName(), errorsChan)
 		close(secretsChan)
 
 		s := <-secretsChan
@@ -155,9 +153,7 @@ func TestSecrets(t *testing.T) {
 			fmt.Printf("Start test %s", name)
 			secretsChan := make(chan *secrets.Secret, 1)
 			errorsChan := make(chan error, 1)
-			wg := &sync.WaitGroup{}
-			wg.Add(1)
-			detector.Detect(item{content: &secret.Content}, secretsChan, wg, fsPlugin.GetName(), errorsChan)
+			detector.Detect(item{content: &secret.Content}, secretsChan, fsPlugin.GetName(), errorsChan)
 			close(secretsChan)
 			close(errorsChan)
 
diff --git a/engine/extra/extra.go b/engine/extra/extra.go
@@ -5,7 +5,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"strings"
-	"sync"
 
 	"github.com/checkmarx/2ms/lib/secrets"
 )
@@ -16,8 +15,7 @@ var ruleIDToFunction = map[string]addExtraFunc{
 	"jwt": addExtraJWT,
 }
 
-func AddExtraToSecret(secret *secrets.Secret, wg *sync.WaitGroup) {
-	defer wg.Done()
+func AddExtraToSecret(secret *secrets.Secret) {
 	if addExtra, ok := ruleIDToFunction[secret.RuleID]; ok {
 		extraData := addExtra(secret)
 		if extraData != nil && extraData != "" {
diff --git a/engine/extra/extra_test.go b/engine/extra/extra_test.go
@@ -3,10 +3,10 @@ package extra
 import (
 	"encoding/base64"
 	"fmt"
+	"testing"
+
 	"github.com/checkmarx/2ms/lib/secrets"
 	"github.com/stretchr/testify/assert"
-	"sync"
-	"testing"
 )
 
 func TestAddExtraToSecret(t *testing.T) {
@@ -50,10 +50,7 @@ func TestAddExtraToSecret(t *testing.T) {
 				ExtraDetails: make(map[string]interface{}),
 			}
 
-			var wg sync.WaitGroup
-			wg.Add(1)
-			AddExtraToSecret(secret, &wg)
-			wg.Wait()
+			AddExtraToSecret(secret)
 
 			assert.Equal(t, tt.expectedOutput, secret.ExtraDetails["secretDetails"])
 		})
diff --git a/engine/score/score_test.go b/engine/score/score_test.go
@@ -1,14 +1,15 @@
 package score_test
 
 import (
+	"sync"
+	"testing"
+
 	. "github.com/checkmarx/2ms/engine"
 	"github.com/checkmarx/2ms/engine/rules"
 	"github.com/checkmarx/2ms/engine/score"
 	"github.com/checkmarx/2ms/lib/secrets"
 	"github.com/stretchr/testify/assert"
 	ruleConfig "github.com/zricethezav/gitleaks/v8/cmd/generate/config/rules"
-	"sync"
-	"testing"
 )
 
 func TestScore(t *testing.T) {
@@ -216,9 +217,9 @@ func TestScore(t *testing.T) {
 		expectedRuleScores := expectedCvssScores[secret.RuleID]
 		validityIndex := getValidityIndex(secret.ValidationStatus)
 		unknownIndex := getValidityIndex(secrets.UnknownResult)
-		engine.Score(secret, true, &wg)
+		engine.Score(secret, true)
 		assert.Equal(t, expectedRuleScores[validityIndex], secret.CvssScore, "rule: %s", secret.RuleID)
-		engine.Score(secret, false, &wg)
+		engine.Score(secret, false)
 		assert.Equal(t, expectedRuleScores[unknownIndex], secret.CvssScore, "rule: %s", secret.RuleID)
 	}
 }
diff --git a/engine/validation/pairs.go b/engine/validation/pairs.go
@@ -1,8 +1,6 @@
 package validation
 
 import (
-	"sync"
-
 	"github.com/checkmarx/2ms/lib/secrets"
 )
 
@@ -38,8 +36,7 @@ func (p *pairsCollector) addIfNeeded(secret *secrets.Secret) bool {
 	return true
 }
 
-func (p *pairsCollector) validate(generalKey string, rulesById pairsByRuleId, wg *sync.WaitGroup) {
-	defer wg.Done()
+func (p *pairsCollector) validate(generalKey string, rulesById pairsByRuleId) {
 	generalKeyToValidation[generalKey](rulesById)
 }
 
diff --git a/engine/validation/validator.go b/engine/validation/validator.go
@@ -1,8 +1,6 @@
 package validation
 
 import (
-	"sync"
-
 	"github.com/checkmarx/2ms/engine/extra"
 	"github.com/checkmarx/2ms/lib/secrets"
 )
@@ -35,14 +33,11 @@ func (v *Validator) RegisterForValidation(secret *secrets.Secret) {
 }
 
 func (v *Validator) Validate() {
-	wg := &sync.WaitGroup{}
 	for generalKey, bySource := range v.pairsCollector.pairs {
 		for _, byRule := range bySource {
-			wg.Add(1)
-			v.pairsCollector.validate(generalKey, byRule, wg)
+			v.pairsCollector.validate(generalKey, byRule)
 		}
 	}
-	wg.Wait()
 }
 
 func IsCanValidateRule(ruleID string) bool {
diff --git a/go.mod b/go.mod
@@ -12,6 +12,7 @@ require (
 	github.com/spf13/viper v1.18.2-0.20240419203757-d539b7a2462e
 	github.com/stretchr/testify v1.9.0
 	github.com/zricethezav/gitleaks/v8 v8.18.2
+	golang.org/x/sync v0.10.0
 	golang.org/x/time v0.5.0
 	gopkg.in/yaml.v3 v3.0.1
 )
@@ -48,7 +49,6 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/crypto v0.32.0 // indirect
 	golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f // indirect
-	golang.org/x/sync v0.10.0 // indirect
 	golang.org/x/sys v0.29.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
diff --git a/plugins/filesystem.go b/plugins/filesystem.go
@@ -4,11 +4,11 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
-	"sync"
 	"time"
 
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
+	"golang.org/x/sync/errgroup"
 )
 
 const (
@@ -38,9 +38,7 @@ func (p *FileSystemPlugin) DefineCommand(items chan ISourceItem, errors chan err
 		Run: func(cmd *cobra.Command, args []string) {
 			log.Info().Msg("Folder plugin started")
 
-			wg := &sync.WaitGroup{}
-			p.getFiles(items, errors, wg)
-			wg.Wait()
+			p.getFiles(items, errors)
 			close(items)
 		},
 	}
@@ -60,7 +58,7 @@ func (p *FileSystemPlugin) DefineCommand(items chan ISourceItem, errors chan err
 	return cmd, nil
 }
 
-func (p *FileSystemPlugin) getFiles(items chan ISourceItem, errs chan error, wg *sync.WaitGroup) {
+func (p *FileSystemPlugin) getFiles(items chan ISourceItem, errs chan error) {
 	fileList := make([]string, 0)
 	err := filepath.Walk(p.Path, func(path string, fInfo os.FileInfo, err error) error {
 		if err != nil {
@@ -98,23 +96,25 @@ func (p *FileSystemPlugin) getFiles(items chan ISourceItem, errs chan error, wg
 		return
 	}
 
-	p.getItems(items, errs, wg, fileList)
+	p.getItems(items, errs, fileList)
 }
 
-func (p *FileSystemPlugin) getItems(items chan ISourceItem, errs chan error, wg *sync.WaitGroup, fileList []string) {
+func (p *FileSystemPlugin) getItems(items chan ISourceItem, errs chan error, fileList []string) {
+	g := errgroup.Group{}
+	g.SetLimit(1000)
 	for _, filePath := range fileList {
-		wg.Add(1)
-		go func(filePath string) {
-			defer wg.Done()
+		g.Go(func() error {
 			actualFile, err := p.getItem(filePath)
 			if err != nil {
 				errs <- err
 				time.Sleep(time.Second) // Temporary fix for incorrect non-error exits; needs a better solution.
-				return
+				return nil
 			}
 			items <- *actualFile
-		}(filePath)
+			return nil
+		})
 	}
+	g.Wait()
 }
 
 func (p *FileSystemPlugin) getItem(filePath string) (*item, error) {
diff --git a/plugins/filesystem_test.go b/plugins/filesystem_test.go

Original file line number	Diff line number	Diff line change
`@@ -1,8 +1,6 @@`
`1`	`1`	`package validation`
`2`	`2`
`3`	`3`	`import (`
`4`		`- "sync"`
`5`		`-`
`6`	`4`	`"github.com/checkmarx/2ms/lib/secrets"`
`7`	`5`	`)`
`8`	`6`
`@@ -38,8 +36,7 @@ func (p pairsCollector) addIfNeeded(secret secrets.Secret) bool {`
`38`	`36`	`return true`
`39`	`37`	`}`
`40`	`38`
`41`		`-func (p pairsCollector) validate(generalKey string, rulesById pairsByRuleId, wg sync.WaitGroup) {`
`42`		`- defer wg.Done()`
	`39`	`+func (p *pairsCollector) validate(generalKey string, rulesById pairsByRuleId) {`
`43`	`40`	`generalKeyToValidation[generalKey](rulesById)`
`44`	`41`	`}`
`45`	`42`