OSV Vulnerability Scanner Lacks HTTP Timeout, Risking Worker Process Hangs
A critical flaw in the OSV vulnerability scanning system leaves it vulnerable to indefinite hangs. The scanner makes external HTTP requests to the `api.osv.dev` service without configuring any timeout parameters. This omission means that if the external API becomes slow or unresponsive, the worker processes executing the scans can stall indefinitely, leading to worker starvation and cascading task failures across the system. While coarse-grained safeguards like worker isolation and a manager-level 300-second timeout exist, they are insufficient to prevent resource exhaustion from unresponsive network calls.
The vulnerability is rooted in the `atr/sbom/osv.py` module, specifically within the `scan_bundle()`, `_fetch_vulnerabilities_for_batch()`, and `_fetch_vulnerability_details()` functions. These functions initiate HTTP sessions using a utility function, `create_secure_session()`, which supports an optional `timeout` parameter. However, the OSV scanner's implementation fails to pass any timeout value, leaving the requests open-ended. The codebase already has the necessary infrastructure for secure, time-bound sessions, but the scanner does not utilize it.
This oversight creates a direct operational risk for any deployment relying on automated OSV scans. In an environment with high scan volume, a single degraded or malicious external endpoint could trigger a domino effect, stalling multiple workers and degrading overall system reliability. The recommended fix is straightforward: apply a defined timeout, such as `aiohttp.ClientTimeout(total=60, connect=10)`, to the session creation within the affected functions. Until this is implemented, the scanning service remains exposed to unpredictable performance degradation and failure from external dependency issues.
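The failure mode and the fix, as an added stand-alone illustration (not the scanner's own code and not taken from the page): since `aiohttp` may not be installed, the snippet uses only Python's standard library, with a constructed local server that accepts connections but never replies standing in for a stalled `api.osv.dev`, and a client that bounds the call with `asyncio.wait_for` in the same `total`/`connect` shape as the recommended `aiohttp.ClientTimeout(total=60, connect=10)`. The names `fetch_vulnerabilities`, `simulate_stalled_scan` and the request bytes are hypothetical; passing `total=None, connect=None` reproduces the unbounded wait the unpatched scanner suffers.

```python
import asyncio


async def _stalled_osv_handler(reader, writer):
    # Constructed stand-in for an unresponsive api.osv.dev: it accepts the
    # connection and reads until the client gives up, never sending a reply.
    await reader.read(-1)
    writer.close()


async def fetch_vulnerabilities(host, port, total=60.0, connect=10.0):
    """Issue one request and wait for a reply, bounded the way
    aiohttp.ClientTimeout(total=..., connect=...) bounds a session.
    Returns 'ok' on a reply, 'closed' if the peer hung up, 'timeout' if a
    bound was hit. total=None and connect=None reproduce the unbounded wait."""

    async def _request():
        # connect bound: covers only establishing the TCP connection
        reader, writer = await asyncio.wait_for(
            asyncio.open_connection(host, port), timeout=connect
        )
        try:
            # Hypothetical batch query; its content is irrelevant to the stall.
            writer.write(b"POST /v1/querybatch HTTP/1.1\r\nHost: api.osv.dev\r\n\r\n")
            await writer.drain()
            status_line = await reader.readline()
            return "ok" if status_line else "closed"
        finally:
            writer.close()

    # total bound: covers connect + send + wait for the response
    try:
        return await asyncio.wait_for(_request(), timeout=total)
    except asyncio.TimeoutError:
        return "timeout"


async def _scan_against_stalled_api(total, connect):
    server = await asyncio.start_server(_stalled_osv_handler, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    loop = asyncio.get_running_loop()
    started = loop.time()
    try:
        result = await fetch_vulnerabilities("127.0.0.1", port, total, connect)
    finally:
        server.close()
        await server.wait_closed()
    return result, loop.time() - started


def simulate_stalled_scan(total=0.5, connect=0.2):
    """Scan against the stalled stand-in; returns (result, seconds_elapsed).
    With the bounds set the worker is released promptly instead of hanging."""
    return asyncio.run(_scan_against_stalled_api(total, connect))
```

In the real module the equivalent change is to hand `aiohttp.ClientTimeout(total=60, connect=10)` to `create_secure_session()` in each of the three affected functions and to catch the resulting `asyncio.TimeoutError` so a stalled upstream is reported as a failed scan rather than a stuck worker.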