
fix(scanner): prevent oom crashes by capping file read size#184

Merged
san-zrl merged 1 commit into cbomkit:main from Xavelyn:fix/unbound_memory_allocation
Apr 13, 2026

Conversation

Contributor

@Xavelyn Xavelyn commented Apr 10, 2026

Summary

This PR should fix an Out-Of-Memory problem in the scanner plugins by enforcing a strict memory cap during file reads, preventing unbounded memory allocations when analyzing massive files.

Motivation

Previously, the certificates and secrets plugins utilized unbounded read operations to load files entirely into RAM before parsing. When the scanner encountered large files (e.g. multi-gigabyte database files), this caused big memory spikes. In our deployment, the scanner was running in a K8s environment with limited memory to scan other container images; this resulted in abrupt crashes of the entire container the scanner was running in.

This was tested with the following image: https://hub.docker.com/r/tenable/securitycenter-install. The previous code spiked in memory usage to near 6 GiB, while after the fix it spikes at around 500 MiB.

Features

  • Bounded Memory Allocation: Caps all file read operations to a maximum threshold using io.LimitReader.

  • Keeping the configurable Limits and Default Limits

Files Modified

provider/plugins/certificates/
└── certificates.go # Replaced ReadAllAndClose with LimitReader + defer
provider/plugins/secrets/
└── secrets.go # Replaced unbounded ReadAll with LimitReader + defer

Testing

$ go test ./scanner/plugins/certificates/... -v
=== RUN   TestIssue140_CombinedPEMFile
=== RUN   TestIssue140_CombinedPEMFile/parsePEMCertificatesFromPath_finds_cert_in_combined_file
=== RUN   TestIssue140_CombinedPEMFile/parsePEMCertificatesFromPath_returns_nil_for_non-PEM_file
=== RUN   TestIssue140_CombinedPEMFile/parsePEMCertificatesFromPath_returns_nil_for_PEM_with_only_keys
--- PASS: TestIssue140_CombinedPEMFile (0.00s)
    --- PASS: TestIssue140_CombinedPEMFile/parsePEMCertificatesFromPath_finds_cert_in_combined_file (0.00s)
    --- PASS: TestIssue140_CombinedPEMFile/parsePEMCertificatesFromPath_returns_nil_for_non-PEM_file (0.00s)
    --- PASS: TestIssue140_CombinedPEMFile/parsePEMCertificatesFromPath_returns_nil_for_PEM_with_only_keys (0.00s)
=== RUN   TestIssue56
=== RUN   TestIssue56/Issue_56
_redacted_
--- PASS: TestIssue56 (0.00s)
    --- PASS: TestIssue56/Issue_56 (0.00s)
PASS
ok      github.com/cbomkit/cbomkit-theia/scanner/plugins/certificates   0.007s

$ go test ./scanner/plugins/secrets/... -v
=== RUN   TestPrivateKey
_redacted_
--- PASS: TestPrivateKey (0.04s)
PASS
ok      github.com/cbomkit/cbomkit-theia/scanner/plugins/secrets        0.049s

Breaking Changes

None.
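The bounded-read pattern the PR describes, written out as an added example (this is not cbomkit-theia's own code, and the 16 MiB default, the function names and the constructed sample files are assumptions for illustration). The "before" shape loads the whole file with io.ReadAll; the "after" shape wraps the file in an io.LimitReader. One caveat a scanner author wants: io.LimitReader truncates silently, so the bounded reader below reads limit+1 bytes and reports a truncated flag, which lets the plugin log or count files whose tail was never scanned rather than quietly reporting them as clean.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// DefaultMaxFileSize is an assumed cap for this example; the PR keeps the
// project's configurable limits and defaults, but their values are not shown.
const DefaultMaxFileSize int64 = 16 * 1024 * 1024 // 16 MiB

// readAllUnbounded is the "before" shape of the plugins: the entire file is
// loaded into memory before parsing, so a multi-gigabyte file costs a
// multi-gigabyte allocation.
func readAllUnbounded(path string) ([]byte, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	return io.ReadAll(f)
}

// readAllBounded reads at most limit bytes from path. The io.LimitReader is
// sized limit+1 so that receiving a (limit+1)-th byte proves the file was
// larger than the cap; that extra byte is dropped and truncated=true is
// reported so the caller knows part of the file was not scanned.
func readAllBounded(path string, limit int64) (data []byte, truncated bool, err error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, false, err
	}
	defer f.Close()
	buf, err := io.ReadAll(io.LimitReader(f, limit+1))
	if err != nil {
		return nil, false, err
	}
	if int64(len(buf)) > limit {
		return buf[:limit], true, nil
	}
	return buf, false, nil
}

// containsPEMCertificate is a stand-in for the plugins' parsing step: it only
// looks for the PEM certificate header, enough to show that a truncated read
// still parses whatever fits under the cap.
func containsPEMCertificate(data []byte) bool {
	return bytes.Contains(data, []byte("-----BEGIN CERTIFICATE-----"))
}

// writeConstructedFile writes a constructed test file of the given size: a
// PEM header at the front followed by zero padding, standing in for a large
// binary such as the database files the PR describes.
func writeConstructedFile(path string, size int) error {
	payload := make([]byte, size)
	copy(payload, "-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n")
	return os.WriteFile(path, payload, 0o600)
}

func main() {
	dir, err := os.MkdirTemp("", "limitreader-demo")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer os.RemoveAll(dir)

	big := filepath.Join(dir, "big.bin")
	if err := writeConstructedFile(big, 1<<20); err != nil { // 1 MiB
		fmt.Println(err)
		return
	}
	const demoLimit = 64 * 1024 // 64 KiB cap, small so the demo is quick
	data, truncated, err := readAllBounded(big, demoLimit)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Printf("read %d bytes, truncated=%v, has cert header=%v\n",
		len(data), truncated, containsPEMCertificate(data))
}
```

The limit+1 read costs one extra byte of buffer and turns "the file was exactly the cap" and "the file was bigger than the cap" into distinguishable cases; a plugin that only wants to skip oversized files outright can call os.Stat first, but the LimitReader still bounds the allocation for non-regular files and for files that grow between the stat and the read.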

@Xavelyn Xavelyn requested a review from a team as a code owner April 10, 2026 20:11
@Xavelyn Xavelyn force-pushed the fix/unbound_memory_allocation branch from c57b0ab to 93b7188 April 10, 2026 20:30
Signed-off-by: Joshua Kristof <joshua.kristof@digits.schwarz>
@Xavelyn Xavelyn force-pushed the fix/unbound_memory_allocation branch from 93b7188 to c13749f April 10, 2026 20:33
Contributor

@san-zrl san-zrl left a comment


Hi @Xavelyn - Thank you very much for your interest in cbomkit-theia and your contributions. LGTM - this makes a lot of sense!

@san-zrl san-zrl merged commit 7d9c8b9 into cbomkit:main Apr 13, 2026
1 of 2 checks passed
@Xavelyn Xavelyn deleted the fix/unbound_memory_allocation branch April 21, 2026 20:19