Fix Docker scan hang: bound container removal, surface timeout telemetry

Fix 1: Add 30s timeout to RemoveContainerAsync in the finally block of
CreateAndRunContainerAsync. Previously used CancellationToken.None which
could hang indefinitely if the Docker daemon is slow removing a stuck
container, blocking the entire detector and pipeline.

Fix 2: Re-throw OperationCanceledException (when the token is cancelled)
before the generic catch(Exception) in ResolveImageAsync,
ScanDockerImageAsync, and ScanLocalImageAsync. This lets the OCE
propagate to ExecuteDetectorAsync where LinuxContainerDetectorTimeout
telemetry is emitted, enabling root-cause analysis of stuck scans.

Fix 3: Replace JsonSerializer.Serialize(e) with e.ToString() in
LinuxScanner.RunSyftAsync. Serializing exceptions with System.Text.Json
throws NotSupportedException on MethodBase properties.

Fix 4: Add safety-net catch(Exception) in ExecuteDetectorAsync after the
OCE catch. Ensures unexpected errors never escape the detector and crash
the harness or lose other detectors' results.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: Aayush Maini

src/Microsoft.ComponentDetection.Common/DockerService.cs

@@ -216,8 +216,21 @@ public async Task<ContainerDetails> InspectImageAsync(string image, Cancellation
         }
         finally
         {
-            // Best-effort container cleanup; RemoveContainerAsync already handles not-found.
-            await RemoveContainerAsync(container.ID, CancellationToken.None);
+            // Best-effort container cleanup with a bounded timeout.
+            // RemoveContainerAsync already handles not-found, but we must guard against
+            // the Docker daemon hanging on container removal (e.g. when the container
+            // process is stuck), which would block the detector indefinitely.
+            using var removeCts = new CancellationTokenSource(TimeSpan.FromSeconds(30));
+            try
+            {
+                await RemoveContainerAsync(container.ID, removeCts.Token);
+            }
+            catch (Exception ex) when (ex is OperationCanceledException or TimeoutException)
+            {
+                this.logger.LogWarning(
+                    "Timed out removing container {ContainerId} after 30s; abandoning cleanup",
+                    container.ID);
+            }
         }
     }
 

src/Microsoft.ComponentDetection.Detectors/linux/LinuxContainerDetector.cs

@@ -127,6 +127,10 @@ public async Task<IndividualDetectorScanResult> ExecuteDetectorAsync(
                 GetTimeout(request.DetectorArgs)
             );
         }
+        catch (Exception e)
+        {
+            this.logger.LogError(e, "Unexpected error during Linux container image scanning");
+        }
 
         return new IndividualDetectorScanResult
         {
@@ -285,6 +289,10 @@ private async Task ResolveImageAsync(
                     );
             }
         }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            throw;
+        }
         catch (Exception e)
         {
             this.logger.LogWarning(e, "Processing of image {ContainerImage} (kind {ImageType}) failed", imageRef.OriginalInput, imageRef.Kind);
@@ -388,6 +396,10 @@ private async Task<ImageScanningResult> ScanDockerImageAsync(
 
             return this.RecordComponents(containerDetails, layers, componentRecorder);
         }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            throw;
+        }
         catch (Exception e)
         {
             this.logger.LogWarning(e, "Scanning of image {ImageId} failed", containerDetails.ImageId);
@@ -525,6 +537,10 @@ private async Task<ImageScanningResult> ScanLocalImageAsync(
 
             return this.RecordComponents(containerDetails, layers, componentRecorder);
         }
+        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
+        {
+            throw;
+        }
         catch (Exception e)
         {
             this.logger.LogWarning(

src/Microsoft.ComponentDetection.Detectors/linux/LinuxScanner.cs

@@ -296,7 +296,7 @@ private async Task<string> RunSyftAsync(
                 }
                 catch (Exception e)
                 {
-                    syftTelemetryRecord.Exception = JsonSerializer.Serialize(e);
+                    syftTelemetryRecord.Exception = e.ToString();
                     this.logger.LogError(e, "Failed to run syft");
                     throw;
                 }

test/Microsoft.ComponentDetection.Detectors.Tests/LinuxContainerDetectorTests.cs

@@ -1290,4 +1290,181 @@ public async Task TestLinuxContainerDetector_ImageParseFailure_ContinuesScanning
             Times.Once
         );
     }
+
+    [TestMethod]
+    public async Task ExecuteDetectorAsync_ScannerThrowsOce_ReturnsSuccessWithEmptyResults()
+    {
+        // Verifies Fix 2 + OCE catch: when the scanning timeout fires,
+        // the OCE propagates out of the scan methods and is caught by
+        // ExecuteDetectorAsync, which returns Success with no components.
+        var componentRecorder = new ComponentRecorder();
+        var detectorArgs = new Dictionary<string, string> { { "Linux.ScanningTimeoutSec", "600" } };
+
+        var scanRequest = new ScanRequest(
+            new DirectoryInfo(Path.GetTempPath()),
+            (_, __) => false,
+            this.mockLogger.Object,
+            detectorArgs,
+            [NodeLatestImage],
+            componentRecorder
+        );
+
+        this.mockSyftLinuxScanner.Setup(scanner =>
+                scanner.ScanLinuxAsync(
+                    It.IsAny<string>(),
+                    It.IsAny<IEnumerable<DockerLayer>>(),
+                    It.IsAny<int>(),
+                    It.IsAny<ISet<ComponentType>>(),
+                    It.IsAny<LinuxScannerScope>(),
+                    It.IsAny<CancellationToken>()
+                )
+            )
+            .ThrowsAsync(new OperationCanceledException());
+
+        var detector = new LinuxContainerDetector(
+            this.mockSyftLinuxScanner.Object,
+            this.mockDockerService.Object,
+            this.mockLinuxContainerDetectorLogger.Object
+        );
+
+        var result = await detector.ExecuteDetectorAsync(scanRequest);
+
+        result.ResultCode.Should().Be(ProcessingResultCode.Success);
+        result.ContainerDetails.Should().BeEmpty();
+        componentRecorder.GetDetectedComponents().Should().BeEmpty();
+    }
+
+    [TestMethod]
+    public async Task ExecuteDetectorAsync_ScannerThrowsUnexpectedException_ReturnsSuccessDoesNotCrash()
+    {
+        // Verifies Fix 4 safety net: an unexpected exception from the
+        // scanner must never escape the detector. It should be caught,
+        // and the detector should return Success with empty results.
+        var componentRecorder = new ComponentRecorder();
+
+        var scanRequest = new ScanRequest(
+            new DirectoryInfo(Path.GetTempPath()),
+            (_, __) => false,
+            this.mockLogger.Object,
+            null,
+            [NodeLatestImage],
+            componentRecorder
+        );
+
+        this.mockSyftLinuxScanner.Setup(scanner =>
+                scanner.ScanLinuxAsync(
+                    It.IsAny<string>(),
+                    It.IsAny<IEnumerable<DockerLayer>>(),
+                    It.IsAny<int>(),
+                    It.IsAny<ISet<ComponentType>>(),
+                    It.IsAny<LinuxScannerScope>(),
+                    It.IsAny<CancellationToken>()
+                )
+            )
+            .ThrowsAsync(new InvalidOperationException("Unexpected Docker failure"));
+
+        var detector = new LinuxContainerDetector(
+            this.mockSyftLinuxScanner.Object,
+            this.mockDockerService.Object,
+            this.mockLinuxContainerDetectorLogger.Object
+        );
+
+        // The critical assertion: the detector must NOT throw.
+        var result = await detector.ExecuteDetectorAsync(scanRequest);
+
+        result.ResultCode.Should().Be(ProcessingResultCode.Success);
+        result.ContainerDetails.Should().BeEmpty();
+        componentRecorder.GetDetectedComponents().Should().BeEmpty();
+    }
+
+    [TestMethod]
+    public async Task ExecuteDetectorAsync_ImageResolveThrowsOce_ReturnsSuccessWithEmptyResults()
+    {
+        // Verifies Fix 2 in the resolve phase: if the timeout fires
+        // during image pull/inspect, the OCE is re-thrown from
+        // ResolveImageAsync and caught by ExecuteDetectorAsync.
+        var componentRecorder = new ComponentRecorder();
+        var detectorArgs = new Dictionary<string, string> { { "Linux.ScanningTimeoutSec", "600" } };
+
+        var scanRequest = new ScanRequest(
+            new DirectoryInfo(Path.GetTempPath()),
+            (_, __) => false,
+            this.mockLogger.Object,
+            detectorArgs,
+            [NodeLatestImage],
+            componentRecorder
+        );
+
+        this.mockDockerService.Setup(service =>
+                service.ImageExistsLocallyAsync(It.IsAny<string>(), It.IsAny<CancellationToken>())
+            )
+            .ThrowsAsync(new OperationCanceledException());
+
+        var detector = new LinuxContainerDetector(
+            this.mockSyftLinuxScanner.Object,
+            this.mockDockerService.Object,
+            this.mockLinuxContainerDetectorLogger.Object
+        );
+
+        var result = await detector.ExecuteDetectorAsync(scanRequest);
+
+        result.ResultCode.Should().Be(ProcessingResultCode.Success);
+        result.ContainerDetails.Should().BeEmpty();
+        componentRecorder.GetDetectedComponents().Should().BeEmpty();
+    }
+
+    [TestMethod]
+    public async Task ExecuteDetectorAsync_ScanThrowsOce_OtherImageStillScanned()
+    {
+        // When scanning multiple images and one times out, the entire
+        // detector should still return Success (not crash).
+        var componentRecorder = new ComponentRecorder();
+        const string secondImage = "alpine:latest";
+        const string secondImageId = "alpine123";
+
+        this.mockDockerService.Setup(service =>
+                service.InspectImageAsync(secondImage, It.IsAny<CancellationToken>())
+            )
+            .ReturnsAsync(
+                new ContainerDetails
+                {
+                    Id = 2,
+                    ImageId = secondImageId,
+                    Layers = [],
+                }
+            );
+
+        // First image scans fine, second throws OCE
+        this.mockSyftLinuxScanner.Setup(scanner =>
+                scanner.ScanLinuxAsync(
+                    secondImageId,
+                    It.IsAny<IEnumerable<DockerLayer>>(),
+                    It.IsAny<int>(),
+                    It.IsAny<ISet<ComponentType>>(),
+                    It.IsAny<LinuxScannerScope>(),
+                    It.IsAny<CancellationToken>()
+                )
+            )
+            .ThrowsAsync(new OperationCanceledException());
+
+        var scanRequest = new ScanRequest(
+            new DirectoryInfo(Path.GetTempPath()),
+            (_, __) => false,
+            this.mockLogger.Object,
+            null,
+            [NodeLatestImage, secondImage],
+            componentRecorder
+        );
+
+        var detector = new LinuxContainerDetector(
+            this.mockSyftLinuxScanner.Object,
+            this.mockDockerService.Object,
+            this.mockLinuxContainerDetectorLogger.Object
+        );
+
+        var result = await detector.ExecuteDetectorAsync(scanRequest);
+
+        // Must not crash, must return Success
+        result.ResultCode.Should().Be(ProcessingResultCode.Success);
+    }
 }