add max-os-threads flag

[dogancanbakir]

Proposed changes

Closes #5605

Checklist

• Pull request is created against the dev branch
• All checks passed (lint, unit/integration/regression tests etc.) with my changes
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation (if appropriate)

Summary by CodeRabbit

• Chores

  • Updated dependency versions for improved stability and performance.
  • Added a retraction notice for a previously released version due to issues.

• Refactor

  • Introduced an import statement to enhance functionality without altering existing features.

[Mzack9999]

What do you think if we make this automatic to a reasonable larger amount than the estimated maximum parallelism, for example something like the result of 3 x (concurrency x bulk-size x payload-concurrency + js-concurrency + probe-concurrency)

[dogancanbakir]

We can do that, but I believe overriding it should be an option.

[Mzack9999]

Since this is something valid for all the tools I think we should consider overidding the setting via environment variable and move this logic to the utils package that will evaluate within an init() function in any existing package providing similar functionalities, or eventually creating a new one named global, for example:

$ OS_THREADS=xxx nuclei

What do you think?

[tarunKoyalwar]

if possible i think we should skip adding this flag, don't exactly have a link to quote at the moment but i did read in golang repo or google form that if max threads threshold is being breached either something went wrong at go level (cgo or something else) or a usecase that might not be suitable for go , but almost all cases this setting would not be required to tweak ( even db's do not start 10k threads if i am not wrong )

also recently a contributor reported same issue when i asked if he was able to repro this on different machine it turned out the bug was in the machine / setup and not nuclei ( see: https://github.com/orgs/projectdiscovery/discussions/4767 )

[dogancanbakir]

@Mzack9999 makes sense.

@tarunKoyalwar We focus only on maximizing limits. If we allow users to configure this, they will have the flexibility to increase the maximum limit and set it to a lower value if desired.

[coderabbitai]

Walkthrough

The pull request includes updates to the go.mod file, reflecting changes in dependency versions for two packages and adding a retraction notice for a specific version. Additionally, an import statement has been added to the pkg/protocols/common/protocolinit/init.go file, although the existing functionality of the Init and Close functions remains unchanged.

Changes

File	Change Summary
go.mod	Updated dependency versions: hmap from v0.0.67 to v0.0.68, utils from v0.2.19 to v0.2.21; added retraction for v3.2.0.
pkg/protocols/common/protocolinit/init.go	Added import statement for github.com/projectdiscovery/utils/global; no changes to function logic or signatures.

Assessment against linked issues

Objective	Addressed	Explanation
Should start the scan without any error (#5605)	❌	The changes do not address the thread exhaustion issue.

Poem

In the code where rabbits play,
Dependencies hop and sway.
With versions fresh, they leap anew,
A retraction here, a change or two.
So let us scan without a care,
For smoother runs are in the air! 🐇✨

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 90bc1c3 and 189bb69.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (2)

• go.mod (2 hunks)
• pkg/protocols/common/protocolinit/init.go (1 hunks)

✅ Files skipped from review due to trivial changes (2)

• go.mod
• pkg/protocols/common/protocolinit/init.go

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[dogancanbakir]

depends on projectdiscovery/utils#572

[coderabbitai]

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (4)

pkg/types/types.go (3)

306-307: Enhance the field documentation with more details.

The current comment should provide more context about the purpose, impact, and recommended values for this setting.

-	// MaxOSThreads is the maximum number of OS threads to use
+	// MaxOSThreads is the maximum number of operating system threads to use.
+	// This setting helps prevent thread exhaustion when scanning with large numbers
+	// of templates. The default is 10000. Setting this too low may impact performance,
+	// while setting it too high may cause system resource issues.

---

Line range hint 590-603: Add default value for MaxOSThreads in DefaultOptions.

The MaxOSThreads field should have a sensible default value to prevent potential issues when not explicitly set.

 func DefaultOptions() *Options {
 	return &Options{
 		RateLimit:               150,
 		RateLimitDuration:       time.Second,
 		BulkSize:                25,
 		TemplateThreads:         25,
 		HeadlessBulkSize:        10,
 		PayloadConcurrency:      25,
 		HeadlessTemplateThreads: 10,
 		ProbeConcurrency:        50,
+		MaxOSThreads:            10000,
 		Timeout:                 5,
 		Retries:                 1,
 		MaxHostError:            30,
 		ResponseReadSize:        10 * unitutils.Mega,
 		ResponseSaveSize:        unitutils.Mega,
 	}
 }

---

306-307: Consider adding value validation for MaxOSThreads.

To prevent potential system issues, it would be beneficial to add validation for the MaxOSThreads value to ensure it stays within reasonable bounds.

Consider:

1. Adding a minimum value check (e.g., >= 100) to ensure basic functionality
2. Adding a maximum value check based on system capabilities
3. Implementing this in a new validation method or extending existing validation logic

Example validation approach:

// ValidateThreads validates the MaxOSThreads configuration
func (options *Options) ValidateThreads() error {
    if options.MaxOSThreads < 100 {
        return fmt.Errorf("max-os-threads must be >= 100")
    }
    // Consider system-specific maximum based on available resources
    if options.MaxOSThreads > 100000 {
        return fmt.Errorf("max-os-threads must be <= 100000")
    }
    return nil
}

cmd/nuclei/main.go (1)

405-405: LGTM: Well-structured flag definition

The max-os-threads flag is appropriately placed in the optimization group with a clear description and sensible default value.

Consider adding documentation about:

• The implications of adjusting this value
• Recommended ranges based on system capabilities
• Potential impact on performance and stability

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between b2d4efe and 90bc1c3.

📒 Files selected for processing (2)

• cmd/nuclei/main.go (3 hunks)
• pkg/types/types.go (1 hunks)

🔇 Additional comments (1)

cmd/nuclei/main.go (1)

21-21: LGTM: Clean import addition

The sysutil import is correctly placed and necessary for the new thread management functionality.