Those options refer to server-side resources identified by their URL, in your case it's the DOM that's creating an infinite amount of states based on URL fragments, which affect the client side of things.
Try using the nightlies and setting the --scope-dom-event-limit option. It doesn't give you as much control as the other options but it's a start, so give it a shot and let me know how it goes.
Thanks for the response, but that did not seem to help. I used the nightly build and tried several different values for --scope-dom-event-limit, including 5, 1, and 0, but all resulted in an infinite crawl. I also tried using --scope-dom-depth-limit and even a vector feed trained from the proxy usage, but they all exhibited the same unlimited crawl over the time parameter. I've considered passing a specific set of paths to scan if I have to, but that is obviously not ideal since it would have to be updated as the app changes and it would be nice to have the better coverage of an actual crawl. I would appreciate any other ideas of what I can try to do a crawl but avoid this issue.
Would it possibly help to use the audit options to avoid this issue? I'm trying to test them out, but I'm not clear on how they work in the CLI. As in, if --audit-ui-forms and --audit-ui-inputs are enabled by default, would passing them then disable them since they don't take any parameter like false? I'm also not clear on what should be passed into the --audit-exclude-vector option, like is it the name of inputs within my app or just a shortcut for listing out Arachni's audit options by name.
All audit options are enabled by default, but if you start setting your own then all others will be disabled.
From what I understand though no existing option will help your situation, I'll need to add some new ones.
Any chance I can be given access to that site in order to see the cause of the issue and also use it as a test-case?
I appreciate the help if you want to take a look at the site. We need to know the IP address/range you would be coming from though in order to enable access to the dev version of our site since we would prefer not to put excess load on our prod/beta version. I also have a rb login script with test credentials I can send you that should cover the authentication portion of the test. What would be the best way to exchange that information? Should I start a private discussion?