Feature/206 fix issues detected by aquasec scanner (#207)

* #206 - Fix issues detected by Aquasec scanner - CWE-295: Improper Certificate Validation
- Code refactored to different solution.

Author: miroslavpojer

DEVELOPER.md

@@ -176,6 +176,13 @@ export INPUT_VERBOSE="true"
 export GITHUB_REPOSITORY="< owner >/< repo-name >"
 export INPUT_GITHUB_TOKEN=$(printenv <your-env-token-var>)
 
+PROJECT_ROOT="$(pwd)"
+export PYTHONPATH="${PYTHONPATH}:${PROJECT_ROOT}"
+
+# Debugging statements
+echo "PYTHONPATH: ${PYTHONPATH}"
+echo "Current working directory: ${PROJECT_ROOT}"
+
 # Run the Python script
 python3 ./<path-to-action-project-root>/main.py
 ```

release_notes_generator/record/factory/default_record_factory.py

@@ -131,7 +131,9 @@ def _register_pull_and_its_commits_to_issue(
 
         pr_repo = target_repository if target_repository is not None else data.home_repository
 
-        merged_linked_issues: set[str] = self._safe_call(get_issues_for_pr)(pull_number=pull.number) or set()
+        merged_linked_issues: set[str] = (
+            self._safe_call(get_issues_for_pr)(pull_number=pull.number, requester=self._github.requester) or set()
+        )
         merged_linked_issues.update(extract_issue_numbers_from_body(pull, pr_repo))
         pull_issues: list[str] = list(merged_linked_issues)
         attached_any = False

release_notes_generator/utils/pull_request_utils.py

@@ -21,7 +21,8 @@
 import re
 from functools import lru_cache
 
-import requests
+from github import GithubException
+from github.Requester import Requester
 from github.PullRequest import PullRequest
 from github.Repository import Repository
 
@@ -53,9 +54,8 @@ def extract_issue_numbers_from_body(pr: PullRequest, repository: Repository) ->
 
 
 @lru_cache(maxsize=1024)
-def get_issues_for_pr(pull_number: int) -> set[str]:
+def get_issues_for_pr(pull_number: int, requester: Requester) -> set[str]:
     """Fetch closing issue numbers for a PR via GitHub GraphQL and return them as a set."""
-    github_api_url = "https://api.github.com/graphql"
     owner = ActionInputs.get_github_owner()
     name = ActionInputs.get_github_repo_name()
     query = ISSUES_FOR_PRS.format(
@@ -69,13 +69,24 @@ def get_issues_for_pr(pull_number: int) -> set[str]:
         "Content-Type": "application/json",
     }
 
-    response = requests.post(github_api_url, json={"query": query}, headers=headers, verify=False, timeout=10)
-    response.raise_for_status()  # Raise an error for HTTP issues
-    data = response.json()
-    if data.get("errors"):
-        raise RuntimeError(f"GitHub GraphQL errors: {data['errors']}")
+    try:
+        headers, payload = requester.graphql_query(query, headers)
+    except GithubException as e:
+        # e.status (int), e.data (dict/str) often contains useful details
+        raise RuntimeError(f"GitHub HTTP error {getattr(e, 'status', '?')}: {getattr(e, 'data', e)}") from e
+
+    if not isinstance(payload, dict):
+        raise RuntimeError(f"Malformed response payload type: {type(payload)}")
+
+    # GraphQL-level errors come inside a successful HTTP 200
+    if "errors" in payload:
+        messages = "; ".join(err.get("message", str(err)) for err in payload["errors"])
+        raise RuntimeError(f"GitHub GraphQL errors: {messages}")
+
+    if "data" not in payload:
+        raise RuntimeError("Malformed GraphQL response: missing 'data'")
 
     return {
         f"{owner}/{name}#{node['number']}"
-        for node in data["data"]["repository"]["pullRequest"]["closingIssuesReferences"]["nodes"]
+        for node in payload["data"]["repository"]["pullRequest"]["closingIssuesReferences"]["nodes"]
     }

tests/unit/conftest.py

@@ -25,6 +25,7 @@
 from github.PullRequest import PullRequest
 from github.Rate import Rate
 from github.Repository import Repository
+from github.Requester import Requester
 
 from release_notes_generator.model.record.commit_record import CommitRecord
 from release_notes_generator.model.record.hierarchy_issue_record import HierarchyIssueRecord
@@ -56,7 +57,7 @@ def wrapper(fn):
     return wrapper
 
 
-def mock_get_issues_for_pr(pull_number: int) -> set[int]:
+def mock_get_issues_for_pr(pull_number: int, requester: Requester) -> set[int]:
     # if pull_number == 150:
     #     return [451]
     return set()

tests/unit/release_notes_generator/record/factory/test_default_record_factory.py

@@ -21,6 +21,7 @@
 from github.Commit import Commit
 from github.Issue import Issue
 from github.PullRequest import PullRequest
+from github.Requester import Requester
 
 from release_notes_generator.model.record.commit_record import CommitRecord
 from release_notes_generator.model.record.hierarchy_issue_record import HierarchyIssueRecord
@@ -337,7 +338,7 @@ def wrapper(fn):
         return fn
     return wrapper
 
-def mock_get_issues_for_pr_no_issues(pull_number: int) -> list[str]:
+def mock_get_issues_for_pr_no_issues(pull_number: int, requester: Requester) -> list[str]:
     return []
 
 

tests/unit/release_notes_generator/utils/test_pull_request_utils.py

@@ -97,11 +97,17 @@ def test_get_issues_for_pr_success(monkeypatch):
     _patch_action_inputs(monkeypatch)
     _patch_issues_template(monkeypatch)
 
-    captured = {}
-    class Resp:
-        def raise_for_status(self): pass
-        def json(self):
-            return {
+    class MockRequester:
+        def __init__(self):
+            self.called = False
+            self.last_query = None
+            self.last_headers = None
+        def graphql_query(self, query, headers):
+            self.called = True
+            self.last_query = query
+            self.last_headers = headers
+            # Return (headers, payload) as expected by the new implementation
+            return headers, {
                 "data": {
                     "repository": {
                         "pullRequest": {
@@ -113,34 +119,21 @@ def json(self):
                 }
             }
 
-    def fake_post(url, json=None, headers=None, verify=None, timeout=None):
-        captured["url"] = url
-        captured["json"] = json
-        captured["headers"] = headers
-        captured["verify"] = verify
-        captured["timeout"] = timeout
-        return Resp()
-
-    monkeypatch.setattr(pru.requests, "post", fake_post)
-
-    result = pru.get_issues_for_pr(123)
+    requester = MockRequester()
+    result = pru.get_issues_for_pr(123, requester)
     assert result == {'OWN/REPO#11', 'OWN/REPO#22'}
-    assert captured["url"] == "https://api.github.com/graphql"
-    # Query string correctly formatted
-    assert captured["json"]["query"] == "Q 123 OWN REPO 10"
-    # Headers include token
-    assert captured["headers"]["Authorization"] == "Bearer TOK"
-    assert captured["verify"] is False
-    assert captured["timeout"] == 10
+    assert requester.called
+    assert requester.last_query == "Q 123 OWN REPO 10"
+    assert requester.last_headers["Authorization"] == "Bearer TOK"
+    assert requester.last_headers["Content-Type"] == "application/json"
 
 def test_get_issues_for_pr_empty_nodes(monkeypatch):
     _patch_action_inputs(monkeypatch)
     _patch_issues_template(monkeypatch)
 
-    class Resp:
-        def raise_for_status(self): pass
-        def json(self):
-            return {
+    class MockRequester:
+        def graphql_query(self, query, headers):
+            return headers, {
                 "data": {
                     "repository": {
                         "pullRequest": {
@@ -150,48 +143,49 @@ def json(self):
                 }
             }
 
-    monkeypatch.setattr(pru.requests, "post", lambda *a, **k: Resp())
-    assert pru.get_issues_for_pr(5) == set()
+    requester = MockRequester()
+    assert pru.get_issues_for_pr(5, requester) == set()
 
 def test_get_issues_for_pr_http_error(monkeypatch):
     _patch_action_inputs(monkeypatch)
     _patch_issues_template(monkeypatch)
 
-    class Resp:
-        def raise_for_status(self):
-            raise requests.HTTPError("Boom")
-        def json(self):
-            return {}
+    from github import GithubException
+    class MockGithubException(GithubException):
+        def __init__(self, status, data):
+            super().__init__(status, data)
+            # Do not set self.status or self.data directly
 
-    monkeypatch.setattr(pru.requests, "post", lambda *a, **k: Resp())
+    class MockRequester:
+        def graphql_query(self, query, headers):
+            raise MockGithubException(500, "Boom")
 
-    with pytest.raises(requests.HTTPError):
-        pru.get_issues_for_pr(77)
+    requester = MockRequester()
+    with pytest.raises(RuntimeError) as excinfo:
+        pru.get_issues_for_pr(77, requester)
+    assert "GitHub HTTP error 500" in str(excinfo.value)
 
 def test_get_issues_for_pr_malformed_response(monkeypatch):
     _patch_action_inputs(monkeypatch)
     _patch_issues_template(monkeypatch)
 
-    class Resp:
-        def raise_for_status(self): pass
-        def json(self):
-            # Missing the expected nested keys -> triggers KeyError
-            return {"data": {}}
-
-    monkeypatch.setattr(pru.requests, "post", lambda *a, **k: Resp())
+    class MockRequester:
+        def graphql_query(self, query, headers):
+            return headers, {"data": {}}  # Missing nested keys
 
+    requester = MockRequester()
     with pytest.raises(KeyError):
-        pru.get_issues_for_pr(42)
+        pru.get_issues_for_pr(42, requester)
 
 def test_get_issues_for_pr_caching(monkeypatch):
     _patch_action_inputs(monkeypatch)
     _patch_issues_template(monkeypatch)
 
     calls = {"count": 0}
-    class Resp:
-        def raise_for_status(self): pass
-        def json(self):
-            return {
+    class MockRequester:
+        def graphql_query(self, query, headers):
+            calls["count"] += 1
+            return headers, {
                 "data": {
                     "repository": {
                         "pullRequest": {
@@ -201,14 +195,9 @@ def json(self):
                 }
             }
 
-    def fake_post(*a, **k):
-        calls["count"] += 1
-        return Resp()
-
-    monkeypatch.setattr(pru.requests, "post", fake_post)
-
-    first = pru.get_issues_for_pr(900)
-    second = pru.get_issues_for_pr(900)  # should use cache
+    requester = MockRequester()
+    first = pru.get_issues_for_pr(900, requester)
+    second = pru.get_issues_for_pr(900, requester)  # should use cache
     assert first == {'OWN/REPO#9'} and second == {'OWN/REPO#9'}
     assert calls["count"] == 1  # only one network call
 
@@ -217,30 +206,24 @@ def test_get_issues_for_pr_different_numbers_not_cached(monkeypatch):
     _patch_issues_template(monkeypatch)
 
     calls = {"nums": []}
-    class Resp:
-        def __init__(self, n): self.n = n
-        def raise_for_status(self): pass
-        def json(self):
-            return {
+    class MockRequester:
+        def graphql_query(self, query, headers):
+            # Extract pull number back from formatted query tail
+            pull_num = int(query.split()[1])
+            calls["nums"].append(pull_num)
+            return headers, {
                 "data": {
                     "repository": {
                         "pullRequest": {
-                            "closingIssuesReferences": {"nodes": [{"number": self.n}]}
+                            "closingIssuesReferences": {"nodes": [{"number": pull_num}]}
                         }
                     }
                 }
             }
 
-    def fake_post(url, json=None, **k):
-        # Extract pull number back from formatted query tail
-        pull_num = int(json["query"].split()[1])
-        calls["nums"].append(pull_num)
-        return Resp(pull_num)
-
-    monkeypatch.setattr(pru.requests, "post", fake_post)
-
-    r1 = pru.get_issues_for_pr(1)
-    r2 = pru.get_issues_for_pr(2)
+    requester = MockRequester()
+    r1 = pru.get_issues_for_pr(1, requester)
+    r2 = pru.get_issues_for_pr(2, requester)
     assert r1 == {'OWN/REPO#1'}
     assert r2 == {'OWN/REPO#2'}
     assert calls["nums"] == [1, 2]