Abhishekmishra2808 opened a new pull request, #595:
URL: https://github.com/apache/tooling-trusted-releases/pull/595

   ## Pull request summary

   **Meaningful subject (required):**
   Hardens TLS security by centralizing HTTP session management and enforcing TLS 1.2+ (#548)
   
   **Description:**
   This PR addresses security issue #548 by moving the codebase away from "invisible" system defaults for HTTP connections and enforcing strict, code-level security standards.
   
   ### Key Changes:
   * **Centralized Security Utility**: Created `create_secure_ssl_context()` and `create_secure_session()` in `atr/util.py` to act as a single point of enforcement for all external requests.
   * **Protocol Enforcement**: Hardcodes `minimum_version = ssl.TLSVersion.TLSv1_2` to ensure compliance with modern security standards (TLS 1.2 and above).
   * **ASVS Compliance**:
       * **ASVS 9.1.1**: Explicitly enables `check_hostname = True`.
       * **ASVS 9.1.2**: Mandates `verify_mode = ssl.CERT_REQUIRED`.
   * **Project-wide Refactor**: Replaced 15 instances of `aiohttp.ClientSession()` with the new secure session factory across 9 core files, including `apache.py`, `osv.py`, `jwtoken.py`, and `distributions.py`.
   * **Security Test Suite**: Added `tests/test_util_security.py` with 11 unit tests verifying that the SSL context and session configuration strictly adhere to these requirements without requiring network access.
   
   ---
   
   ## Required acknowledgements
   
   Please replace each `[ ]` with `[x]` to confirm.
   
   * [x] I have read and followed **CONTRIBUTING.md**
   * [x] I have read **DEVELOPMENT.md**
   * [x] I have run the required tests and checks locally
   * [x] All required checks are currently passing
   * [x] This branch is **rebased on the current `main` branch**
   
   ---
   
   ## Draft requirement
   
   Convert to a ready PR only after all acknowledgements above can be confirmed.
   
   ---
   
   ## Rebase confirmation details (optional but encouraged)
   
   ```bash
   git fetch origin
   git rebase origin/main
   ```
   
   
   
   ## Additional notes
   
   ### Verification & `make check` Results:
   * **Linter/Formatter**: `ruff check . --exclude typestubs/` passes with **0 errors**.
   * **Unit Tests**: All 11 new security configuration tests passed successfully. These tests verify the `SSLContext` configuration (Protocol 771/TLS 1.2, Verify Mode 2/CERT_REQUIRED) to ensure we are not drifting back to insecure defaults.
   * **Security Proof**: Verified that the application now explicitly rejects untrusted connections (e.g., self-signed certificates), ensuring consistent behavior across different deployment environments regardless of OS-level CA store variations.
   * **Environment Note**: A pre-existing `Pyright` failure was noted in `playwright/test.py` due to missing dependencies and an expired Yarn GPG key in the Codespace environment. This is unrelated to the `atr/` backend refactor.
   
   ### Proof of Passing Checks:
   **Ruff Check Results**
   <img width="927" height="196" alt="image" src="https://github.com/user-attachments/assets/06f924b0-b762-4ec8-9a9e-e8dc75f20e24" />

   **Pytest Results**
   <img width="1109" height="557" alt="image" src="https://github.com/user-attachments/assets/84e84a55-0c58-45bd-a7d8-ca6219f1e4ad" />

   **Make Check Results**
   <img width="732" height="647" alt="image" src="https://github.com/user-attachments/assets/290c01b9-3461-4a44-9b80-9de2fbc121e2" />
   
   
   
   ---
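The context hardening and the offline configuration checks described in this PR, as an added illustration that is not the project's own `atr/util.py` code: `create_secure_ssl_context()` is a hypothetical stand-in for the PR's function, and `audit_ssl_context()` and `weakened_context()` are assumed helpers added here to show the policy check and the kind of configuration it catches. Only the Python standard library is used, so no aiohttp session is created.

```python
import ssl


def create_secure_ssl_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and always
    verifies the peer certificate and hostname (stand-in for the PR's
    function; the project's real implementation may differ)."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    # Set each requirement explicitly rather than relying on what the
    # interpreter or OpenSSL build happens to default to.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # protocol 771 = 0x0303
    ctx.check_hostname = True                     # ASVS 9.1.1
    ctx.verify_mode = ssl.CERT_REQUIRED           # ASVS 9.1.2 (value 2)
    return ctx


def audit_ssl_context(ctx: ssl.SSLContext) -> list[str]:
    """Offline policy check, in the spirit of the PR's unit tests.
    Returns one finding per violated requirement; an empty list passes."""
    findings: list[str] = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum_version is {ctx.minimum_version.name}; expected TLSv1_2 (771)"
        )
    if not ctx.check_hostname:
        findings.append("check_hostname is False (ASVS 9.1.1)")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(
            f"verify_mode is {ctx.verify_mode.name}; expected CERT_REQUIRED (2) (ASVS 9.1.2)"
        )
    return findings


def weakened_context() -> ssl.SSLContext:
    """Constructed example of the configuration the refactor guards against:
    verification switched off and the protocol floor left to the library."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


if __name__ == "__main__":
    print("secure:", audit_ssl_context(create_secure_ssl_context()) or "OK")
    print("weakened:", audit_ssl_context(weakened_context()))
```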
   
   
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]