Implemented Graphql requests for Github PR's, Issues and comments scanning

[kashifkhan0771]

Description:

This Pull request replaces the HTTP API requests for Github source PR's, Issues and their comments with GraphQL requests.

Scan Results with no verification:

Note: While results may vary slightly between runs, GraphQL consistently outperforms REST in scan duration.

Checklist:

• Tests passing (make test-community)?
• Lint passing (make lint this requires golangci-lint)?

[rosecodym]

I was initially skeptical of putting the new code in graphql.go, but I think I see why you did it and I can't think of a better option.

However, I did have some trouble following the rate limiting code - in particular, how it interacts with the rest of the GitHub rate limiting code. Specifically, it's doing a lot of its own stuff before it begins to use the rest of the rate limiting code, and I don't understand why it needs to do that beforehand. (Also, mentioned inline, 5 minutes is a huge interval, and Prometheus gets skipped in many cases.)

Can you try another pass over the rate limiting code to see if things can be clarified a bit?

[rosecodym]

This early return (and all of the later ones) happen before we report rate limiting to Prometheus, which means that we won't have much visibility when it happens. Relatedly, I find it a bit hard to follow this new rate limiting code - I suspect the difficulty was with integrating it with the existing rate limiting code. (For example: Why does this initial request have a 3x 5minute retry step before getting into the global rate limiting code?) You might be able to resolve both issues at once with another refactoring pass at this function.

[kashifkhan0771]

I overlooked the reporting to Prometheus. Thanks for pointing out!

The reason I initially set the request interval to 5 minutes was because the GraphQL API sometimes returns a rate limit error before the remaining value reaches 0. When this happens, the response includes no rate limit info, so we can't rely on the usual rate limit object and the resetAt value defaults to zero, which can cause incorrect handling.

To deal with this, I first handled the error case directly, then move on to process the rate limit if available.

Your comment gave me a new perspective, so I adjusted the approach a bit and now:

1. We first check if the global rate limit is already set.

   • If it's set, we use that value and delay accordingly.

2. If it's not set, and we receive an error:

   • We check if it's a rate limit issue.
   • In that case, we set the global rate limit (so other requests know to wait) and continue reporting to Prometheus.

3. If there's no error, we check the actual rate limit object:

   • If remaining < 3, we wait until the resetAt time.
   • Why 3? Because some GraphQL queries can cost more than one point, depending on complexity.

[rosecodym]

This is a huge retry interval. Does GitHub prescribe it?

[kashifkhan0771]

Answered in the above comment.

[camgunz]

Broadly looks good, just had a couple notes. We should add tests for this--probably the integration tests should cover this (maybe a unit test or two for chunkIDs), so if we just run the integration tests w/ UseGithubGraphqlAPI both false and true, that'd give us even more confidence we're not breaking anything.

[camgunz]

Let's start this off as false so it's not automatically turned on for EE customers (we can/should make it true for OSS after we get the flag in EE)

[camgunz]

Also, regretfully I think the initialism is GraphQL--if we're gonna do it for REST we should probably do it here too

[kashifkhan0771]

Sure, I'll temporarily turn it off. I didn't quite understand your second comment - just to clarify, we don’t use any initialism for REST.

[camgunz]

Oh I was just saying the "QL" is capitalized; Graphql -> GraphQL

[kashifkhan0771]

Done

[camgunz]

I'm an 80 columns person because I have a bunch of buffers open side-by-side, but I accept I'm a relic from an earlier time. This one (and at least one more below) are > 150 though--can we wrap somewhere between 90 and 120?

[camgunz]

(No need to do anything here, just musing)

Hrm, w/ the old code passing cutoffTime just the once was kind of 🤷🏻 , but now that we're carrying it around everywhere, it makes me think it'd be nice if we processed s.commentsTimeframeDays up top in Init, that way we don't need to drill it down everywhere.

[kashifkhan0771]

Sound's good we can do it in a separate optimization PR.

[camgunz]

😂

[kashifkhan0771]

We should add tests for this--probably the integration tests should cover this (maybe a unit test or two for chunkIDs), so if we just run the integration tests w/ UseGithubGraphqlAPI both false and true, that'd give us even more confidence we're not breaking anything.

I added the test but even the existing integration tests are not working for me 😿

[martinlocklear]

Left a couple of comments about rate limiting, and a strong opinion about tabular tests. (I've been drawing folks attention to testify's testsuite functionality to serve similar purposes but be more maintainable).

In general I think PRs this size are too large to effectively review - nothing stands out to me as a problem though.

[martinlocklear]

Suggested change

	if s.handleGraphqlRateLimitWithChunkReporter(ctx, reporter, &query.RateLimit, err) {
	if s.handleGraphqlRateLimitWithChunkReporter(ctx, reporter, &commentsQuery.RateLimit, err) {

Not sure if this is what you want or not.

[kashifkhan0771]

Good catch 👀

[martinlocklear]

Suggested change

	if s.handleGraphqlRateLimitWithChunkReporter(ctx, reporter, &query.RateLimit, err) {
	if s.handleGraphqlRateLimitWithChunkReporter(ctx, reporter, &commentQuery.RateLimit, err) {

Similar to another comment I made. It's not obvious to me from looking here which rate limit we should be respecting. Some inline comments might help.

If we aren't interested in respecting separate rate limits for each query object separately, I don't understand why the rate limit object is attached to the query object. (maybe out of scope for this?).

[kashifkhan0771]

We want to make sure we're respecting the rate limits for single-query objects, like the comments on a single PR. I mistakenly used the wrong rate limit in this case thanks for catching that. While it's rare to hit the rate limit on these individual queries, it's still important to get it right.

[martinlocklear]

Does this need to be rate limited as well?

[martinlocklear]

I think this comment is out of date now.

[martinlocklear]

Please avoid using tabular tests like this. They end up being hard to understand and even harder to maintain. Breaking these out into individual test functions (or even a new test suite) will make our lives easier in the future. imo, it's just as easy to copypasta a test function as it is to copypasta an item in a list of tests, but it's harder to manage as code paths diverge when they're not broken out.

[kashifkhan0771]

The github_integration_test.go file uses tabular test cases throughout. If we want to update the test case structure, we should apply the change consistently across all test cases. It might be better to create a separate ticket or PR for that cleanup.

[kashifkhan0771]

Done