[lgtm] Fix LGTM-reported issues (#1074)
Remember CodeQL (acfc1ef)? CodeQL basically runs [GitHub LGTM][0] on source code, looking for possible security issues. Now that CodeQL is running, we can begin addressing reported issues.

Add a `.lgtm.yml` file to exclude `cs/campaign/constantine`; this is a campaign asking for contact regarding certain constructs, and is just noise in the LGTM reporting page.

Problems found include:

* HttpClient created with CheckCertificateRevocationList disabled
* Wrong type of arguments to formatting function
* Weak cryptography
* Possible information leakage from uninitialized padding bytes
* ML Training and Serialization Files Referenced

~~ HttpClient created with CheckCertificateRevocationList disabled ~~

Apparently the `HttpClient` default constructor is "bad"; we should instead use the [`HttpClient(HttpMessageHandler)` constructor][1], provide our own `HttpClientHandler`, and ensure that [`HttpClientHandler.CheckCertificateRevocationList`][2] is True.

~~ Wrong type of arguments to formatting function ~~

Apparently LGTM doesn't realize that in C++ `long int` is synonymous with `long`, and thus warns that they're not the same. 🤦 Remove a cast to `long int`.

~~ Weak cryptography ~~

This is in `AuthDigestSession.cs`. Unfortunately, RFC2617 requires MD5, so we kinda need to use MD5. Add a `// lgtm [cs/weak-crypto]` comment to disable the warning.

~~ Possible information leakage from uninitialized padding bytes ~~

This is in `cpp-util.hh`, and it seems that LGTM doesn't appreciate our use of template metaprogramming to construct a `char_array<Len+1>` wherein `Len` is computed at compile time with no wasted padding.

~~ ML Training and Serialization Files Referenced ~~

LGTM apparently assumes that mentions of `.pb` are mentions of ML data training files. In our case, these were part of error messages from `aapt2` that we were attempting to translate. Add a `//lgtm [csharp/responsible-ai/ml-training-and-serialization-files-referenced]` comment to disable this warning.

Co-authored-by: Alex Hsu <csigs@users.noreply.github.com>

[0]: https://github.com/marketplace/lgtm
[1]: https://learn.microsoft.com/en-us/dotnet/api/system.net.http.httpclient.-ctor?view=netstandard-2.0#system-net-http-httpclient-ctor(system-net-http-httpmessagehandler)
[2]: https://learn.microsoft.com/en-us/dotnet/api/system.net.http.httpclienthandler.checkcertificaterevocationlist?view=net-7.0
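An added example, not code from this commit or its repository, of the `HttpClient` construction the first item describes: the client is built from an explicit `HttpClientHandler` with `CheckCertificateRevocationList` enabled, and a failed chain or revocation check is surfaced as an error rather than being retried with validation relaxed. The URL is a placeholder.

```csharp
using System;
using System.Net.Http;
using System.Security.Authentication;
using System.Threading.Tasks;

static class HardenedHttp
{
    // The parameterless HttpClient() constructor uses a handler whose
    // CheckCertificateRevocationList defaults to false, so a revoked server
    // certificate is still accepted. Build the handler explicitly instead.
    public static HttpClient CreateClient()
    {
        var handler = new HttpClientHandler
        {
            CheckCertificateRevocationList = true,
        };
        return new HttpClient(handler, disposeHandler: true);
    }

    // On .NET Core and later, a chain or revocation failure surfaces as an
    // HttpRequestException wrapping an AuthenticationException. Report it;
    // do not fall back to a handler with validation disabled.
    public static async Task<string> GetAsync(string url)
    {
        using var client = CreateClient();
        try
        {
            return await client.GetStringAsync(url);
        }
        catch (HttpRequestException e) when (e.InnerException is AuthenticationException auth)
        {
            throw new InvalidOperationException(
                $"TLS validation failed for {url}: {auth.Message}", e);
        }
    }

    public static async Task Main()
    {
        // Placeholder endpoint; substitute a real HTTPS URL to exercise the check.
        Console.WriteLine(await GetAsync("https://example.invalid/"));
    }
}
```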