Remember CodeQL (acfc1efe)? CodeQL basically runs [GitHub LGTM][0]
on source code, looking for possible security issues.
Now that CodeQL is running, we can begin addressing reported issues.
Add a `.lgtm.yml` file to exclude `cs/campaign/constantine`; this is
a campaign asking for contact regarding certain constructs, and is
just noise in the LGTM reporting page.
Problems found include:
* HttpClient created with CheckCertificateRevocationList disabled
* Wrong type of arguments to formatting function
* Weak cryptography
* Possible information leakage from uninitialized padding bytes
* ML Training and Serialization Files Referenced
~~ HttpClient created with CheckCertificateRevocationList disabled ~~
Apparently the `HttpClient` default constructor is "bad"; we should
instead use the [`HttpClient(HttpMessageHandler)` constructor][1],
provide our own `HttpClientHandler`, and ensure that
[`HttpClientHandler.CheckCertificateRevocationList`][2] is True.
~~ Wrong type of arguments to formatting function ~~
Apparently LGTM doesn't realize that in C++ `long int` is synonymous
with `long`, and thus warns that they're not the same. 🤦
Remove a cast to `long int`.
~~ Weak cryptography ~~
This is in `AuthDigestSession.cs`. Unfortunately, RFC2617 requires
MD5, so we kinda need to use MD5. Add a `// lgtm [cs/weak-crypto]`
comment to disable the warning.
~~ Possible information leakage from uninitialized padding bytes ~~
This is in `cpp-util.hh`, and it seems that LGTM doesn't appreciate
our use of template metaprogramming to construct a `char_array<Len+1>`
wherein `Len` is computed at compile time with no wasted padding.
~~ ML Training and Serialization Files Referenced ~~
LGTM apparently assumes that mentions of `.pb` are mentions of ML
data training files. In our case, these were part of error messages
from `aapt2` that we were attempting to translate.
Add a `//lgtm [csharp/responsible-ai/ml-training-and-serialization-files-referenced]`
comment to disable this warning.
Co-authored-by: Alex Hsu <csigs@users.noreply.github.com>
[0]: https://github.com/marketplace/lgtm
[1]: https://learn.microsoft.com/en-us/dotnet/api/system.net.http.httpclient.-ctor?view=netstandard-2.0#system-net-http-httpclient-ctor(system-net-http-httpmessagehandler)
[2]: https://learn.microsoft.com/en-us/dotnet/api/system.net.http.httpclienthandler.checkcertificaterevocationlist?view=net-7.0
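The `HttpClient` fix described above, written out as an added example (it is not code from this commit or this repository): the client is built through the `HttpClient(HttpMessageHandler, bool)` constructor with an explicit `HttpClientHandler` whose `CheckCertificateRevocationList` is set to `true`, which is the construction the LGTM warning asks for. The class and method names (`RevocationCheckedHttp`, `Create`, `ProbeAsync`) are assumptions made for the example.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;

// Added example, not the project's code. Builds HttpClient with an explicit
// handler so that certificate revocation is checked during the TLS handshake;
// the parameterless HttpClient() constructor leaves the handler default,
// which is CheckCertificateRevocationList = false and is what LGTM flags.
public static class RevocationCheckedHttp
{
    // Hypothetical factory (assumed name). Centralising construction here is
    // what keeps the handler setting from being forgotten at call sites.
    public static HttpClient Create()
    {
        var handler = new HttpClientHandler
        {
            // Default is false; turn it on so a certificate the platform
            // reports as revoked fails the handshake instead of being accepted.
            CheckCertificateRevocationList = true,
        };

        // disposeHandler: true ties the handler's lifetime to the client's.
        return new HttpClient(handler, disposeHandler: true);
    }

    // Hypothetical caller (assumed name) showing where a revocation failure
    // surfaces: the TLS/authentication error is wrapped in HttpRequestException,
    // so it is never observed as a "successful" response with a bad certificate.
    public static async Task<int> ProbeAsync(string url)
    {
        using var client = Create();
        try
        {
            using var response = await client.GetAsync(url);
            return (int)response.StatusCode;
        }
        catch (HttpRequestException ex)
        {
            Console.Error.WriteLine($"request to {url} failed: {ex.Message}");
            return -1;
        }
    }
}
```

If the code base already has its own `HttpClientHandler` (for proxies, cookies or a custom `ServerCertificateCustomValidationCallback`), the only change needed is setting `CheckCertificateRevocationList = true` on that existing handler before passing it to the constructor; a custom validation callback does not by itself enable revocation checking.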