CodeQL suppressions (#924)

microsoft · Dec 3, 2024 · 41d5111 · 41d5111
1 parent 0f372c8
commit 41d5111
Show file tree

Hide file tree

Showing 5 changed files with 65 additions and 8 deletions.
diff --git a/.gitignore b/.gitignore
@@ -12,6 +12,7 @@ _textdb/
 .chromaenv
 .chromadb
 *.patch
+.codeql
 
 ## Ignore Visual Studio temporary files, build results, and
 ## files generated by popular Visual Studio add-ons.

diff --git a/KernelMemory.sln.DotSettings b/KernelMemory.sln.DotSettings
@@ -112,6 +112,7 @@
 	<s:String x:Key="/Default/CodeStyle/Naming/CSharpNaming/Abbreviations/=MQTT/@EntryIndexedValue">MQTT</s:String>
 	<s:String x:Key="/Default/CodeStyle/Naming/CSharpNaming/Abbreviations/=MS/@EntryIndexedValue">MS</s:String>
 	<s:String x:Key="/Default/CodeStyle/Naming/CSharpNaming/Abbreviations/=MSAL/@EntryIndexedValue">MSAL</s:String>
+	<s:String x:Key="/Default/CodeStyle/Naming/CSharpNaming/Abbreviations/=NLF/@EntryIndexedValue">NLF</s:String>
 	<s:String x:Key="/Default/CodeStyle/Naming/CSharpNaming/Abbreviations/=OCR/@EntryIndexedValue">OCR</s:String>
 	<s:String x:Key="/Default/CodeStyle/Naming/CSharpNaming/Abbreviations/=OID/@EntryIndexedValue">OID</s:String>
 	<s:String x:Key="/Default/CodeStyle/Naming/CSharpNaming/Abbreviations/=OK/@EntryIndexedValue">OK</s:String>

diff --git a/service/Core/Diagnostics/CodeQL.cs b/service/Core/Diagnostics/CodeQL.cs
@@ -0,0 +1,20 @@
+// Copyright (c) Microsoft. All rights reserved.
+
+using System;
+
+namespace Microsoft.KernelMemory.Diagnostics;
+
+public static class CodeQL
+{
+    /// <summary>
+    /// See https://codeql.github.com/codeql-query-help/csharp/cs-log-forging/
+    /// </summary>
+    public static string? NLF(this string? text)
+    {
+        if (text == null) { return text; }
+
+        return text
+            .Replace("\n", "[char(10)]", StringComparison.Ordinal)
+            .Replace("\r", "[char(13)]", StringComparison.Ordinal);
+    }
+}
diff --git a/service/Service.AspNetCore/WebAPIEndpoints.cs b/service/Service.AspNetCore/WebAPIEndpoints.cs
@@ -16,6 +16,7 @@
 using Microsoft.Extensions.Logging;
 using Microsoft.KernelMemory.Configuration;
 using Microsoft.KernelMemory.Context;
+using Microsoft.KernelMemory.Diagnostics;
 using Microsoft.KernelMemory.DocumentStorage;
 using Microsoft.KernelMemory.HTTP;
 using Microsoft.KernelMemory.Service.AspNetCore.Models;
@@ -72,7 +73,7 @@ public static RouteHandlerBuilder AddPostUploadEndpoint(
                 // Allow internal classes to access custom arguments via IContextProvider
                 contextProvider.InitContextArgs(input.ContextArguments);
 
-                log.LogTrace("Index '{IndexName}'", input.Index);
+                log.LogTrace("Index '{IndexName}'", input.Index.NLF()); //lgtm[cs/log-forging]
 
                 if (!isValid)
                 {
@@ -87,7 +88,7 @@ public static RouteHandlerBuilder AddPostUploadEndpoint(
                         .ImportDocumentAsync(input.ToDocumentUploadRequest(), contextProvider.GetContext(), cancellationToken)
                         .ConfigureAwait(false);
 
-                    log.LogTrace("Doc Id '{DocumentId}'", documentId);
+                    log.LogTrace("Doc Id '{DocumentId}'", documentId.NLF()); //lgtm[cs/log-forging]
 
                     var url = Constants.HttpUploadStatusEndpointWithParams
                         .Replace(Constants.HttpIndexPlaceholder, input.Index, StringComparison.Ordinal)
@@ -167,7 +168,7 @@ async Task<IResult> (
                     ILogger<KernelMemoryWebAPI> log,
                     CancellationToken cancellationToken) =>
                 {
-                    log.LogTrace("New delete document HTTP request, index '{IndexName}'", index);
+                    log.LogTrace("New delete document HTTP request, index '{IndexName}'", index.NLF()); //lgtm[cs/log-forging]
                     await service.DeleteIndexAsync(index: index, cancellationToken)
                         .ConfigureAwait(false);
                     // There's no API to check the index deletion progress, so the URL is empty
@@ -205,7 +206,7 @@ async Task<IResult> (
                     ILogger<KernelMemoryWebAPI> log,
                     CancellationToken cancellationToken) =>
                 {
-                    log.LogTrace("New delete document HTTP request, index '{IndexName}'", index);
+                    log.LogTrace("New delete document HTTP request, index '{IndexName}'", index.NLF()); //lgtm[cs/log-forging]
                     await service.DeleteDocumentAsync(documentId: documentId, index: index, cancellationToken)
                         .ConfigureAwait(false);
                     var url = Constants.HttpUploadStatusEndpointWithParams
@@ -247,7 +248,8 @@ async Task (
                     // Allow internal classes to access custom arguments via IContextProvider
                     contextProvider.InitContextArgs(query.ContextArguments);
 
-                    log.LogTrace("New ask request, index '{IndexName}', minRelevance {MinRelevance}", query.Index, query.MinRelevance);
+                    log.LogTrace("New ask request, index '{IndexName}', minRelevance {MinRelevance}",
+                        query.Index.NLF(), query.MinRelevance); //lgtm[cs/log-forging]
 
                     IAsyncEnumerable<MemoryAnswer> answerStream = service.AskStreamingAsync(
                         question: query.Question,
@@ -341,7 +343,8 @@ async Task<IResult> (
                     // Allow internal classes to access custom arguments via IContextProvider
                     contextProvider.InitContextArgs(query.ContextArguments);
 
-                    log.LogTrace("New search HTTP request, index '{IndexName}', minRelevance {MinRelevance}", query.Index, query.MinRelevance);
+                    log.LogTrace("New search HTTP request, index '{IndexName}', minRelevance {MinRelevance}",
+                        query.Index.NLF(), query.MinRelevance); //lgtm[cs/log-forging]
                     SearchResult answer = await service.SearchAsync(
                             query: query.Query,
                             index: query.Index,
@@ -437,7 +440,8 @@ public static RouteHandlerBuilder AddGetDownloadEndpoint(
                     string.IsNullOrWhiteSpace(filename));
                 var errMsg = "Missing required parameter";
 
-                log.LogTrace("New download file HTTP request, index {IndexName}, documentId {DocumentId}, fileName {FileName}", index, documentId, filename);
+                log.LogTrace("New download file HTTP request, index {IndexName}, documentId {DocumentId}, fileName {FileName}",
+                    index.NLF(), documentId.NLF(), filename.NLF()); //lgtm[cs/log-forging]
 
                 if (!isValid)
                 {
@@ -461,7 +465,8 @@ public static RouteHandlerBuilder AddGetDownloadEndpoint(
                         return Results.Problem(title: "File not found", statusCode: 404);
                     }
 
-                    log.LogTrace("Downloading file '{FileName}', size '{FileSize}', type '{FileType}'", filename, file.FileSize, file.FileType);
+                    log.LogTrace("Downloading file '{FileName}', size '{FileSize}', type '{FileType}'",
+                        filename.NLF(), file.FileSize, file.FileType.NLF()); //lgtm[cs/log-forging]
                     Stream resultingFileStream = await file.GetStreamAsync().WaitAsync(cancellationToken).ConfigureAwait(false);
                     var response = Results.Stream(
                         resultingFileStream,

diff --git a/tools/dev/codeql.sh b/tools/dev/codeql.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+set -e
+
+REPO_DIR="$(cd "$(dirname "${BASH_SOURCE[0]:-$0}")" && cd ../.. && pwd)"
+CODEQL_DB=${REPO_DIR}/.codeql/db
+CODEQL_REPORT=${REPO_DIR}/.codeql/results.sarif
+
+cd $REPO_DIR
+
+echo -e "\033[1;32m- Repository:\033[0m ${REPO_DIR}"
+echo -e "\033[1;32m- Report    :\033[0m ${CODEQL_REPORT}.sarif\n"
+read -p "Press Enter to DELETE the existing CodeQL results and RUN A NEW analysis."
+
+mkdir -p ${REPO_DIR}/.codeql
+rm -f ${CODEQL_REPORT}
+
+echo -e "\033[1;32m\n### Install CodeQL C# queries ###\033[0m"
+codeql pack download "codeql/csharp-queries"
+
+echo -e "\033[1;32m\n### Perform CodeQL Analysis ###\033[0m"
+rm -fR ${CODEQL_DB}
+codeql database create ${CODEQL_DB} --source-root=${REPO_DIR} --language=csharp --build-mode=autobuild
+codeql database print-baseline ${CODEQL_DB}
+
+echo -e "\033[1;32m\n### Export CodeQL results ###\033[0m"
+codeql database analyze ${CODEQL_DB} --format=sarif-latest --output=${CODEQL_REPORT}
+
+echo -e "\033[1;32m\n### Done ###\033[0m"
+echo -e "\033[1;32m- Report:\033[0m ${CODEQL_REPORT}"