Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added CodeQL suppression justification comments for HTTP response building code path #10657

Open
wants to merge 1 commit into
base: dev
Choose a base branch
from

Conversation

kshyju
Copy link
Member

@kshyju kshyju commented Nov 26, 2024

Added CodeQL suppression justification comments for out of process layer response handling code path.

Pull request checklist

IMPORTANT: Currently, changes must be backported to the in-proc branch to be included in Core Tools and non-Flex deployments.

  • Backporting to the in-proc branch is not required
    • Otherwise: Link to backporting PR
  • My changes do not require documentation changes
    • Otherwise: Documentation issue linked to PR
  • My changes should not be added to the release notes for the next release
    • Otherwise: I've added my notes to release_notes.md
  • My changes do not need to be backported to a previous version
    • Otherwise: Backport tracked by issue/PR #issue_or_pr
  • My changes do not require diagnostic events changes
    • Otherwise: I have added/updated all related diagnostic events and their documentation (Documentation issue linked to PR)
  • I have added all required tests (Unit tests, E2E tests)

@kshyju kshyju requested a review from a team as a code owner November 26, 2024 21:54
@surgupta-msft
Copy link
Contributor

surgupta-msft commented Dec 2, 2024

Thanks Shyju. We need approval from Anirudh on similar PRs. Example PR with his approval and comment - Azure/azure-functions-dotnet-worker#2811 (review). Please also share codeql guidance link along with your PR. We can also update the title of PR similar to the one I linked here or this - link.

@@ -79,10 +79,12 @@ public async Task ExecuteResultAsync(ActionContext context)
{
if (cookie.Item3 != null)
{
// CodeQL [SM02373] This code path constructs the cookie collection based on what the out-of-process function app (where customers can set these cookies) sends to the host. Marking these cookies as "Secure" would introduce a breaking change for those customers.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can probably replace Marking these cookies as "Secure" with Overriding this behavior

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants