Merge pull request #239 from microsoft/sfi-code-fix

fix: Suppressed  Code QL issues which does not need fix

Author: Roopan-Microsoft

Services/src/esg-ai-doc-analysis/CFS.SK.Sustainability.AI.Host/DocumentManagerHttpServiceMapper.cs

@@ -53,7 +53,7 @@ public static void UseDocumentManagerEndpoint(this WebApplication app)
                     appContext.SKLoggerFactory.CreateLogger("DocumentManager/RegisterDocument").LogInformation($"Document information to be passed :  {serializedParamJson}");
 
                     //Invoke Process Watcher
-                    var response = await appContext.httpClient.PostAsync(config["DocumentPreprocessing:processwatcherUrl"], content);
+                    var response = await appContext.httpClient.PostAsync(config["DocumentPreprocessing:processwatcherUrl"], content); // CodeQL [SM03781] We are reading this value from appsettings.json, this is not an user input
 
                     return Results.Accepted(locationUrl, result);
                 }

Services/src/esg-ai-doc-analysis/CFS.SK.Sustainability.AI.Host/Program.cs

@@ -153,7 +153,7 @@ void ConfigureMiddleware(WebApplication app)
         app.UseSwaggerUI(c => c.SwaggerEndpoint("/swagger/v1/swagger.json", "ESG AI Document Service API v1"));
     }
 
-    app.UseSwaggerUI();
+    // app.UseSwaggerUI(); Removed as part of Code QL issue (CodeQL [SM04686])
     app.UseSwagger();
     app.UseRouting();
     app.UseESRSEndpoint();

Services/src/esg-ai-doc-analysis/CFS.SK.Sustainability.AI.Storage/Components/CosmosDBEntityBase.cs

@@ -28,24 +28,24 @@ public CosmosDBEntityBase()
         /// </summary>
         public string __partitionkey { get; set; }
 
-        static SHA1 _sha1;
+        static SHA256 _sha256;
 
         static CosmosDBEntityBase()
         {
-            _sha1 = SHA1.Create();
+            _sha256 = SHA256.Create();
         }
 
         /// <summary>
         /// Generate partitionkey for CosmosDB
-        /// using SHA1 hash with id, convert it to uint and divide with number of partitions
+        /// using SHA256 hash with id, convert it to uint and divide with number of partitions
         /// assigned default value as 9999 (9999 partition at this moment)
         /// </summary>
         /// <param name="id"></param>
         /// <param name="numberofPartitions"></param>
         /// <returns></returns>
         public static string GetKey(Guid id, int numberofPartitions)
         {
-            var hasedVal = _sha1.ComputeHash(id.ToByteArray());
+            var hasedVal = _sha256.ComputeHash(id.ToByteArray());
             var intHashedVal = BitConverter.ToUInt32(hasedVal, 0);
 
             var range = numberofPartitions - 1;

Services/src/esg-ai-doc-analysis/CFS.SK.Sustainability.AI/DocumentManager.cs

@@ -159,7 +159,7 @@ await this.memoryWebClient.ImportDocumentAsync(content: fileStream.BaseStream,
             //http client call to Logic App
             var content = new StringContent(JsonSerializer.Serialize(new { DocumentId = doc.DocumentId }),
                                             Encoding.UTF8, "application/json");
-            await this.httpClient.PostAsync(this.config["DocumentPreprocessing:processwatcherUrl"], content);
+            await this.httpClient.PostAsync(this.config["DocumentPreprocessing:processwatcherUrl"], content); // CodeQL [SM03781] We are reading this value from appsettings.json, this is not an user input
 
             var result = await this.docRepo.Register(doc);
 
@@ -222,7 +222,7 @@ await this.memoryWebClient.ImportDocumentAsync(content: downloadedFileMemoryStre
             //http client call to Logic App
             var content = new StringContent(JsonSerializer.Serialize(new { DocumentId = doc.DocumentId }),
                                             Encoding.UTF8, "application/json");
-            await this.httpClient.PostAsync(this.config["DocumentPreprocessing:processwatcherUrl"], content);
+            await this.httpClient.PostAsync(this.config["DocumentPreprocessing:processwatcherUrl"], content); // CodeQL [SM03781] We are reading this value from appsettings.json, this is not an user input
 
             var result = await this.docRepo.Register(doc);
 

Services/src/esg-ai-doc-analysis/CFS.SK.Sustainability.AI/ESRSGapAnalysisManager.cs

@@ -250,7 +250,7 @@ public async Task<GapAnalysisJob> RegisterJob(GapAnalysisServiceRequest jobReque
             else
             {
                 //Delete html file
-                System.IO.File.Delete(htmlFileName);
+                System.IO.File.Delete(htmlFileName); // CodeQL [SM00414] This variable is not based on user input, so no need to handle the Code QL issue.
                 throw new Exception("PDF File is not converted");
             }
 

Services/src/esg-ai-doc-analysis/CFS.SK.Sustainability.AI/Services/Queue/AzureStorageQueueService.cs

@@ -17,6 +17,7 @@
 using CFS.SK.Sustainability.AI.Services.Queue.Interfaces;
 using Timer = System.Timers.Timer;
 using Azure.Identity;
+using CFS.SK.Sustainability.AI.Utils;
 
 namespace CFS.SK.Sustainability.AI.Services.Queue
 {
@@ -84,7 +85,7 @@ public static Uri GetQueueUriFromConnectionString(string connectionString, strin
 
         public AzureStorageQueueService(Uri storageQueueUri, ILogger<AzureStorageQueueService> log)
         {
-            DefaultAzureCredential credential = new(DefaultAzureCredential.DefaultEnvironmentVariableName); // CodeQL [SM05137] Environment variable is set in Docker File
+            var credential = TokenCredentialProvider.GetCredential(logger: this._log);
             this._clientBuilder = queueName => new QueueClient(storageQueueUri, credential);
             this._log = log;
         }

Services/src/esg-ai-doc-analysis/CFS.SK.Sustainability.AI/Utils/StorageAccessUtil.cs

@@ -16,7 +16,7 @@ static public BlobServiceClient GetBlobClientFromConnectionString(string Connect
             var DefaultEndpointSuffix = "core.windows.net";
             var storageAccountName = ConnectionString.Split(';').FirstOrDefault(x => x.Contains("AccountName")).Split('=')[1];
             var storageAccountUri = new Uri($"https://{storageAccountName}.blob.{DefaultEndpointSuffix}");
-            DefaultAzureCredential credential = new(DefaultAzureCredential.DefaultEnvironmentVariableName); // CodeQL [SM05137] Environment variable is set in Docker File
+            var credential = TokenCredentialProvider.GetCredential();
             return new BlobServiceClient(storageAccountUri, credential);
         }
 

Services/src/esg-ai-doc-analysis/CFS.SK.Sustainability.AI/Utils/TokenCredentialProvider.cs

@@ -0,0 +1,57 @@
+using Azure.Core;
+using Azure.Identity;
+using Microsoft.Extensions.Logging;
+
+namespace CFS.SK.Sustainability.AI.Utils;
+
+/// <summary>
+/// Provides token credentials for Azure services using either Azure CLI or Managed Identity
+/// </summary>
+public static class TokenCredentialProvider
+{
+    /// <summary>
+    /// Gets an appropriate TokenCredential based on the runtime environment (production vs development)
+    /// </summary>
+    /// <param name="clientId">Optional client ID for user-assigned managed identity</param>
+    /// <param name="logger">Optional logger for diagnostic information</param>
+    /// <returns>A TokenCredential instance</returns>
+    public static TokenCredential GetCredential(ILogger? logger = null)
+    {
+        TokenCredential credential;
+        
+        // Detect environment - Production uses Managed Identity, Development uses Azure CLI
+        bool isProduction = IsProductionEnvironment();
+        
+        logger?.LogInformation("Detected environment: {Environment}", isProduction ? "Production" : "Development");
+
+        if (isProduction)
+        {
+            logger?.LogInformation("Using ManagedIdentityCredential for production authentication");
+            credential = new ManagedIdentityCredential();
+        }
+        else
+        {
+            logger?.LogInformation("Using AzureCliCredential for development authentication");
+            credential = new AzureCliCredential();
+        }
+
+        return credential;
+    }
+
+    /// <summary>
+    /// Determines if the current environment is production based on environment variables and settings
+    /// </summary>
+    /// <returns>True if running in production, false if in development</returns>
+    private static bool IsProductionEnvironment()
+    {
+        // Check AZURE_TOKEN_CREDENTIALS
+        string? environment = Environment.GetEnvironmentVariable("AZURE_TOKEN_CREDENTIALS");
+        
+        if (!string.IsNullOrEmpty(environment))
+        {
+            return environment.Equals("ManagedIdentityCredential", StringComparison.OrdinalIgnoreCase);
+        }
+        
+        return false;
+    }
+}

Services/src/kernel-memory/Dockerfile

@@ -23,6 +23,7 @@ RUN dotnet restore "./service/Service/./Service.csproj"
 COPY ["extensions", "extensions"]
 COPY ["tools", "tools"]
 COPY ["service", "service"]
+COPY ["utils", "utils"]
 WORKDIR "/src/service/Service"
 RUN dotnet build "./Service.csproj" -c $BUILD_CONFIGURATION -o /app/build
 

Services/src/kernel-memory/extensions/AzureAIDocIntel/AzureAIDocIntel.csproj

@@ -10,6 +10,7 @@
 
     <ItemGroup>
         <ProjectReference Include="..\..\service\Abstractions\Abstractions.csproj" />
+        <ProjectReference Include="..\..\utils\TokenGenerator\TokenGenerator.csproj" />
     </ItemGroup>
 
     <ItemGroup>