Skip to content

Suppress false-positive CodeQL warning in RemoteOrchestrationServiceClient#1347

Open
AnatoliB wants to merge 3 commits intomainfrom
anatolib/codeql-fix-37181654-2
Open

Suppress false-positive CodeQL warning in RemoteOrchestrationServiceClient#1347
AnatoliB wants to merge 3 commits intomainfrom
anatolib/codeql-fix-37181654-2

Conversation

@AnatoliB
Copy link
Copy Markdown
Collaborator

@AnatoliB AnatoliB commented May 1, 2026

@AnatoliB
Add CodeQL suppressions for serialization security warnings in PutJso…
0ab93cc 
…nAsync method

Co-authored-by: Copilot <copilot@github.com>
Copilot AI review requested due to automatic review settings May 1, 2026 06:04
@AnatoliB AnatoliB marked this pull request as ready for review May 1, 2026 06:05
Copilot AI reviewed May 1, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR aims to eliminate a reported false-positive CodeQL warning in the Azure Service Fabric remote orchestration client by adding targeted suppressions and documenting why TypeNameHandling.All is used on the request serialization path.

Changes:

  • Added SuppressMessage attributes for CA2326/CA2327 around PutJsonAsync.
  • Added an inline comment describing why the JsonMediaTypeFormatter uses TypeNameHandling.All and why the finding is considered a false positive.
  • Added System.Diagnostics.CodeAnalysis import to support the suppressions.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/DurableTask.AzureServiceFabric/Remote/RemoteOrchestrationServiceClient.cs Outdated
AnatoliB and others added 2 commits May 1, 2026 11:39
@AnatoliB
Fix suppression syntax
6c6ab0b 
Co-authored-by: Copilot <copilot@github.com>
@AnatoliB
Move suppression comment to the correct line
52430cb 
Co-authored-by: Copilot <copilot@github.com>
Copilot AI review requested due to automatic review settings May 1, 2026 19:30
Copilot AI reviewed May 1, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/DurableTask.AzureServiceFabric/Remote/RemoteOrchestrationServiceClient.cs
Comment on lines +308 to 310
// CodeQL [SM02211] False positive: serialization (write) path only; no untrusted JSON is deserialized here.
SerializerSettings = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.All }
};
Copy link

Copilot AI May 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This comment doesn’t appear to use a suppression syntax that GitHub CodeQL recognizes (e.g., lgtm[cs/<query-id>] / codeql[cs/<query-id>] style), so it may not actually suppress the alert that prompted this PR. If the goal is suppression (not just justification), use the repository’s supported CodeQL inline suppression mechanism or adjust the CodeQL configuration/queries to ignore this specific finding, and reference the query id that maps to SM02211.

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@AnatoliB