Ensure SSL_CERT_DIR messages are always shown and check for existing value #35
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
/agentic_review
Code Review by Qodo
1. SSL_CERT_DIR path mismatch
|
| private sealed class NssDb | ||
| { | ||
| public string Path => path; | ||
| public bool IsFirefox => isFirefox; | ||
| private readonly string _path; | ||
| private readonly bool _isFirefox; | ||
|
|
||
| public NssDb(string path, bool isFirefox) | ||
| { | ||
| _path = path; | ||
| _isFirefox = isFirefox; | ||
| } | ||
|
|
||
| public string Path => _path; | ||
| public bool IsFirefox => _isFirefox; |
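Review bot: In `NssDb`, the `_path` and `_isFirefox` fields exist only to be returned by `Path` and `IsFirefox`, so the explicit constructor adds state without adding behaviour. If the explicit constructor is kept, get-only auto-properties (`public string Path { get; }`) assigned in the constructor would drop both fields; otherwise keep the shorter `Path => path` form shown at the top of the hunk.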
1. NssDb missing primary constructor 📘 Rule violation ✓ Correctness
The NssDb type was changed from a C# 12 primary constructor to a traditional constructor with backing fields, despite being a simple parameter-to-member assignment pattern. This violates the repository convention to prefer primary constructors for this scenario and adds unnecessary boilerplate.
Agent Prompt
## Issue description
`NssDb` is a simple value-carrying type but was converted from a primary constructor to a traditional constructor with backing fields, adding boilerplate and violating the primary-constructor convention.
## Issue Context
This rule expects simple parameter-to-member assignment patterns to use C# 12 primary constructors.
## Fix Focus Areas
- src/Shared/CertificateGeneration/UnixCertificateManager.cs[994-1006]
| ? Path.Combine("$HOME", certDir[homeDirectoryWithSlash.Length..]) | ||
| : certDir; | ||
|
|
||
| if (TryGetOpenSslDirectory(out var openSslDir)) | ||
| var hasValidSslCertDir = false; | ||
|
|
||
| // Check if SSL_CERT_DIR is already set and if certDir is already included | ||
| var existingSslCertDir = Environment.GetEnvironmentVariable(OpenSslCertificateDirectoryVariableName); | ||
| if (!string.IsNullOrEmpty(existingSslCertDir)) | ||
| { | ||
| var existingDirs = existingSslCertDir.Split(Path.PathSeparator); | ||
| var certDirFullPath = Path.GetFullPath(prettyCertDir); | ||
| var isCertDirIncluded = existingDirs.Any(dir => | ||
| { | ||
| if (string.IsNullOrWhiteSpace(dir)) | ||
| { | ||
| return false; | ||
| } | ||
|
|
||
| try | ||
| { | ||
| return string.Equals(Path.GetFullPath(dir), certDirFullPath, StringComparison.OrdinalIgnoreCase); | ||
| } |
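Review bot: `Path.GetFullPath(dir)` inside the `existingDirs.Any(...)` lambda resolves a relative `SSL_CERT_DIR` entry against the tool's current working directory, so the same variable value can be judged included or not depending on where the tool is started; consider accepting only rooted entries (`Path.IsPathRooted(dir)`). The comparison target should also be `certDir` rather than `prettyCertDir`, because the first lines of the hunk show `prettyCertDir` can begin with the literal `$HOME`, and `StringComparison.OrdinalIgnoreCase` should become `StringComparison.Ordinal` for Unix paths.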
2. SSL_CERT_DIR path mismatch 🐞 Bug ✓ Correctness
UnixCertificateManager compares SSL_CERT_DIR entries against Path.GetFullPath(prettyCertDir), but prettyCertDir may contain the literal "$HOME", so a correctly-configured SSL_CERT_DIR using an absolute path won’t match and trust is incorrectly treated as partial/failing. It also uses OrdinalIgnoreCase on Unix paths, which can wrongly treat different directories as the same on case-sensitive filesystems.
Agent Prompt
### Issue description
Unix SSL_CERT_DIR detection uses a display-only path (prettyCertDir, which may include the literal `$HOME`) for Path.GetFullPath comparisons and uses OrdinalIgnoreCase on Unix, causing false negatives/positives when deciding whether SSL_CERT_DIR already includes the cert directory.
### Issue Context
This logic controls whether the tool reports trust as partial vs full and what guidance it prints.
### Fix Focus Areas
- src/Shared/CertificateGeneration/UnixCertificateManager.cs[354-390]
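The check described in the comment above, written out as an added example (not code from this PR or from the project): it compares `SSL_CERT_DIR` entries against the real directory rather than a display string and uses ordinal comparison on Unix. `SslCertDir.Includes` and the sample paths are hypothetical.

```csharp
using System;
using System.IO;
using System.Linq;

// Constructed sample values; the directory is hypothetical.
var certDir = "/home/dev/certs/trust";
var sep = Path.PathSeparator;
Console.WriteLine(SslCertDir.Includes($"/etc/ssl/certs{sep}{certDir}/", certDir));        // absolute entry, trailing slash
Console.WriteLine(SslCertDir.Includes($"/etc/ssl/certs{sep}$HOME/certs/trust", certDir)); // unexpanded "$HOME" text
Console.WriteLine(SslCertDir.Includes("/home/dev/certs/TRUST", certDir));                 // differs only by case

static class SslCertDir
{
    // True when certDir (the real absolute path, never the "$HOME/..." display
    // form) is one of the entries of an SSL_CERT_DIR value.
    public static bool Includes(string sslCertDirValue, string certDir)
    {
        var target = Normalize(certDir);
        if (string.IsNullOrEmpty(sslCertDirValue) || target is null)
        {
            return false;
        }

        // Unix filesystems are normally case-sensitive; only Windows ignores case.
        var comparison = OperatingSystem.IsWindows()
            ? StringComparison.OrdinalIgnoreCase
            : StringComparison.Ordinal;

        return sslCertDirValue
            .Split(Path.PathSeparator, StringSplitOptions.RemoveEmptyEntries)
            // Relative entries are skipped: their meaning depends on the current directory.
            .Where(dir => Path.IsPathRooted(dir))
            .Any(dir => string.Equals(Normalize(dir), target, comparison));
    }

    // Collapses "." and ".." segments and a trailing slash; does not resolve symlinks.
    private static string Normalize(string path)
    {
        try
        {
            return Path.TrimEndingDirectorySeparator(Path.GetFullPath(path));
        }
        catch (ArgumentException)
        {
            return null; // malformed entry: never equal to the target
        }
    }
}
```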
| sawTrustFailure = !hasValidSslCertDir; | ||
| } |
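Review bot: `sawTrustFailure = !hasValidSslCertDir;` is a plain assignment, so whatever value the flag held before this line is discarded. If the flag is meant to accumulate failures, make it `sawTrustFailure |= !hasValidSslCertDir;` or set it only inside `if (!hasValidSslCertDir)`.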
3. Trust failures overwritten 🐞 Bug ✓ Correctness
TrustCertificateCore overwrites sawTrustFailure with !hasValidSslCertDir, which can clear earlier failures (e.g., NSS DB trust failures) and incorrectly return TrustLevel.Full. This makes the tool report success even when some trust steps already failed.
Agent Prompt
### Issue description
The new SSL_CERT_DIR validation overwrites `sawTrustFailure`, masking failures from earlier trust steps and allowing an incorrect `TrustLevel.Full`.
### Issue Context
`sawTrustFailure` aggregates failures from dotnet store trust, OpenSSL rehash, and NSS DB trust operations.
### Fix Focus Areas
- src/Shared/CertificateGeneration/UnixCertificateManager.cs[333-344]
- src/Shared/CertificateGeneration/UnixCertificateManager.cs[408-413]
| var listener = new ReporterEventListener(reporter); | ||
| if (verbose.HasValue()) | ||
| { | ||
| var listener = new ReporterEventListener(reporter); | ||
| listener.EnableEvents(CertificateManager.Log, System.Diagnostics.Tracing.EventLevel.Verbose); | ||
| } | ||
| else | ||
| { | ||
| listener.EnableEvents(CertificateManager.Log, System.Diagnostics.Tracing.EventLevel.LogAlways); | ||
| } |
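Review bot: The `if`/`else` around `listener.EnableEvents(...)` differs only in the `EventLevel` argument, and nothing in the hunk documents which events a non-verbose run is now expected to print. Collapse it to one call, `listener.EnableEvents(CertificateManager.Log, verbose.HasValue() ? EventLevel.Verbose : EventLevel.LogAlways);`, and add a comment explaining the `LogAlways` choice, since the listener is now attached on every run rather than only when the verbose option is set.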
4. Event format-string crash 🐞 Bug ⛯ Reliability
CertificateManagerEventSource event 111’s message uses placeholder {2} but only two payload arguments are supplied, and ReporterEventListener always calls string.Format on the message. With this PR enabling the listener at LogAlways in non-verbose runs, emitting event 111 will throw a FormatException and can crash dotnet-dev-certs.
Agent Prompt
### Issue description
Event 111’s format string references `{2}` but only two arguments are passed to `WriteEvent`, and the console event listener always calls `string.Format`, which will throw and can terminate the tool.
### Issue Context
This PR enables the listener even when not verbose (LogAlways), making this crash user-visible.
### Fix Focus Areas
- src/Shared/CertificateGeneration/CertificateManager.cs[1307-1309]
- src/Tools/dotnet-dev-certs/src/ReporterEventListener.cs[21-35]
- src/Tools/dotnet-dev-certs/src/Program.cs[123-135]
Benchmark PR from agentic-review-benchmarks#3