Fix RADAR issues: enhanced diagnostics, PR metadata display, and link behavior

abadawi591 · abadawi591 · commit d75717699ef9 · 2025-10-23T12:05:00.000-07:00
1. GitHub PAT Authentication (401 Bad Credentials):
   - Added detailed logging in function_app.py to show token length, prefix, and source
   - Enhanced diagnostics in API response with bot_token_length and bot_token_prefix
   - Function restarted to ensure Key Vault reference resolution
   - Next HTML will show exact token status for debugging

2. PR Metadata Display:
   - Modified generate_html_report() to accept optional pr_metadata parameter
   - Added PR information card showing: PR number, title, author, branches, commit SHA
   - Card displays after main title with dark theme styling
   - Metadata passed from generate_multi_spec_report()

3. HTML Link Opening in New Tab:
   - Changed from &lt;a href=...target='_blank'&gt; (unsupported in GitHub Markdown)
   - Now uses standard Markdown link with user instructions
   - Added tip: 'Right-click and Open link in new tab' or Ctrl+Click

All changes deployed to Azure Function and ready for next pipeline run.
diff --git a/.pipelines/prchecks/CveSpecFilePRCheck/LABEL-WORKFLOW-SETUP.md b/.pipelines/prchecks/CveSpecFilePRCheck/LABEL-WORKFLOW-SETUP.md
@@ -0,0 +1,159 @@
+# RADAR Label Workflow - Setup Instructions
+
+## ✅ Completed Changes
+
+### 1. Code Updates (Committed & Deployed)
+- **GitHubClient.py**: Added `add_label()` method for consistent label management
+- **CveSpecFilePRCheck.py**: Pipeline now adds `radar-issues-detected` label when posting PR check comments
+- **function_app.py**: Azure Function now uses `GITHUB_TOKEN` (bot PAT) and adds `radar-acknowledged` label
+
+### 2. Authentication Pattern
+Following the same pattern as `GitHubClient`:
+```python
+# Both pipeline and Azure Function use GITHUB_TOKEN
+GITHUB_TOKEN = os.environ.get("GITHUB_TOKEN", "")
+
+# Use 'token' format for GitHub PATs (not 'Bearer')
+headers = {
+    "Authorization": f"token {GITHUB_TOKEN}",
+    "Accept": "application/vnd.github.v3+json"
+}
+```
+
+### 3. Deployment Status
+- ✅ Azure Function deployed successfully (radarfunc-labels.zip)
+- ✅ Code committed to `abadawi/multi-spec-radar` branch
+- ⏸️ Pending: Configure `GITHUB_TOKEN` environment variable
+
+---
+
+## 🔧 Required Configuration
+
+### Step 1: Add GITHUB_TOKEN to Azure Function
+
+The Azure Function needs the same bot PAT that the pipeline uses (`githubPrPat`).
+
+**Option A: If you know the PAT value:**
+```bash
+az functionapp config appsettings set \
+  --name radarfunc \
+  --resource-group Radar-Storage-RG \
+  --settings "GITHUB_TOKEN=<your_github_pat_here>"
+```
+
+**Option B: Retrieve from Azure DevOps Key Vault:**
+The pipeline gets this from `$(githubPrPat)` variable. You may need to:
+1. Check Azure DevOps variable groups for the PAT value
+2. Or regenerate a new PAT from the CBL Mariner bot GitHub account
+
+### Step 2: Create GitHub Labels
+
+Create these 2 labels in the `microsoft/azurelinux` repository:
+
+**Label 1: radar-issues-detected**
+- Name: `radar-issues-detected`
+- Description: `RADAR detected potential issues in this PR`
+- Color: `#D73A4A` (red)
+
+**Label 2: radar-acknowledged**
+- Name: `radar-acknowledged`
+- Description: `Feedback submitted for RADAR findings`
+- Color: `#0E8A16` (green)
+
+**How to create labels:**
+1. Go to https://github.com/microsoft/azurelinux/labels
+2. Click "New label"
+3. Enter name, description, and color
+4. Click "Create label"
+5. Repeat for the second label
+
+---
+
+## 📋 Complete Workflow
+
+### When Pipeline Detects Issues:
+1. ✅ Pipeline runs CVE spec file check
+2. ✅ If issues found (severity >= WARNING):
+   - Posts comment to PR with findings
+   - **Adds `radar-issues-detected` label**
+3. ✅ Comment includes link to interactive HTML report (blob storage)
+
+### When User Submits Challenge:
+1. ✅ User opens HTML report, clicks "Challenge" button
+2. ✅ User authenticates with GitHub OAuth
+3. ✅ User fills out challenge form (False Alarm/Needs Context/Acknowledged)
+4. ✅ Azure Function receives challenge:
+   - Saves to analytics.json in blob storage
+   - Posts comment to PR (using bot account with user attribution)
+   - **Adds `radar-acknowledged` label**
+
+### Label Benefits:
+- **Filtering**: Easily find PRs with RADAR issues or feedback
+- **Dashboards**: Track how many PRs have issues vs. acknowledged
+- **Automation**: Could trigger additional workflows based on labels
+- **Visibility**: Labels appear prominently in PR list and on the PR page
+
+---
+
+## 🧪 Testing Plan
+
+### Test 1: Pipeline Label Addition
+1. Push changes to `test/basic-antipatterns` branch
+2. Pipeline should run and detect issues
+3. Verify PR #14904 has:
+   - Comment posted by CBL Mariner bot
+   - `radar-issues-detected` label added
+
+### Test 2: Challenge Label Addition
+1. Open latest HTML report from blob storage
+2. Submit a challenge for any finding
+3. Verify PR #14904 has:
+   - New comment posted by CBL Mariner bot (showing user attribution)
+   - `radar-acknowledged` label added
+
+### Test 3: End-to-End Workflow
+1. Create fresh test PR with spec file changes
+2. Pipeline runs → comment + `radar-issues-detected` label
+3. Submit challenge → comment + `radar-acknowledged` label
+4. Both labels visible on PR
+
+---
+
+## 📝 Next Steps
+
+### Immediate (Required):
+1. **Add GITHUB_TOKEN to Azure Function** (see Step 1 above)
+2. **Create the 2 labels** in GitHub repository (see Step 2 above)
+3. **Test the workflow** on PR #14904
+
+### Future Enhancements:
+- Add PR metadata to HTML reports (title, author, branches)
+- Create dashboard to track challenge statistics
+- Add webhook to notify team when challenges submitted
+- Implement auto-close for PRs with all findings acknowledged
+
+---
+
+## 🔍 Troubleshooting
+
+### If labels not added:
+- Check function logs: `az functionapp logs tail --name radarfunc --resource-group Radar-Storage-RG`
+- Verify `GITHUB_TOKEN` is configured: `az functionapp config appsettings list --name radarfunc --resource-group Radar-Storage-RG`
+- Ensure labels exist in GitHub repository
+- Check that bot PAT has `repo` scope permissions
+
+### If comments not posted:
+- Verify `GITHUB_TOKEN` has correct permissions
+- Check bot account has write access to repository
+- Review function logs for detailed error messages
+
+---
+
+## 📚 Files Changed
+
+- `.pipelines/prchecks/CveSpecFilePRCheck/GitHubClient.py`
+- `.pipelines/prchecks/CveSpecFilePRCheck/CveSpecFilePRCheck.py`
+- `.pipelines/prchecks/CveSpecFilePRCheck/azure-function/function_app.py`
+
+**Commit**: `d5ad71165` on `abadawi/multi-spec-radar` branch
+**Deployment**: Successfully deployed to `radarfunc` Azure Function
diff --git a/.pipelines/prchecks/CveSpecFilePRCheck/ResultAnalyzer.py b/.pipelines/prchecks/CveSpecFilePRCheck/ResultAnalyzer.py
@@ -482,12 +482,13 @@ def _get_severity_emoji(self, severity: Severity) -> str:
         }
         return emoji_map.get(severity, "ℹ️")
     
-    def generate_html_report(self, analysis_result: 'MultiSpecAnalysisResult') -> str:
+    def generate_html_report(self, analysis_result: 'MultiSpecAnalysisResult', pr_metadata: Optional[dict] = None) -> str:
         """
         Generate an interactive HTML report with dark theme and expandable sections.
         
         Args:
             analysis_result: MultiSpecAnalysisResult with all spec data
+            pr_metadata: Optional dict with PR metadata (pr_number, pr_title, pr_author, etc.)
             
         Returns:
             HTML string with embedded CSS and JavaScript for interactivity
@@ -506,7 +507,40 @@ def generate_html_report(self, analysis_result: 'MultiSpecAnalysisResult') -> st
             Generated: {datetime.now().strftime('%Y-%m-%d %H:%M:%S UTC')}
         </p>
     </div>
-    
+"""
+        
+        # Add PR metadata section if provided
+        if pr_metadata:
+            pr_number = pr_metadata.get('pr_number', 'Unknown')
+            pr_title = html_module.escape(pr_metadata.get('pr_title', 'Unknown'))
+            pr_author = html_module.escape(pr_metadata.get('pr_author', 'Unknown'))
+            source_branch = html_module.escape(pr_metadata.get('source_branch', 'unknown'))
+            target_branch = html_module.escape(pr_metadata.get('target_branch', 'main'))
+            source_commit = pr_metadata.get('source_commit_sha', '')[:8]
+            
+            html += f"""
+    <div style="background: #161b22; border: 1px solid #30363d; border-radius: 6px; padding: 16px; margin-bottom: 20px;">
+        <h3 style="margin: 0 0 12px 0; color: #58a6ff; font-size: 16px;">📋 Pull Request Information</h3>
+        <div style="display: grid; grid-template-columns: auto 1fr; gap: 8px 16px; font-size: 13px;">
+            <span style="color: #8b949e;">PR Number:</span>
+            <span style="color: #c9d1d9; font-weight: 600;">#{pr_number}</span>
+            
+            <span style="color: #8b949e;">Title:</span>
+            <span style="color: #c9d1d9;">{pr_title}</span>
+            
+            <span style="color: #8b949e;">Author:</span>
+            <span style="color: #c9d1d9;">@{pr_author}</span>
+            
+            <span style="color: #8b949e;">Branches:</span>
+            <span style="color: #c9d1d9;"><code style="background: #0d1117; padding: 2px 6px; border-radius: 3px; font-size: 12px;">{source_branch}</code> → <code style="background: #0d1117; padding: 2px 6px; border-radius: 3px; font-size: 12px;">{target_branch}</code></span>
+            
+            <span style="color: #8b949e;">Commit:</span>
+            <span style="color: #c9d1d9;"><code style="background: #0d1117; padding: 2px 6px; border-radius: 3px; font-size: 12px;">{source_commit}</code></span>
+        </div>
+    </div>
+"""
+        
+        html += f"""
     <div style="display: grid; grid-template-columns: repeat(auto-fit, minmax(150px, 1fr)); gap: 10px; margin-bottom: 20px;">
         <div style="background: #161b22; padding: 15px; border-radius: 6px; text-align: center; border: 1px solid #30363d;">
             <div style="font-size: 24px; font-weight: bold; color: #58a6ff;">{stats['total_specs']}</div>
@@ -661,7 +695,7 @@ def generate_multi_spec_report(self, analysis_result: 'MultiSpecAnalysisResult',
         # Add HTML report - try blob storage first, fall back to Gist
         # Note: Blob storage preferred for production, Gist as fallback
         if include_html and (blob_storage_client or github_client):
-            html_report = self.generate_html_report(analysis_result)
+            html_report = self.generate_html_report(analysis_result, pr_metadata=pr_metadata)
             
             # Create a self-contained HTML page with authentication
             html_page = f"""<!DOCTYPE html>
@@ -1201,6 +1235,9 @@ def generate_multi_spec_report(self, analysis_result: 'MultiSpecAnalysisResult',
                     console.log('   GitHub label added:', result.github_label_added);
                     if (result.diagnostics) {{
                         console.log('   Diagnostics:', result.diagnostics);
+                        console.log('   Bot token loaded:', result.diagnostics.using_bot_token);
+                        console.log('   Bot token length:', result.diagnostics.bot_token_length);
+                        console.log('   Bot token prefix:', result.diagnostics.bot_token_prefix);
                     }}
                     
                     let message = '✅ Challenge submitted successfully!\\n\\n';
@@ -1351,16 +1388,14 @@ def generate_multi_spec_report(self, analysis_result: 'MultiSpecAnalysisResult',
             
             if html_url:
                 # Add prominent HTML report link section
-                # Note: GitHub Markdown doesn't support target="_blank" in <a> tags
-                # Use HTML anchor tag to open in new tab
                 report_lines.append("")
                 report_lines.append("---")
                 report_lines.append("")
                 report_lines.append("## 📊 Interactive HTML Report")
                 report_lines.append("")
-                report_lines.append(f"### 🔗 <a href=\"{html_url}\" target=\"_blank\"><strong>CLICK HERE to open the Interactive HTML Report</strong></a>")
+                report_lines.append(f"### 🔗 **[CLICK HERE to open the Interactive HTML Report]({html_url})**")
                 report_lines.append("")
-                report_lines.append("*The report will open in a new tab automatically*")
+                report_lines.append("💡 **Tip:** Right-click the link above and select 'Open link in new tab' (or Ctrl+Click on Windows/Linux, Cmd+Click on Mac)")
                 report_lines.append("")
                 report_lines.append("**Features:**")
                 report_lines.append("- 🎯 Interactive anti-pattern detection results")
diff --git a/.pipelines/prchecks/CveSpecFilePRCheck/azure-function/KEYVAULT-ACCESS-REQUEST.md b/.pipelines/prchecks/CveSpecFilePRCheck/azure-function/KEYVAULT-ACCESS-REQUEST.md
@@ -0,0 +1,64 @@
+# Key Vault Access Request for Azure Function
+
+## Summary
+The `radarfunc` Azure Function needs to read the GitHub PAT from Key Vault to post PR comments securely.
+
+## Current Configuration
+✅ **Azure Function**: `radarfunc` (Radar-Storage-RG)
+✅ **User-Assigned Managed Identity**: `cblmargh-identity` 
+   - Client ID: `7bf2e2c3-009a-460e-90d4-eff987a8d71d`
+   - Principal ID: `4cb669bf-1ae6-463a-801a-2d491da37b9d`
+✅ **Key Vault Reference Configured**: 
+   ```
+   GITHUB_TOKEN=@Microsoft.KeyVault(SecretUri=https://mariner-pipelines-kv.vault.azure.net/secrets/cblmarghGithubPRPat/)
+   ```
+
+## Required Action
+⏳ **Grant RBAC Permission** to allow the UMI to read secrets from Key Vault.
+
+### Command to Run:
+```bash
+az role assignment create \
+  --assignee 7bf2e2c3-009a-460e-90d4-eff987a8d71d \
+  --role "Key Vault Secrets User" \
+  --scope "/subscriptions/0012ca50-c773-43b2-80e2-f24b6377145c/resourceGroups/MarinerPipelines_RG/providers/Microsoft.KeyVault/vaults/mariner-pipelines-kv"
+```
+
+### Who Can Run This:
+- User with **Owner** or **User Access Administrator** role on:
+  - The `mariner-pipelines-kv` Key Vault, OR
+  - The `MarinerPipelines_RG` resource group, OR
+  - The subscription
+
+### Why This Is Needed:
+1. The Azure Function posts GitHub comments when users submit challenge feedback
+2. It needs the GitHub PAT to authenticate with GitHub API
+3. Storing PAT in Key Vault (vs app settings) is more secure:
+   - No plaintext secrets in configuration
+   - Automatic rotation support
+   - Centralized secret management
+   - Audit trail of secret access
+
+### Verification After Granting Access:
+Check if the permission was granted:
+```bash
+az role assignment list \
+  --assignee 7bf2e2c3-009a-460e-90d4-eff987a8d71d \
+  --scope "/subscriptions/0012ca50-c773-43b2-80e2-f24b6377145c/resourceGroups/MarinerPipelines_RG/providers/Microsoft.KeyVault/vaults/mariner-pipelines-kv"
+```
+
+Test if the function can resolve the Key Vault reference:
+```bash
+# Restart the function to pick up the permission
+az functionapp restart --name radarfunc --resource-group Radar-Storage-RG
+
+# Check function logs for any Key Vault access errors
+az functionapp log tail --name radarfunc --resource-group Radar-Storage-RG
+```
+
+---
+
+## Context
+- **Pipeline**: Already uses this same UMI and Key Vault secret successfully
+- **Function**: Shares the same infrastructure pattern for consistency
+- **Security**: Follows Azure best practices for secret management
diff --git a/.pipelines/prchecks/CveSpecFilePRCheck/azure-function/function_app.py b/.pipelines/prchecks/CveSpecFilePRCheck/azure-function/function_app.py
@@ -313,9 +313,14 @@ def submit_challenge(req: func.HttpRequest) -> func.HttpResponse:
             # Use GITHUB_TOKEN (bot PAT) for reliable comment posting
             # This is the same CBL Mariner bot that posts PR check comments
             bot_token = GITHUB_TOKEN
+            logger.info(f"🔑 GITHUB_TOKEN loaded: {'Yes' if GITHUB_TOKEN else 'No (empty)'}")
+            logger.info(f"🔑 Bot token length: {len(bot_token) if bot_token else 0} chars")
+            logger.info(f"🔑 Bot token starts with: {bot_token[:10] if bot_token else 'N/A'}...")
+            
             if not bot_token:
                 logger.warning("⚠️  GITHUB_TOKEN not configured, falling back to user token")
                 bot_token = github_token
+                logger.info(f"🔑 Using user token instead (length: {len(bot_token) if bot_token else 0})")
             
             comment_headers = {
                 "Authorization": f"token {bot_token}",  # Use 'token' not 'Bearer' for GitHub PATs
@@ -337,7 +342,8 @@ def submit_challenge(req: func.HttpRequest) -> func.HttpResponse:
                 logger.error(f"❌ Failed to post GitHub comment:")
                 logger.error(f"   Status: {comment_response.status_code}")
                 logger.error(f"   Response: {comment_response.text}")
-                logger.error(f"   GitHub Token (first 10 chars): {github_token[:10] if github_token else 'None'}...")
+                logger.error(f"   Bot Token (first 10 chars): {bot_token[:10] if bot_token else 'None'}...")
+                logger.error(f"   Token source: {'GITHUB_TOKEN env var' if GITHUB_TOKEN else 'User JWT token'}")
                 logger.error(f"   Comment URL: {comment_url}")
             
             # Add simple label to indicate PR has been acknowledged/reviewed
@@ -382,6 +388,8 @@ def submit_challenge(req: func.HttpRequest) -> func.HttpResponse:
                 'message': label_response.text[:200]
             }
         diagnostic_info['using_bot_token'] = bool(GITHUB_TOKEN)
+        diagnostic_info['bot_token_length'] = len(GITHUB_TOKEN) if GITHUB_TOKEN else 0
+        diagnostic_info['bot_token_prefix'] = GITHUB_TOKEN[:10] if GITHUB_TOKEN else 'empty'
         
         return func.HttpResponse(
             json.dumps({
