Add CodeQL suppression for DefaultAzureCredential use in Production (#3542)

* Task 37261: [S360] [SM05137] DefaultAzureCredential use in Production

- Adjusted CodeQL suppression to meet the strict requirements of where it may appear relative to the flagged code.

* Task 37261: [S360] [SM05137] DefaultAzureCredential use in Production

- Adding catch for macOS socket error to log and ignore.

Author: paulmedynski

src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/ActiveDirectoryAuthenticationProvider.cs

@@ -587,14 +587,23 @@ private static TokenCredentialData CreateTokenCredentialInstance(TokenCredential
                 // specify 'Authentication = Active Directory Default' in
                 // connection string.
                 //
-                // CodeQL Suppression - do not modify this comment:
-                //
-                // CodeQL [SM05137] Default Azure Credential is instantiated by
-                // the calling application when using "Active Directory Default"
+                // Default Azure Credential is instantiated by the calling
+                // application when using "Active Directory Default"
                 // authentication code to connect to Azure SQL instance.
                 // SqlClient is a library, doesn't instantiate the credential
                 // without running application instructions.
-                return new TokenCredentialData(new DefaultAzureCredential(defaultAzureCredentialOptions), GetHash(secret));
+                //
+                // Note that CodeQL suppression support can only detect
+                // suppression comments that appear immediately above the
+                // flagged statement, or appended to the end of the statement.
+                // Multi-line justifications are not supported.
+                //
+                // https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/codeql/codeql-semmle#guidance-on-suppressions
+                //
+                // CodeQL [SM05137] See above for justification.
+                DefaultAzureCredential cred = new(defaultAzureCredentialOptions);
+
+                return new TokenCredentialData(cred, GetHash(secret));
             }
 
             TokenCredentialOptions tokenCredentialOptions = new() { AuthorityHost = new Uri(tokenCredentialKey._authority) };

src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/ManagedSni/SniTcpHandle.netcore.cs

@@ -953,9 +953,30 @@ public override uint Receive(out SniPacket packet, int timeoutInMilliseconds)
                 }
                 finally
                 {
-                    // Reset the socket timeout to Timeout.Infinite after the receive operation is done
-                    // to avoid blocking the thread in case of a timeout error.
-                    _socket.ReceiveTimeout = Timeout.Infinite;
+                    const int resetTimeout = Timeout.Infinite;
+
+                    try
+                    {
+                        // Reset the socket timeout to Timeout.Infinite after
+                        // the receive operation is done to avoid blocking the
+                        // thread in case of a timeout error.
+                        _socket.ReceiveTimeout = resetTimeout;
+
+                    }
+                    catch (SocketException ex)
+                    {
+                        // We sometimes see setting the ReceiveTimeout fail
+                        // on macOS. There's isn't much we can do about it
+                        // though, so just log and move on.
+                        SqlClientEventSource.Log.TrySNITraceEvent(
+                            nameof(SniTcpHandle),
+                            EventType.ERR,
+                            "Connection Id {0}, Failed to reset socket " +
+                            "receive timeout to {1}: {2}",
+                            _connectionId,
+                            resetTimeout,
+                            ex.Message);
+                    }
                 }
             }
         }