Merged PR 6427: FIX: Disable BinSkim for Ubuntu and macOS

#### AI description  (iteration 2)
#### PR Classification
This pull request fixes pipeline configuration issues by disabling BinSkim for Ubuntu and macOS builds.

#### PR Summary
The changes update pipeline YAML files to disable the BinSkim security tool where it is not applicable, adjust variable declaration formats, and refine configuration comments.
- **`OneBranchPipelines/stages/build-linux-single-stage.yml`**: Reformats variable definitions and adds a template context to disable BinSkim for Linux with a clear justification.
- **`OneBranchPipelines/stages/build-macos-single-stage.yml`**: Revises variable declarations and inserts a template context to disable BinSkim for macOS with an appropriate explanation.
- **`OneBranchPipelines/build-release-package-pipeline.yml`**: Updates the APIScan section with modified comments and adds a justification for its disablement.
- **`tests/test_006_exceptions.py`**: Contains merge conflict markers, indicating unresolved conflict sections that require attention.
<!-- GitOpsUserAgent=GitOps.Apps.Server.pullrequestcopilot -->

Related work items: #40398

Author: bewithgaurav

OneBranchPipelines/build-release-package-pipeline.yml

@@ -152,9 +152,10 @@ extends:
         suppressionSet: default
 
       # ApiScan - Scans APIs for security vulnerabilities
-      # Disabled: Requires specific binary paths and symbols not applicable to Python wheels
+      # Disabled: Not applicable to Python wheel distribution model
       apiscan:
         enabled: false
+        justificationForDisabling: 'APIScan requires PDB symbols for native Windows DLLs. Python wheels primarily contain .pyd files and Python code, better covered by BinSkim. JDBC team also has APIScan disabled for similar reasons.'
 
       # Armory - Security scanning for binaries
       armory:

OneBranchPipelines/jobs/consolidate-artifacts-job.yml

@@ -19,7 +19,11 @@ jobs:
       vmImage: 'ubuntu-latest'
 
     variables:
-      ob_outputDirectory: '$(Build.ArtifactStagingDirectory)'
+      # Disable BinSkim - consolidation job only downloads artifacts, no binary builds
+      - name: ob_sdl_binskim_enabled
+        value: false
+      - name: ob_outputDirectory
+        value: '$(Build.ArtifactStagingDirectory)'
 
     steps:
       - checkout: none  # No source code needed for consolidation

OneBranchPipelines/stages/build-linux-single-stage.yml

@@ -29,6 +29,7 @@ stages:
     jobs:
       - job: ${{ parameters.jobName }}
         displayName: 'Build Wheels - ${{ parameters.linuxTag }} ${{ parameters.arch }}'
+        
         pool:
           type: linux
           isCustom: true
@@ -38,11 +39,19 @@ stages:
         timeoutInMinutes: 120
 
         variables:
-          ob_outputDirectory: '$(Build.ArtifactStagingDirectory)'
-          LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest'
-          LINUX_TAG: ${{ parameters.linuxTag }}
-          ARCH: ${{ parameters.arch }}
-          DOCKER_PLATFORM: ${{ parameters.dockerPlatform }}
+          # Disable BinSkim for Linux - requires ICU libraries not available in containers
+          - name: ob_sdl_binskim_enabled
+            value: false
+          - name: ob_outputDirectory
+            value: '$(Build.ArtifactStagingDirectory)'
+          - name: LinuxContainerImage
+            value: 'onebranch.azurecr.io/linux/ubuntu-2204:latest'
+          - name: LINUX_TAG
+            value: ${{ parameters.linuxTag }}
+          - name: ARCH
+            value: ${{ parameters.arch }}
+          - name: DOCKER_PLATFORM
+            value: ${{ parameters.dockerPlatform }}
 
         steps:
           - checkout: self
@@ -200,7 +209,7 @@ stages:
           # ESRP Malware scanning (Official builds only)
           - ${{ if and(eq(parameters.signingEnabled, true), eq(parameters.oneBranchType, 'Official')) }}:
               - task: EsrpMalwareScanning@5
-                displayName: 'ESRP MalwareScanning - Python Wheels'
+                displayName: 'ESRP MalwareScanning - Python Wheels (Official)'
                 inputs:
                   ConnectedServiceName: '$(SigningEsrpConnectedServiceName)'
                   AppRegistrationClientId: '$(SigningAppRegistrationClientId)'
@@ -209,6 +218,7 @@ stages:
                   UseMSIAuthentication: true
                   FolderPath: '$(ob_outputDirectory)/wheels'
                   Pattern: '*.whl'
+                  SessionTimeout: 60
                   CleanupTempStorage: 1
                   VerboseLogin: 1
 
@@ -224,6 +234,7 @@ stages:
                   UseMSIAuthentication: true
                   FolderPath: '$(ob_outputDirectory)/wheels'
                   Pattern: '*.whl'
+                  SessionTimeout: 60
                   CleanupTempStorage: 1
                   VerboseLogin: 1
 

OneBranchPipelines/stages/build-macos-single-stage.yml

@@ -26,6 +26,7 @@ stages:
     jobs:
       - job: ${{ parameters.jobName }}
         displayName: 'Build Wheel - Python ${{ parameters.pythonVersion }} universal2'
+        
         pool:
           type: linux
           isCustom: true
@@ -34,10 +35,17 @@ stages:
         timeoutInMinutes: 120
 
         variables:
-          ob_outputDirectory: '$(Build.ArtifactStagingDirectory)'
-          LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest'
-          pythonVersion: ${{ parameters.pythonVersion }}
-          shortPyVer: ${{ parameters.shortPyVer }}
+          # Disable BinSkim for macOS - primarily designed for Windows binaries
+          - name: ob_sdl_binskim_enabled
+            value: false
+          - name: ob_outputDirectory
+            value: '$(Build.ArtifactStagingDirectory)'
+          - name: LinuxContainerImage
+            value: 'onebranch.azurecr.io/linux/ubuntu-2204:latest'
+          - name: pythonVersion
+            value: ${{ parameters.pythonVersion }}
+          - name: shortPyVer
+            value: ${{ parameters.shortPyVer }}
 
         steps:
           - checkout: self
@@ -142,7 +150,7 @@ stages:
           # ESRP Malware scanning (Official builds only)
           - ${{ if and(eq(parameters.signingEnabled, true), eq(parameters.oneBranchType, 'Official')) }}:
               - task: EsrpMalwareScanning@5
-                displayName: 'ESRP MalwareScanning - Python Wheels'
+                displayName: 'ESRP MalwareScanning - Python Wheels (Official)'
                 inputs:
                   ConnectedServiceName: '$(SigningEsrpConnectedServiceName)'
                   AppRegistrationClientId: '$(SigningAppRegistrationClientId)'
@@ -151,6 +159,7 @@ stages:
                   UseMSIAuthentication: true
                   FolderPath: '$(ob_outputDirectory)/wheels'
                   Pattern: '*.whl'
+                  SessionTimeout: 60
                   CleanupTempStorage: 1
                   VerboseLogin: 1
 
@@ -166,6 +175,7 @@ stages:
                   UseMSIAuthentication: true
                   FolderPath: '$(ob_outputDirectory)/wheels'
                   Pattern: '*.whl'
+                  SessionTimeout: 60
                   CleanupTempStorage: 1
                   VerboseLogin: 1
 

OneBranchPipelines/stages/build-windows-single-stage.yml

@@ -200,6 +200,7 @@ stages:
                   UseMSIAuthentication: true
                   FolderPath: '$(ob_outputDirectory)/wheels'
                   Pattern: '*.whl'
+                  SessionTimeout: 60
                   CleanupTempStorage: 1
                   VerboseLogin: 1
 

tests/test_006_exceptions.py

@@ -18,7 +18,6 @@
 from mssql_python import ConnectionStringParseError
 
 
-
 def drop_table_if_exists(cursor, table_name):
     """Drop the table if it exists"""
     try: