Merge pull request #966 from AzureAD/avdunn/codeql-suppressions

Avery-Dunn · web-flow · commit 04130d4564e5 · 2025-06-05T14:54:21.000-07:00
Suppress CodeQL issues
diff --git a/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ClientCertificate.java b/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ClientCertificate.java
@@ -110,7 +110,7 @@ static ClientCertificate create(final PrivateKey key, final X509Certificate publ
     }
 
     private static byte[] getHashSha1(final byte[] inputBytes) throws NoSuchAlgorithmException {
-        final MessageDigest md = MessageDigest.getInstance("SHA-1");
+        final MessageDigest md = MessageDigest.getInstance("SHA-1"); // CodeQL [SM05136] ADFS scenarios require SHA-1 hashing, and we cannot remove our use until ADFS does.
         md.update(inputBytes);
         return md.digest();
     }
diff --git a/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/DefaultHttpClientManagedIdentity.java b/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/DefaultHttpClientManagedIdentity.java
@@ -87,7 +87,7 @@ public static void addTrustedCertificateThumbprint(HttpsURLConnection httpsUrlCo
 
         // CodeQL [SM03767] False positive: the TrustManager created later on will only trust a certificate with a specific thumbprint.
         if (httpsUrlConnection.getHostnameVerifier() != ALL_HOSTS_ACCEPT_HOSTNAME_VERIFIER) {
-            httpsUrlConnection.setHostnameVerifier(ALL_HOSTS_ACCEPT_HOSTNAME_VERIFIER);
+            httpsUrlConnection.setHostnameVerifier(ALL_HOSTS_ACCEPT_HOSTNAME_VERIFIER); // CodeQL [SM03767] We expect the connection to work against a specific server side certificate only, so it's safe to disable the host name verification.
         }
 
         // Create a Trust manager that trusts only certificate with specified thumbprint.

Original file line number	Diff line number	Diff line change
`@@ -110,7 +110,7 @@ static ClientCertificate create(final PrivateKey key, final X509Certificate publ`
`110`	`110`	`}`
`111`	`111`
`112`	`112`	`private static byte[] getHashSha1(final byte[] inputBytes) throws NoSuchAlgorithmException {`
`113`		`- final MessageDigest md = MessageDigest.getInstance("SHA-1");`
	`113`	`+ final MessageDigest md = MessageDigest.getInstance("SHA-1"); // CodeQL [SM05136] ADFS scenarios require SHA-1 hashing, and we cannot remove our use until ADFS does.`
`114`	`114`	`md.update(inputBytes);`
`115`	`115`	`return md.digest();`
`116`	`116`	`}`
Original file line number	Diff line number	Diff line change
`@@ -87,7 +87,7 @@ public static void addTrustedCertificateThumbprint(HttpsURLConnection httpsUrlCo`
`87`	`87`
`88`	`88`	`// CodeQL [SM03767] False positive: the TrustManager created later on will only trust a certificate with a specific thumbprint.`
`89`	`89`	`if (httpsUrlConnection.getHostnameVerifier() != ALL_HOSTS_ACCEPT_HOSTNAME_VERIFIER) {`
`90`		`- httpsUrlConnection.setHostnameVerifier(ALL_HOSTS_ACCEPT_HOSTNAME_VERIFIER);`
	`90`	`+ httpsUrlConnection.setHostnameVerifier(ALL_HOSTS_ACCEPT_HOSTNAME_VERIFIER); // CodeQL [SM03767] We expect the connection to work against a specific server side certificate only, so it's safe to disable the host name verification.`
`91`	`91`	`}`
`92`	`92`
`93`	`93`	`// Create a Trust manager that trusts only certificate with specified thumbprint.`