Merge pull request #969 from AzureAD/avdunn/codeql-suppress

Avery-Dunn · web-flow · commit 946a68d0ffdf · 2025-06-10T06:43:44.000-07:00
Suppressed SHA-1 CodeQL flag
diff --git a/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/DefaultHttpClientManagedIdentity.java b/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/DefaultHttpClientManagedIdentity.java
@@ -136,7 +136,7 @@ public void checkServerTrusted(X509Certificate[] certificates, String authentica
     private static String extractCertificateThumbprint(Certificate certificate) {
         try {
             StringBuilder thumbprint = new StringBuilder();
-            MessageDigest messageDigest = MessageDigest.getInstance("SHA-1");
+            MessageDigest messageDigest = MessageDigest.getInstance("SHA-1"); // CodeQL [SM05136] We cannot control what the server uses, and must continue to use SHA-1
 
             byte[] encodedCertificate;
 
