CodeQL Suppressions for Unactionable Issues (#3332)

benrr101 · web-flow · commit 2d6e2145806e · 2025-05-07T10:55:47.000-05:00
* Suppress RSA padding algorithm warning.

* Add suppression for audience claim validation
diff --git a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/AzureAttestationBasedEnclaveProvider.cs b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/AzureAttestationBasedEnclaveProvider.cs
@@ -401,7 +401,7 @@ private bool VerifyTokenSignature(string attestationToken, string tokenIssuerUrl
                     RequireExpirationTime = true,
                     ValidateLifetime = true,
                     ValidateIssuer = true,
-                    ValidateAudience = false,
+                    ValidateAudience = false, // CodeQL [SM04387] Required for an external standard: Microsoft Azure Attestation does not support the audience claim.
                     RequireSignedTokens = true,
                     ValidIssuers = GenerateListOfIssuers(tokenIssuerUrl),
                     IssuerSigningKeys = issuerSigningKeys
diff --git a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlColumnEncryptionCertificateStoreProvider.Windows.cs b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlColumnEncryptionCertificateStoreProvider.Windows.cs
@@ -474,6 +474,8 @@ private byte[] RSAEncrypt(byte[] plainText, X509Certificate2 certificate)
             Debug.Assert(certificate.HasPrivateKey, "Attempting to encrypt with cert without privatekey");
 
             RSA rsa = certificate.GetRSAPublicKey();
+            
+            // CodeQL [SM03796] Required for an external standard: Always Encrypted only supports encrypting column encryption keys with RSA_OAEP(SHA1) (https://learn.microsoft.com/en-us/sql/t-sql/statements/create-column-encryption-key-transact-sql?view=sql-server-ver16)
             return rsa.Encrypt(plainText, RSAEncryptionPadding.OaepSHA1);
         }
 
@@ -490,6 +492,8 @@ private byte[] RSADecrypt(byte[] cipherText, X509Certificate2 certificate)
             Debug.Assert(certificate.HasPrivateKey, "Attempting to decrypt with cert without privatekey");
 
             RSA rsa = certificate.GetRSAPrivateKey();
+            
+            // CodeQL [SM03796] Required for an external standard: Always Encrypted only supports encrypting column encryption keys with RSA_OAEP(SHA1) (https://learn.microsoft.com/en-us/sql/t-sql/statements/create-column-encryption-key-transact-sql?view=sql-server-ver16)
             return rsa.Decrypt(cipherText, RSAEncryptionPadding.OaepSHA1);
         }
 

Original file line number	Diff line number	Diff line change
`@@ -474,6 +474,8 @@ private byte[] RSAEncrypt(byte[] plainText, X509Certificate2 certificate)`
`474`	`474`	`Debug.Assert(certificate.HasPrivateKey, "Attempting to encrypt with cert without privatekey");`
`475`	`475`
`476`	`476`	`RSA rsa = certificate.GetRSAPublicKey();`
	`477`	`+`
	`478`	`+ // CodeQL [SM03796] Required for an external standard: Always Encrypted only supports encrypting column encryption keys with RSA_OAEP(SHA1) (https://learn.microsoft.com/en-us/sql/t-sql/statements/create-column-encryption-key-transact-sql?view=sql-server-ver16)`
`477`	`479`	`return rsa.Encrypt(plainText, RSAEncryptionPadding.OaepSHA1);`
`478`	`480`	`}`
`479`	`481`
`@@ -490,6 +492,8 @@ private byte[] RSADecrypt(byte[] cipherText, X509Certificate2 certificate)`
`490`	`492`	`Debug.Assert(certificate.HasPrivateKey, "Attempting to decrypt with cert without privatekey");`
`491`	`493`
`492`	`494`	`RSA rsa = certificate.GetRSAPrivateKey();`
	`495`	`+`
	`496`	`+ // CodeQL [SM03796] Required for an external standard: Always Encrypted only supports encrypting column encryption keys with RSA_OAEP(SHA1) (https://learn.microsoft.com/en-us/sql/t-sql/statements/create-column-encryption-key-transact-sql?view=sql-server-ver16)`
`493`	`497`	`return rsa.Decrypt(cipherText, RSAEncryptionPadding.OaepSHA1);`
`494`	`498`	`}`
`495`	`499`