Add comments to suppress codeql alerts (#13406)

rahul0216 · web-flow · commit ecab12841cbd · 2026-01-09T09:45:12.000+05:30
* Add comments to suppress codeql alerts

Added CodeQL comments to suppress alerts for various hash algorithm usages in cryptography package files for compatibility and backwards compatibility purposes. No functional changes were made.
diff --git a/Solutions/CyberArkAudit/Data Connectors/.python_packages/lib/site-packages/cryptography/hazmat/_oid.py b/Solutions/CyberArkAudit/Data Connectors/.python_packages/lib/site-packages/cryptography/hazmat/_oid.py
@@ -124,27 +124,27 @@ class SignatureAlgorithmOID:
 
 _SIG_OIDS_TO_HASH: dict[ObjectIdentifier, hashes.HashAlgorithm | None] = {
     SignatureAlgorithmOID.RSA_WITH_MD5: hashes.MD5(),                   # CodeQL [SM02167] This is for compatibility.
-    SignatureAlgorithmOID.RSA_WITH_SHA1: hashes.SHA1(),
-    SignatureAlgorithmOID._RSA_WITH_SHA1: hashes.SHA1(),
-    SignatureAlgorithmOID.RSA_WITH_SHA224: hashes.SHA224(),
+    SignatureAlgorithmOID.RSA_WITH_SHA1: hashes.SHA1(),                 # CodeQL [SM02167] This is for compatibility.
+    SignatureAlgorithmOID._RSA_WITH_SHA1: hashes.SHA1(),                # CodeQL [SM02167] This is for compatibility.   
+    SignatureAlgorithmOID.RSA_WITH_SHA224: hashes.SHA224(),             # CodeQL [SM02167] This is for compatibility.
     SignatureAlgorithmOID.RSA_WITH_SHA256: hashes.SHA256(),
     SignatureAlgorithmOID.RSA_WITH_SHA384: hashes.SHA384(),
     SignatureAlgorithmOID.RSA_WITH_SHA512: hashes.SHA512(),
-    SignatureAlgorithmOID.RSA_WITH_SHA3_224: hashes.SHA3_224(),
-    SignatureAlgorithmOID.RSA_WITH_SHA3_256: hashes.SHA3_256(),
-    SignatureAlgorithmOID.RSA_WITH_SHA3_384: hashes.SHA3_384(),
-    SignatureAlgorithmOID.RSA_WITH_SHA3_512: hashes.SHA3_512(),
-    SignatureAlgorithmOID.ECDSA_WITH_SHA1: hashes.SHA1(),
+    SignatureAlgorithmOID.RSA_WITH_SHA3_224: hashes.SHA3_224(),         # CodeQL [SM02167] This is for compatibility.
+    SignatureAlgorithmOID.RSA_WITH_SHA3_256: hashes.SHA3_256(),         # CodeQL [SM02167] This is for compatibility.
+    SignatureAlgorithmOID.RSA_WITH_SHA3_384: hashes.SHA3_384(),         # CodeQL [SM02167] This is for compatibility.
+    SignatureAlgorithmOID.RSA_WITH_SHA3_512: hashes.SHA3_512(),         # CodeQL [SM02167] This is for compatibility.
+    SignatureAlgorithmOID.ECDSA_WITH_SHA1: hashes.SHA1(),               # CodeQL [SM02167] This is for compatibility.
     SignatureAlgorithmOID.ECDSA_WITH_SHA224: hashes.SHA224(),           # CodeQL [SM02167] This is for compatibility.
     SignatureAlgorithmOID.ECDSA_WITH_SHA256: hashes.SHA256(),
-    SignatureAlgorithmOID.ECDSA_WITH_SHA384: hashes.SHA384(),
+    SignatureAlgorithmOID.ECDSA_WITH_SHA384: hashes.SHA384(),           # CodeQL [SM02167] This is for compatibility.
     SignatureAlgorithmOID.ECDSA_WITH_SHA512: hashes.SHA512(),
-    SignatureAlgorithmOID.ECDSA_WITH_SHA3_224: hashes.SHA3_224(),
+    SignatureAlgorithmOID.ECDSA_WITH_SHA3_224: hashes.SHA3_224(),       # CodeQL [SM02167] This is for compatibility.
     SignatureAlgorithmOID.ECDSA_WITH_SHA3_256: hashes.SHA3_256(),       # CodeQL [SM02167] This is for compatibility.
-    SignatureAlgorithmOID.ECDSA_WITH_SHA3_384: hashes.SHA3_384(),
+    SignatureAlgorithmOID.ECDSA_WITH_SHA3_384: hashes.SHA3_384(),       # CodeQL [SM02167] This is for compatibility.
     SignatureAlgorithmOID.ECDSA_WITH_SHA3_512: hashes.SHA3_512(),       # CodeQL [SM02167] This is for compatibility.
-    SignatureAlgorithmOID.DSA_WITH_SHA1: hashes.SHA1(),
-    SignatureAlgorithmOID.DSA_WITH_SHA224: hashes.SHA224(),
+    SignatureAlgorithmOID.DSA_WITH_SHA1: hashes.SHA1(),                 # CodeQL [SM02167] This is for compatibility.
+    SignatureAlgorithmOID.DSA_WITH_SHA224: hashes.SHA224(),             # CodeQL [SM02167] This is for compatibility.
     SignatureAlgorithmOID.DSA_WITH_SHA256: hashes.SHA256(),
     SignatureAlgorithmOID.ED25519: None,
     SignatureAlgorithmOID.ED448: None,
diff --git a/Solutions/CyberArkAudit/Data Connectors/.python_packages/lib/site-packages/cryptography/hazmat/backends/openssl/backend.py b/Solutions/CyberArkAudit/Data Connectors/.python_packages/lib/site-packages/cryptography/hazmat/backends/openssl/backend.py
@@ -97,18 +97,18 @@ class Backend:
     # Sometimes SHA1 is still permissible. That logic is contained
     # within the various *_supported methods.
     _fips_hashes = (
-        hashes.SHA224,
+        hashes.SHA224,          # CodeQL [SM02167] This is for backwards compatibility.
         hashes.SHA256,
         hashes.SHA384,
         hashes.SHA512,
-        hashes.SHA512_224,
-        hashes.SHA512_256,
+        hashes.SHA512_224,      # CodeQL [SM02167] This is for backwards compatibility.
+        hashes.SHA512_256,      # CodeQL [SM02167] This is for backwards compatibility.
         hashes.SHA3_224,        # CodeQL [SM02167] This is for backwards compatibility.
-        hashes.SHA3_256,
-        hashes.SHA3_384,
-        hashes.SHA3_512,
+        hashes.SHA3_256,        # CodeQL [SM02167] This is for backwards compatibility.
+        hashes.SHA3_384,        # CodeQL [SM02167] This is for backwards compatibility.
+        hashes.SHA3_512,        # CodeQL [SM02167] This is for backwards compatibility.
         hashes.SHAKE128,        # CodeQL [SM02167] This is for backwards compatibility.
-        hashes.SHAKE256,
+        hashes.SHAKE256,        # CodeQL [SM02167] This is for backwards compatibility.
     )
     _fips_ecdh_curves = (
         ec.SECP224R1,
@@ -197,7 +197,7 @@ def signature_hash_supported(
     ) -> bool:
         # Dedicated check for hashing algorithm use in message digest for
         # signatures, e.g. RSA PKCS#1 v1.5 SHA1 (sha1WithRSAEncryption).
-        if self._fips_enabled and isinstance(algorithm, hashes.SHA1):
+        if self._fips_enabled and isinstance(algorithm, hashes.SHA1):       # CodeQL [SM02167] This is for backwards compatibility.
             return False
         return self.hash_supported(algorithm)
 
@@ -370,16 +370,16 @@ def _read_mem_bio(self, bio) -> bytes:
         return bio_data
 
     def _oaep_hash_supported(self, algorithm: hashes.HashAlgorithm) -> bool:
-        if self._fips_enabled and isinstance(algorithm, hashes.SHA1):
+        if self._fips_enabled and isinstance(algorithm, hashes.SHA1):       # CodeQL [SM02167] This is for backwards compatibility.
             return False
 
         return isinstance(
             algorithm,
             (
-                hashes.SHA1,
-                hashes.SHA224,
+                hashes.SHA1,            # CodeQL [SM02167] This is for backwards compatibility.
+                hashes.SHA224,          # CodeQL [SM02167] This is for backwards compatibility.
                 hashes.SHA256,
-                hashes.SHA384,
+                hashes.SHA384,          # CodeQL [SM02167] This is for backwards compatibility.
                 hashes.SHA512,
             ),
         )
diff --git a/Solutions/CyberArkAudit/Data Connectors/.python_packages/lib/site-packages/cryptography/x509/base.py b/Solutions/CyberArkAudit/Data Connectors/.python_packages/lib/site-packages/cryptography/x509/base.py
@@ -46,7 +46,7 @@
     hashes.SHA256,
     hashes.SHA384,
     hashes.SHA512,
-    hashes.SHA3_224,
+    hashes.SHA3_224,            # CodeQL [SM02167] This is for comtatibility.
     hashes.SHA3_256,            # CodeQL [SM02167] This is for comtatibility.
     hashes.SHA3_384,            # CodeQL [SM02167] This is for comtatibility.
     hashes.SHA3_512,            # CodeQL [SM02167] This is for comtatibility.
