Suppress unapplicable CodeQL AAD issues (#10701)

jviau · web-flow · commit a3d13385925e · 2025-01-22T08:29:25.000-08:00
diff --git a/src/WebJobs.Script.WebHost/Security/Authentication/Jwt/ScriptJwtBearerExtensions.cs b/src/WebJobs.Script.WebHost/Security/Authentication/Jwt/ScriptJwtBearerExtensions.cs
@@ -135,6 +135,9 @@ private static IEnumerable<string> GetValidAudiences()
         public static TokenValidationParameters CreateTokenValidationParameters()
         {
             var signingKeys = SecretsUtility.GetTokenIssuerSigningKeys();
+
+            // There are two separate CodeQL alerts for the same issue. The double comment on same line is intentional.
+            // CodeQL [SM04555] this handler does not verify AAD tokens. It verifies tokens issued by the platform. // CodeQL [SM04554] this handler does not verify AAD tokens. It verifies tokens issued by the platform.
             var result = new TokenValidationParameters();
             if (signingKeys.Length > 0)
             {

Original file line number	Diff line number	Diff line change
`@@ -135,6 +135,9 @@ private static IEnumerable<string> GetValidAudiences()`
`135`	`135`	`public static TokenValidationParameters CreateTokenValidationParameters()`
`136`	`136`	`{`
`137`	`137`	`var signingKeys = SecretsUtility.GetTokenIssuerSigningKeys();`
	`138`	`+`
	`139`	`+ // There are two separate CodeQL alerts for the same issue. The double comment on same line is intentional.`
	`140`	`+ // CodeQL [SM04555] this handler does not verify AAD tokens. It verifies tokens issued by the platform. // CodeQL [SM04554] this handler does not verify AAD tokens. It verifies tokens issued by the platform.`
`138`	`141`	`var result = new TokenValidationParameters();`
`139`	`142`	`if (signingKeys.Length > 0)`
`140`	`143`	`{`