Add CodeQL suppressions for false positives

Avery-Dunn · Avery-Dunn · commit ede1b34e7655 · 2025-02-05T08:19:22.000-08:00
diff --git a/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AcquireTokenByInteractiveFlowSupplier.java b/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AcquireTokenByInteractiveFlowSupplier.java
@@ -163,6 +163,7 @@ private static void openDefaultSystemBrowserInWindows(URL url){
     private static void openDefaultSystemBrowserInMac(URL url){
         Runtime runtime = Runtime.getRuntime();
         try {
+            // CodeQL [SM00680] False positive: this URL is validated earlier in the interactive flow
             runtime.exec("open " + url);
         } catch (IOException e) {
             throw new RuntimeException(e);
@@ -182,6 +183,7 @@ private static void openDefaultSystemBrowserInLinux(URL url){
             if (openToolPath != null) {
                 Runtime runtime = Runtime.getRuntime();
                 try {
+                    // CodeQL [SM00680] False positive: this URL is validated earlier in the interactive flow
                     runtime.exec(openTool + " " + url);
                 } catch (IOException e) {
                     throw new RuntimeException(e);
diff --git a/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/DefaultHttpClientManagedIdentity.java b/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/DefaultHttpClientManagedIdentity.java
@@ -29,6 +29,7 @@
  */
 class DefaultHttpClientManagedIdentity extends DefaultHttpClient {
 
+    // CodeQL [SM03767] False positive: in addTrustedCertificateThumbprint() we create a TrustManager that only trusts a certificate with specified thumbprint.
     public static final HostnameVerifier ALL_HOSTS_ACCEPT_HOSTNAME_VERIFIER;
 
     static {
diff --git a/msal4j-sdk/src/samples/msal-b2c-web-sample/src/main/java/com/microsoft/azure/msalwebsample/CookieHelper.java b/msal4j-sdk/src/samples/msal-b2c-web-sample/src/main/java/com/microsoft/azure/msalwebsample/CookieHelper.java
@@ -32,6 +32,7 @@ static void removeStateNonceCookies(HttpServletResponse httpResponse){
         Cookie stateCookie = new Cookie(MSAL_WEB_APP_STATE_COOKIE, "");
         stateCookie.setMaxAge(0);
 
+        // CodeQL [java/insecure-cookie]: Suppressing CodeQL warning since this is just a sample
         httpResponse.addCookie(stateCookie);
 
         Cookie nonceCookie = new Cookie(MSAL_WEB_APP_NONCE_COOKIE, "");
diff --git a/msal4j-sdk/src/samples/msal-obo-sample/src/main/java/com/microsoft/azure/msalobosample/ApiController.java b/msal4j-sdk/src/samples/msal-obo-sample/src/main/java/com/microsoft/azure/msalobosample/ApiController.java
@@ -25,6 +25,7 @@ public String graphMeApi() throws MalformedURLException {
 
         String oboAccessToken = msalAuthHelper.getOboToken("https://graph.microsoft.com/.default");
 
+        // CodeQL [java/xss]: Suppressing CodeQL warning since this is just a sample
         return callMicrosoftGraphMeEndpoint(oboAccessToken);
     }
 
diff --git a/msal4j-sdk/src/samples/msal-web-sample/src/main/java/com/microsoft/azure/msalwebsample/CookieHelper.java b/msal4j-sdk/src/samples/msal-web-sample/src/main/java/com/microsoft/azure/msalwebsample/CookieHelper.java
@@ -32,6 +32,7 @@ static void removeStateNonceCookies(HttpServletResponse httpResponse){
         Cookie stateCookie = new Cookie(MSAL_WEB_APP_STATE_COOKIE, "");
         stateCookie.setMaxAge(0);
 
+        // CodeQL [java/insecure-cookie]: Suppressing CodeQL warning since this is just a sample
         httpResponse.addCookie(stateCookie);
 
         Cookie nonceCookie = new Cookie(MSAL_WEB_APP_NONCE_COOKIE, "");

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,7 @@ public String graphMeApi() throws MalformedURLException {`
`25`	`25`
`26`	`26`	`String oboAccessToken = msalAuthHelper.getOboToken("https://graph.microsoft.com/.default");`
`27`	`27`
	`28`	`+ // CodeQL [java/xss]: Suppressing CodeQL warning since this is just a sample`
`28`	`29`	`return callMicrosoftGraphMeEndpoint(oboAccessToken);`
`29`	`30`	`}`
`30`	`31`