Suppress various CodeQL items (#457)

andystaples · sophiatev · web-flow · commit 1d3dac57d22f · 2025-08-05T12:31:59.000-07:00
Co-authored-by: sophiatev &lt;38052607+sophiatev@users.noreply.github.com&gt;
diff --git a/src/Client/AzureManaged/DurableTaskSchedulerClientOptions.cs b/src/Client/AzureManaged/DurableTaskSchedulerClientOptions.cs
@@ -173,7 +173,7 @@ this.Credential is not null
         switch (authType.ToLowerInvariant())
         {
             case "defaultazure":
-                return new DefaultAzureCredential();
+                return new DefaultAzureCredential(); // CodeQL [SM05137] Use DefaultAzureCredential explicitly for local development and is decided by the user
             case "managedidentity":
                 return new ManagedIdentityCredential(connectionString.ClientId);
             case "workloadidentity":
diff --git a/src/Worker/AzureManaged/DurableTaskSchedulerWorkerOptions.cs b/src/Worker/AzureManaged/DurableTaskSchedulerWorkerOptions.cs
@@ -135,7 +135,7 @@ this.Credential is not null
         switch (authType.ToLowerInvariant())
         {
             case "defaultazure":
-                return new DefaultAzureCredential();
+                return new DefaultAzureCredential(); // CodeQL [SM05137] Use DefaultAzureCredential explicitly for local development and is decided by the user
             case "managedidentity":
                 return new ManagedIdentityCredential(connectionString.ClientId);
             case "workloadidentity":
diff --git a/src/Worker/Core/Shims/TaskOrchestrationContextWrapper.cs b/src/Worker/Core/Shims/TaskOrchestrationContextWrapper.cs
@@ -379,7 +379,9 @@ static void SwapByteArrayElements(byte[] byteArray, int left, int right)
 
         byte[] hashByteArray;
 #pragma warning disable CA5350 // Do Not Use Weak Cryptographic Algorithms -- not for cryptography
-        using (HashAlgorithm hashAlgorithm = SHA1.Create())
+        using (HashAlgorithm hashAlgorithm = SHA1.Create()) /* CodeQL [SM02196] Suppressed: SHA1 is not used for cryptographic purposes here. The information being hashed is not sensitive,
+                                                               and the goal is to generate a deterministic Guid. We cannot update to SHA2-based algorithms without breaking
+                                                               customers' inflight orchestrations. */
         {
             hashAlgorithm.TransformBlock(namespaceValueByteArray, 0, namespaceValueByteArray.Length, null, 0);
             hashAlgorithm.TransformFinalBlock(nameByteArray, 0, nameByteArray.Length);

Original file line number	Diff line number	Diff line change
`@@ -173,7 +173,7 @@ this.Credential is not null`
`173`	`173`	`switch (authType.ToLowerInvariant())`
`174`	`174`	`{`
`175`	`175`	`case "defaultazure":`
`176`		`- return new DefaultAzureCredential();`
	`176`	`+ return new DefaultAzureCredential(); // CodeQL [SM05137] Use DefaultAzureCredential explicitly for local development and is decided by the user`
`177`	`177`	`case "managedidentity":`
`178`	`178`	`return new ManagedIdentityCredential(connectionString.ClientId);`
`179`	`179`	`case "workloadidentity":`
Original file line number	Diff line number	Diff line change
`@@ -135,7 +135,7 @@ this.Credential is not null`
`135`	`135`	`switch (authType.ToLowerInvariant())`
`136`	`136`	`{`
`137`	`137`	`case "defaultazure":`
`138`		`- return new DefaultAzureCredential();`
	`138`	`+ return new DefaultAzureCredential(); // CodeQL [SM05137] Use DefaultAzureCredential explicitly for local development and is decided by the user`
`139`	`139`	`case "managedidentity":`
`140`	`140`	`return new ManagedIdentityCredential(connectionString.ClientId);`
`141`	`141`	`case "workloadidentity":`