[SECURITY] Fix CodeQL SM02196: suppress weak-hash warnings in negative test #204

Merged: elantiguamsft merged 1 commit into main from user/shawnzhang/codeql-sm02196-legacy-hash-test-suppress, Jun 22, 2026

@NN2000X NN2000X commented Jun 9, 2026

Contributor

Issue

Two CodeQL SM02196 ("Weak cryptography", SDL sdl-required, important severity) findings flag the same line in CoseIndirectSignature.Tests/CoseHashEnvelopeTests.cs:145:

using HashAlgorithm legacyHasher = hashSuffix == "md5" ? MD5.Create() : SHA1.Create();

Why suppression, not replacement

The test is named SignatureMatchesRejectsLegacyDigestAlgorithms and is parameterized on [TestCase("md5")] [TestCase("sha1")]. Its explicit purpose is to verify the library rejects MD5 and SHA1 as payload digest algorithms. Replacing them with SHA2 would defeat the test entirely — SignatureMatches would return true instead of false and the assertion would invert.

Change

One line, suppression-only:

- using HashAlgorithm legacyHasher = hashSuffix == "md5" ? MD5.Create() : SHA1.Create();
+ using HashAlgorithm legacyHasher = hashSuffix == "md5" ? MD5.Create() : SHA1.Create(); // CodeQL [SM02196] Negative test: MD5/SHA1 are intentional inputs verifying the library rejects legacy digest algorithms.
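
Review bot: The trailing suppression on the + line covers the whole expression, and the ternary's else branch maps every hashSuffix other than "md5" to SHA1.Create(), so a test case added later with any other suffix would silently hash with SHA1 under an already-suppressed finding. Consider mapping each suffix explicitly and throwing on an unknown value (for example a switch with "md5" and "sha1" arms and a default that throws), so the suppression stays scoped to the two algorithms the justification names. It would also help for the comment to name the test, SignatureMatchesRejectsLegacyDigestAlgorithms, since the assertion that makes this a negative test is not visible on this line.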

The trailing // CodeQL [SM02196] ... format matches the repo's existing convention (see CoseSignTool/SignCommand.cs:1265 and L1307).

Validation

  • No behavioural change — comment-only edit.
  • Subsequent CodeQL scan should clear both SM02196 findings on this line.

Documentation

…e test

CodeQL flagged MD5.Create() and SHA1.Create() on line 145 of CoseHashEnvelopeTests.cs (cs/weak-crypto, SDL sdl-required).

The test SignatureMatchesRejectsLegacyDigestAlgorithms deliberately uses MD5 and SHA1 as inputs to verify the library rejects legacy digest algorithms -- replacing them with SHA2 would defeat the purpose of the test.

Added a trailing // CodeQL [SM02196] suppression matching the repo convention (see CoseSignTool/SignCommand.cs:1265 and 1307).
@elantiguamsft elantiguamsft merged commit f5eb37a into main Jun 22, 2026
12 checks passed
@elantiguamsft elantiguamsft deleted the user/shawnzhang/codeql-sm02196-legacy-hash-test-suppress branch June 22, 2026 17:50