From 940e684b179ebbd840ccfa3a2e483c244f06a7eb Mon Sep 17 00:00:00 2001 From: Shawn Zhang Date: Tue, 9 Jun 2026 12:23:42 -0700 Subject: [PATCH] [SECURITY] Fix CodeQL SM02196: suppress weak-hash warnings in negative test CodeQL flagged MD5.Create() and SHA1.Create() on line 145 of CoseHashEnvelopeTests.cs (cs/weak-crypto, SDL sdl-required). The test SignatureMatchesRejectsLegacyDigestAlgorithms deliberately uses MD5 and SHA1 as inputs to verify the library rejects legacy digest algorithms -- replacing them with SHA2 would defeat the purpose of the test. Added a trailing // CodeQL [SM02196] suppression matching the repo convention (see CoseSignTool/SignCommand.cs:1265 and 1307). --- CoseIndirectSignature.Tests/CoseHashEnvelopeTests.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CoseIndirectSignature.Tests/CoseHashEnvelopeTests.cs b/CoseIndirectSignature.Tests/CoseHashEnvelopeTests.cs index 08539752..8ff9ed00 100644 --- a/CoseIndirectSignature.Tests/CoseHashEnvelopeTests.cs +++ b/CoseIndirectSignature.Tests/CoseHashEnvelopeTests.cs @@ -142,7 +142,7 @@ public void SignatureMatchesRejectsLegacyDigestAlgorithms(string hashSuffix) CoseSign1MessageFactory factory = new(); byte[] payload = Encoding.UTF8.GetBytes("payload-to-verify"); - using HashAlgorithm legacyHasher = hashSuffix == "md5" ? MD5.Create() : SHA1.Create(); + using HashAlgorithm legacyHasher = hashSuffix == "md5" ? MD5.Create() : SHA1.Create(); // CodeQL [SM02196] Negative test: MD5/SHA1 are intentional inputs verifying the library rejects legacy digest algorithms. byte[] payloadHash = legacyHasher.ComputeHash(payload); CoseSign1Message message = factory.CreateCoseSign1Message(