Merge pull request microsoft#1876 from microsoft/suppress-codeql-false-positive

dscho · web-flow · commit 4751b2f00c2f · 2025-10-01T12:59:49.000Z
Suppress false positives about Git's usage of SHA-1
diff --git a/GVFS/GVFS.Common/Git/HashingStream.cs b/GVFS/GVFS.Common/Git/HashingStream.cs
@@ -17,7 +17,7 @@ public HashingStream(Stream stream)
         {
             this.stream = stream;
 
-            this.hash = SHA1.Create();
+            this.hash = SHA1.Create(); // CodeQL [SM02196] SHA-1 is acceptable here because this is Git's hashing algorithm, not used for cryptographic purposes
             this.hashResult = null;
             this.hash.Initialize();
             this.closed = false;
diff --git a/GVFS/GVFS.Common/SHA1Util.cs b/GVFS/GVFS.Common/SHA1Util.cs
@@ -21,7 +21,7 @@ public static byte[] SHA1ForUTF8String(string s)
         {
             byte[] bytes = Encoding.UTF8.GetBytes(s);
 
-            using (SHA1 sha1 = SHA1.Create())
+            using (SHA1 sha1 = SHA1.Create()) // CodeQL [SM02196] SHA-1 is acceptable here because this is Git's hashing algorithm, not used for cryptographic purposes
             {
                 return sha1.ComputeHash(bytes);
             }
diff --git a/GVFS/GVFS.Virtualization/Projection/GitIndexProjection.FolderData.cs b/GVFS/GVFS.Virtualization/Projection/GitIndexProjection.FolderData.cs
@@ -54,7 +54,7 @@ public void Include()
 
             public string HashedChildrenNamesSha()
             {
-                using (HashAlgorithm hash = SHA1.Create())
+                using (HashAlgorithm hash = SHA1.Create()) // CodeQL [SM02196] SHA-1 is acceptable here because this is Git's hashing algorithm, not used for cryptographic purposes
                 {
                     for (int i = 0; i < this.ChildEntries.Count; i++)
                     {

Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ public HashingStream(Stream stream)`
`17`	`17`	`{`
`18`	`18`	`this.stream = stream;`
`19`	`19`
`20`		`- this.hash = SHA1.Create();`
	`20`	`+ this.hash = SHA1.Create(); // CodeQL [SM02196] SHA-1 is acceptable here because this is Git's hashing algorithm, not used for cryptographic purposes`
`21`	`21`	`this.hashResult = null;`
`22`	`22`	`this.hash.Initialize();`
`23`	`23`	`this.closed = false;`
Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@ public static byte[] SHA1ForUTF8String(string s)`
`21`	`21`	`{`
`22`	`22`	`byte[] bytes = Encoding.UTF8.GetBytes(s);`
`23`	`23`
`24`		`- using (SHA1 sha1 = SHA1.Create())`
	`24`	`+ using (SHA1 sha1 = SHA1.Create()) // CodeQL [SM02196] SHA-1 is acceptable here because this is Git's hashing algorithm, not used for cryptographic purposes`
`25`	`25`	`{`
`26`	`26`	`return sha1.ComputeHash(bytes);`
`27`	`27`	`}`
Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,7 @@ public void Include()`
`54`	`54`
`55`	`55`	`public string HashedChildrenNamesSha()`
`56`	`56`	`{`
`57`		`- using (HashAlgorithm hash = SHA1.Create())`
	`57`	`+ using (HashAlgorithm hash = SHA1.Create()) // CodeQL [SM02196] SHA-1 is acceptable here because this is Git's hashing algorithm, not used for cryptographic purposes`
`58`	`58`	`{`
`59`	`59`	`for (int i = 0; i < this.ChildEntries.Count; i++)`
`60`	`60`	`{`