Add CodeQL suppression "random number" dictionary key (dotnet#4276)

benrr101 · web-flow · commit ed896eb91010 · 2026-05-21T16:45:40.000Z
diff --git a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlDependencyUtils.cs b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlDependencyUtils.cs
@@ -89,7 +89,7 @@ private SqlDependencyPerAppDomainDispatcher()
 #if NETFRAMEWORK
                 _timeoutTimer = new Timer(new TimerCallback(TimeoutTimerCallback), null, Timeout.Infinite, Timeout.Infinite);
 
-                // If rude abort - we'll leak.  This is acceptable for now.  
+                // If rude abort - we'll leak.  This is acceptable for now.
                 AppDomain.CurrentDomain.DomainUnload += new EventHandler(UnloadEventHandler);
 #else
                 _timeoutTimer = ADP.UnsafeCreateTimer(
@@ -131,7 +131,7 @@ private void UnloadEventHandler(object sender, EventArgs e)
             }
         }
 
-        //  When remoted across appdomains, MarshalByRefObject links by default time out if there is no activity 
+        //  When remoted across appdomains, MarshalByRefObject links by default time out if there is no activity
         //  within a few minutes.  Add this override to prevent marshaled links from timing out.
 #if NET
         [Obsolete("InitializeLifetimeService() is not supported after .Net5.0 and throws PlatformNotSupportedException.")]
@@ -216,7 +216,7 @@ internal string AddCommandEntry(string commandHash, SqlDependency dep)
                             dependencyList.Add(dep);
 
                             // map command hash to notification we just created to reuse it for the next client
-                            _commandHashToNotificationId.Add(commandHash, notificationId);
+                            _commandHashToNotificationId.Add(commandHash, notificationId); // CodeQL [SM04207] This value is an opaque query-notification correlation identifier, not a secret or security token. It is used only for uniqueness and exact dictionary lookup after SQL Server round-trips the user data. Guid.NewGuid provides sufficient collision resistance for the expected in-process notification cardinality, and changing the generator would not materially improve security.
                             _notificationIdToDependenciesHash.Add(notificationId, dependencyList);
                         }
 
