CodeQL suppressions (#75003)

Another round of CodeQL suppressions

Author: jaredpar

src/Compilers/Core/Portable/CryptographicHashProvider.cs

@@ -128,6 +128,7 @@ internal static HashAlgorithmName GetAlgorithmName(SourceHashAlgorithm algorithm
                     return SHA512.Create();
 
                 case AssemblyHashAlgorithm.MD5:
+                    // CodeQL [SM02196] This is supported by the underlying ECMA-335 APIs (System.Reflection.Metadata) and as consumers we must also support it.
                     return MD5.Create();
 
                 default:

src/Compilers/Test/Core/Metadata/ILValidation.cs

@@ -106,6 +106,7 @@ public static bool IsStreamFullSigned(Stream moduleContents)
                         // signing implementation.
                         Array.Reverse(reversedSignature);
 
+                        // CodeQL [SM02196] ECMA-335 requires us to support SHA-1 and this is testing that support
                         if (!rsa.VerifyHash(hash, reversedSignature, HashAlgorithmName.SHA1, RSASignaturePadding.Pkcs1))
                         {
                             return false;
@@ -145,6 +146,7 @@ private static byte[] ComputeSigningHash(
                 buffer[authenticodeOffset + i] = 0;
             }
 
+            // CodeQL [SM02196] ECMA-335 requires us to support SHA-1 and this is testing that support
             using (var hash = IncrementalHash.CreateHash(HashAlgorithmName.SHA1))
             {
                 // First hash the DOS header and PE headers

src/Workspaces/CoreTest/SolutionTests/SolutionTests.cs

@@ -1482,6 +1482,7 @@ public async Task WithProjectChecksumAlgorithm_DocumentUpdates()
             fileD.WriteAllBytes(bytes);
 
             var sha256 = SHA256.Create();
+            // CodeQL [SM02196] This is not enabled by default but exists as a compat option for existing builds.
             var sha1 = SHA1.Create();
             var checksumSHA1 = sha1.ComputeHash(bytes);
             var checksumSHA256 = sha256.ComputeHash(bytes);