Skip to content

CodeQL fixes #74658

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jaredpar merged 1 commit into from
Aug 6, 2024
Merged

CodeQL fixes #74658

jaredpar merged 1 commit into from
Aug 6, 2024

Conversation

@jaredpar
Copy link
Member

@jaredpar jaredpar commented Aug 6, 2024

This takes care of a number of CodeQL violations in our code base. Virtually all of these were about uses of MD5 or SHA-1 that we have to support due to the file formats we produce and consume. As such I added suppressions for those cases. There was one real case that could be migrated that I took care of.

@jaredpar jaredpar requested review from a team as code owners August 6, 2024 14:01
@ghost ghost added Area-Compilers untriaged Issues and PRs which have not yet been triaged by a lead labels Aug 6, 2024
@jaredpar
Copy link
Member Author

jaredpar commented Aug 6, 2024

@dotnet/roslyn-compiler PTAL

jaredpar
jaredpar commented Aug 6, 2024
View reviewed changes
src/Compilers/Core/Portable/PEWriter/SigningUtilities.cs
Comment on lines +33 to +40
static byte[] calculateSha1(IEnumerable<Blob> content)
{
hash.AppendData(content);
return hash.GetHashAndReset();
// CodeQL [SM02196] ECMA-335 requires us to use SHA-1 and there is no alternative.
using (var hash = IncrementalHash.CreateHash(HashAlgorithmName.SHA1))
{
hash.AppendData(content);
return hash.GetHashAndReset();
}
Copy link
Member Author

@jaredpar jaredpar Aug 6, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moved this to a local function to make it clear that the scope of the SHA1 usage was this function.

@jaredpar
CodeQL fixes
1217179 
This takes care of a number of CodeQL violations in our code base.
Virtually all of these were about uses of MD5 or SHA-1 that we have to
support due to the file formats we produce and consume. As such I added
suppressions for those cases. There was one real case that could be
migrated that I took care of.
@jaredpar jaredpar merged commit 56a9377 into dotnet:main Aug 6, 2024
@jaredpar jaredpar deleted the codeql branch August 6, 2024 18:29
@dotnet-policy-service dotnet-policy-service bot added this to the Next milestone Aug 6, 2024
This was referenced Aug 8, 2024
Closed
Closed
@dibarbet dibarbet modified the milestones: Next, 17.12 P2 Aug 26, 2024
@dotnet-bot dotnet-bot mentioned this pull request Aug 28, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@333fred 333fred 333fred approved these changes

@chsienki chsienki chsienki approved these changes

+1 more reviewer

@cston cston cston approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

Area-Compilers untriaged Issues and PRs which have not yet been triaged by a lead

Projects

None yet

Milestone

17.12 P2

Development

Successfully merging this pull request may close these issues.

5 participants

@jaredpar @333fred @cston @chsienki @dibarbet