Suppress CodeQL issues by Avery-Dunn · Pull Request #966 · AzureAD/microsoft-authentication-library-for-java

Avery-Dunn · 2025-06-05T17:33:15Z

Recent CodeQL scans found two issues:

SM05136: Use of a weak, unapproved or risky cryptographic algorithm, hash or signature
- This is due to the use of SHA-1 hashing in ADFS scenarios
- All other scenarios have moved to SHA-256, however ADFS still requires SHA-1 and therefore we must keep this code in place until ADFS is updated.
SM03767: Unsafe hostname verification
- This is due to disabling hostname verification of a specific certificate in Service Fabric scenarios
- We expect the connection to work against a specific certificate in a Service Fabric environment only, so it's safe to disable the hostname verification for this scenario

Suppress CodeQL issues

0b4f4a6

Avery-Dunn requested a review from a team as a code owner June 5, 2025 17:33

Robbie-Microsoft approved these changes Jun 5, 2025

View reviewed changes

Avery-Dunn merged commit 04130d4 into dev Jun 5, 2025
5 checks passed

Avery-Dunn mentioned this pull request Jun 9, 2025

Suppressed SHA-1 CodeQL flag #969

Merged

Avery-Dunn deleted the avdunn/codeql-suppressions branch September 15, 2025 14:27

Provide feedback