Supress CodeQL Warning in SPDX parsing (#1444)

gpcastro · web-flow · commit 7389d7ddca08 · 2025-06-30T23:15:48.000Z
diff --git a/src/Microsoft.ComponentDetection.Detectors/spdx/Spdx22ComponentDetector.cs b/src/Microsoft.ComponentDetection.Detectors/spdx/Spdx22ComponentDetector.cs
@@ -121,7 +121,7 @@ private SpdxComponent ConvertJObjectToSbomComponent(ProcessRequest processReques
     private string GetSHA1HashFromStream(Stream stream)
     {
 #pragma warning disable CA5350 // Suppress Do Not Use Weak Cryptographic Algorithms because we use SHA1 intentionally in SPDX format
-        return BitConverter.ToString(SHA1.Create().ComputeHash(stream)).Replace("-", string.Empty).ToLower();
+        return BitConverter.ToString(SHA1.Create().ComputeHash(stream)).Replace("-", string.Empty).ToLower(); // CodeQL [SM02196] Sha1 is used in SPDX 2.2 format this file is parsing (https://spdx.github.io/spdx-spec/v2.2.2/file-information/).
 #pragma warning restore CA5350
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -121,7 +121,7 @@ private SpdxComponent ConvertJObjectToSbomComponent(ProcessRequest processReques`
`121`	`121`	`private string GetSHA1HashFromStream(Stream stream)`
`122`	`122`	`{`
`123`	`123`	`#pragma warning disable CA5350 // Suppress Do Not Use Weak Cryptographic Algorithms because we use SHA1 intentionally in SPDX format`
`124`		`- return BitConverter.ToString(SHA1.Create().ComputeHash(stream)).Replace("-", string.Empty).ToLower();`
	`124`	`+ return BitConverter.ToString(SHA1.Create().ComputeHash(stream)).Replace("-", string.Empty).ToLower(); // CodeQL [SM02196] Sha1 is used in SPDX 2.2 format this file is parsing (https://spdx.github.io/spdx-spec/v2.2.2/file-information/).`
`125`	`125`	`#pragma warning restore CA5350`
`126`	`126`	`}`
`127`	`127`	`}`