Add explanation for CodeQL suppressions. (#2263)

brianrob · web-flow · commit e9a2b7ee0818 · 2025-07-15T13:16:22.000+02:00
diff --git a/src/TraceEvent/Symbols/NativeSymbolModule.cs b/src/TraceEvent/Symbols/NativeSymbolModule.cs
@@ -664,11 +664,11 @@ private void TryInitializeCppChecksum(IDiaSourceFile sourceFile)
                 // 3 checksum generated with the SHA256 hashing algorithm.
                 if (sourceFile.checksumType == 1)
                 {
-                    _hashAlgorithm = System.Security.Cryptography.MD5.Create(); // lgtm [cs/weak-crypto]
+                    _hashAlgorithm = System.Security.Cryptography.MD5.Create(); // lgtm [cs/weak-crypto] The PDB specifies the checksum algorithm.  This is not controlled by TraceEvent.
                 }
                 else if (sourceFile.checksumType == 2)
                 {
-                    _hashAlgorithm = System.Security.Cryptography.SHA1.Create(); // lgtm [cs/weak-crypto]
+                    _hashAlgorithm = System.Security.Cryptography.SHA1.Create(); // lgtm [cs/weak-crypto] The PDB specifies the checksum algorithm.  This is not controlled by TraceEvent.
                 }
                 else if (sourceFile.checksumType == 3)
                 {
@@ -725,11 +725,11 @@ private void TryInitializeManagedChecksum(NativeSymbolModule module)
 
                     if (srcFormat.Header.algorithmId == guidMD5)
                     {
-                        _hashAlgorithm = System.Security.Cryptography.MD5.Create(); // lgtm [cs/weak-crypto]
+                        _hashAlgorithm = System.Security.Cryptography.MD5.Create(); // lgtm [cs/weak-crypto] The checksum algorithm is specified by the injected source.  This is not controlled by TraceEvent.
                     }
                     else if (srcFormat.Header.algorithmId == guidSHA1)
                     {
-                        _hashAlgorithm = System.Security.Cryptography.SHA1.Create(); // lgtm [cs/weak-crypto]
+                        _hashAlgorithm = System.Security.Cryptography.SHA1.Create(); // lgtm [cs/weak-crypto] The checksum algorithm is specified by the injected source.  This is not controlled by TraceEvent.
                     }
                     else if (srcFormat.Header.algorithmId == guidSHA256)
                     {
diff --git a/src/TraceEvent/Symbols/PortableSymbolModule.cs b/src/TraceEvent/Symbols/PortableSymbolModule.cs
@@ -119,7 +119,7 @@ internal PortablePdbSourceFile(DocumentHandle documentHandle, PortableSymbolModu
                 Guid hashAlgorithmGuid = metaData.GetGuid(sourceFileDocument.HashAlgorithm);
                 if (hashAlgorithmGuid == HashAlgorithmSha1)
                 {
-                    _hashAlgorithm = System.Security.Cryptography.SHA1.Create(); // lgtm [cs/weak-crypto]
+                    _hashAlgorithm = System.Security.Cryptography.SHA1.Create(); // lgtm [cs/weak-crypto] The PDB specifies the checksum algorithm.  This is not controlled by TraceEvent.
                 }
                 else if (hashAlgorithmGuid == HashAlgorithmSha256)
                 {
diff --git a/src/TraceEvent/TraceEventSession.cs b/src/TraceEvent/TraceEventSession.cs
@@ -3053,7 +3053,7 @@ public static Guid GetEventSourceGuidFromName(string name)
             }
 
             // Compute the Sha1 hash
-            var sha1 = System.Security.Cryptography.SHA1.Create(); // lgtm [cs/weak-crypto]
+            var sha1 = System.Security.Cryptography.SHA1.Create(); // lgtm [cs/weak-crypto] The EventSource name to GUID protocol requires a SHA1 hash.
             byte[] hash = sha1.ComputeHash(bytes);
 
             // Create a GUID out of the first 16 bytes of the hash (SHA-1 create a 20 byte hash)
diff --git a/src/TraceParserGen/Program.cs b/src/TraceParserGen/Program.cs
@@ -636,7 +636,7 @@ private static Guid GenerateGuidFromName(string name)
         }
 
         // Compute the Sha1 hash
-        var sha1 = System.Security.Cryptography.SHA1.Create(); // lgtm [cs/weak-crypto]
+        var sha1 = System.Security.Cryptography.SHA1.Create(); // lgtm [cs/weak-crypto] The EventSource name to GUID protocol requires a SHA1 hash.
         byte[] hash = sha1.ComputeHash(bytes);
 
         // Create a GUID out of the first 16 bytes of the hash (SHA-1 create a 20 byte hash)

Original file line number	Diff line number	Diff line change
`@@ -664,11 +664,11 @@ private void TryInitializeCppChecksum(IDiaSourceFile sourceFile)`
`664`	`664`	`// 3 checksum generated with the SHA256 hashing algorithm.`
`665`	`665`	`if (sourceFile.checksumType == 1)`
`666`	`666`	`{`
`667`		`- _hashAlgorithm = System.Security.Cryptography.MD5.Create(); // lgtm [cs/weak-crypto]`
	`667`	`+ _hashAlgorithm = System.Security.Cryptography.MD5.Create(); // lgtm [cs/weak-crypto] The PDB specifies the checksum algorithm. This is not controlled by TraceEvent.`
`668`	`668`	`}`
`669`	`669`	`else if (sourceFile.checksumType == 2)`
`670`	`670`	`{`
`671`		`- _hashAlgorithm = System.Security.Cryptography.SHA1.Create(); // lgtm [cs/weak-crypto]`
	`671`	`+ _hashAlgorithm = System.Security.Cryptography.SHA1.Create(); // lgtm [cs/weak-crypto] The PDB specifies the checksum algorithm. This is not controlled by TraceEvent.`
`672`	`672`	`}`
`673`	`673`	`else if (sourceFile.checksumType == 3)`
`674`	`674`	`{`
`@@ -725,11 +725,11 @@ private void TryInitializeManagedChecksum(NativeSymbolModule module)`
`725`	`725`
`726`	`726`	`if (srcFormat.Header.algorithmId == guidMD5)`
`727`	`727`	`{`
`728`		`- _hashAlgorithm = System.Security.Cryptography.MD5.Create(); // lgtm [cs/weak-crypto]`
	`728`	`+ _hashAlgorithm = System.Security.Cryptography.MD5.Create(); // lgtm [cs/weak-crypto] The checksum algorithm is specified by the injected source. This is not controlled by TraceEvent.`
`729`	`729`	`}`
`730`	`730`	`else if (srcFormat.Header.algorithmId == guidSHA1)`
`731`	`731`	`{`
`732`		`- _hashAlgorithm = System.Security.Cryptography.SHA1.Create(); // lgtm [cs/weak-crypto]`
	`732`	`+ _hashAlgorithm = System.Security.Cryptography.SHA1.Create(); // lgtm [cs/weak-crypto] The checksum algorithm is specified by the injected source. This is not controlled by TraceEvent.`
`733`	`733`	`}`
`734`	`734`	`else if (srcFormat.Header.algorithmId == guidSHA256)`
`735`	`735`	`{`
Original file line number	Diff line number	Diff line change
`@@ -119,7 +119,7 @@ internal PortablePdbSourceFile(DocumentHandle documentHandle, PortableSymbolModu`
`119`	`119`	`Guid hashAlgorithmGuid = metaData.GetGuid(sourceFileDocument.HashAlgorithm);`
`120`	`120`	`if (hashAlgorithmGuid == HashAlgorithmSha1)`
`121`	`121`	`{`
`122`		`- _hashAlgorithm = System.Security.Cryptography.SHA1.Create(); // lgtm [cs/weak-crypto]`
	`122`	`+ _hashAlgorithm = System.Security.Cryptography.SHA1.Create(); // lgtm [cs/weak-crypto] The PDB specifies the checksum algorithm. This is not controlled by TraceEvent.`
`123`	`123`	`}`
`124`	`124`	`else if (hashAlgorithmGuid == HashAlgorithmSha256)`
`125`	`125`	`{`
Original file line number	Diff line number	Diff line change
`@@ -3053,7 +3053,7 @@ public static Guid GetEventSourceGuidFromName(string name)`
`3053`	`3053`	`}`
`3054`	`3054`
`3055`	`3055`	`// Compute the Sha1 hash`
`3056`		`- var sha1 = System.Security.Cryptography.SHA1.Create(); // lgtm [cs/weak-crypto]`
	`3056`	`+ var sha1 = System.Security.Cryptography.SHA1.Create(); // lgtm [cs/weak-crypto] The EventSource name to GUID protocol requires a SHA1 hash.`
`3057`	`3057`	`byte[] hash = sha1.ComputeHash(bytes);`
`3058`	`3058`
`3059`	`3059`	`// Create a GUID out of the first 16 bytes of the hash (SHA-1 create a 20 byte hash)`
Original file line number	Diff line number	Diff line change
`@@ -636,7 +636,7 @@ private static Guid GenerateGuidFromName(string name)`
`636`	`636`	`}`
`637`	`637`
`638`	`638`	`// Compute the Sha1 hash`
`639`		`- var sha1 = System.Security.Cryptography.SHA1.Create(); // lgtm [cs/weak-crypto]`
	`639`	`+ var sha1 = System.Security.Cryptography.SHA1.Create(); // lgtm [cs/weak-crypto] The EventSource name to GUID protocol requires a SHA1 hash.`
`640`	`640`	`byte[] hash = sha1.ComputeHash(bytes);`
`641`	`641`
`642`	`642`	`// Create a GUID out of the first 16 bytes of the hash (SHA-1 create a 20 byte hash)`