Fix | Suppress CodeQL X509RevocationMode warning. (dotnet#2432)

arellegue · dauinsight · commit 3b2c9ddc3acd · 2024-05-17T10:20:24.000-07:00
diff --git a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/VirtualSecureModeEnclaveProviderBase.cs b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/VirtualSecureModeEnclaveProviderBase.cs
@@ -243,6 +243,10 @@ private bool VerifyHealthReportAgainstRootCertificate(X509Certificate2Collection
                 chain.ChainPolicy.ExtraStore.Add(cert);
             }
 
+            // An Always Encrypted-enabled driver doesn't verify an expiration date or a certificate authority chain.
+            // A certificate is simply used as a key pair consisting of a public and private key. This is by design.
+
+            // CodeQL [SM00395] By design. Always Encrypted certificates should not be checked.
             chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
 
             if (!chain.Build(healthReportCert))

Original file line number	Diff line number	Diff line change
`@@ -243,6 +243,10 @@ private bool VerifyHealthReportAgainstRootCertificate(X509Certificate2Collection`
`243`	`243`	`chain.ChainPolicy.ExtraStore.Add(cert);`
`244`	`244`	`}`
`245`	`245`
	`246`	`+ // An Always Encrypted-enabled driver doesn't verify an expiration date or a certificate authority chain.`
	`247`	`+ // A certificate is simply used as a key pair consisting of a public and private key. This is by design.`
	`248`	`+`
	`249`	`+ // CodeQL [SM00395] By design. Always Encrypted certificates should not be checked.`
`246`	`250`	`chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;`
`247`	`251`
`248`	`252`	`if (!chain.Build(healthReportCert))`