Fix | Suppress CodeQL X509RevocationMode warning. (#2432)

arellegue · web-flow · commit 740069d657d8 · 2024-04-01T07:42:04.000-07:00
diff --git a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/VirtualSecureModeEnclaveProviderBase.cs b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/VirtualSecureModeEnclaveProviderBase.cs
@@ -252,6 +252,10 @@ private bool VerifyHealthReportAgainstRootCertificate(X509Certificate2Collection
                 chain.ChainPolicy.ExtraStore.Add(cert);
             }
 
+            // An Always Encrypted-enabled driver doesn't verify an expiration date or a certificate authority chain.
+            // A certificate is simply used as a key pair consisting of a public and private key. This is by design.
+
+            // CodeQL [SM00395] By design. Always Encrypted certificates should not be checked.
             chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
 
             if (!chain.Build(healthReportCert))

Original file line number	Diff line number	Diff line change
`@@ -252,6 +252,10 @@ private bool VerifyHealthReportAgainstRootCertificate(X509Certificate2Collection`
`252`	`252`	`chain.ChainPolicy.ExtraStore.Add(cert);`
`253`	`253`	`}`
`254`	`254`
	`255`	`+ // An Always Encrypted-enabled driver doesn't verify an expiration date or a certificate authority chain.`
	`256`	`+ // A certificate is simply used as a key pair consisting of a public and private key. This is by design.`
	`257`	`+`
	`258`	`+ // CodeQL [SM00395] By design. Always Encrypted certificates should not be checked.`
`255`	`259`	`chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;`
`256`	`260`
`257`	`261`	`if (!chain.Build(healthReportCert))`