From 98d46e2ad9a7563b20716f5e0cddae6da5beb9fe Mon Sep 17 00:00:00 2001 From: DavoudEshtehari <61173489+DavoudEshtehari@users.noreply.github.com> Date: Wed, 24 Apr 2024 14:34:19 -0700 Subject: [PATCH] [5.2.1] | Fix CodeQL and Rozlyn warnings (#2428) and (#2432) (#2467)
---
 .../Microsoft/Data/SqlClient/TdsParserHelperClasses.cs | 10 ++++++----
 .../Data/SqlClient/TdsParserStateObjectNative.cs | 5 +++--
 .../SqlClient/VirtualSecureModeEnclaveProviderBase.cs | 6 ++++++
 3 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParserHelperClasses.cs b/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParserHelperClasses.cs
index 9a6ceb7054..d0431e1901 100644
--- a/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParserHelperClasses.cs
+++ b/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParserHelperClasses.cs
@@ -764,13 +764,14 @@ private static string ToFriendlyName(this SslProtocols protocol)
 {
 name = "TLS 1.0";
 }
-#pragma warning disable CS0618 // Type or member is obsolete: SSL is depricated
+// SSL 2.0 and 3.0 are only referenced to log a warning, not explicitly used for connections
+#pragma warning disable CS0618, CA5397
 else if ((protocol & SslProtocols.Ssl3) == SslProtocols.Ssl3)
 {
 name = "SSL 3.0";
 }
 else if ((protocol & SslProtocols.Ssl2) == SslProtocols.Ssl2)
-#pragma warning restore CS0618 // Type or member is obsolete: SSL is depricated
+#pragma warning restore CS0618, CA5397
 {
 name = "SSL 2.0";
 }
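Review bot: The new `#pragma warning disable CS0618, CA5397` lines no longer say what either diagnostic is, and the restore still sits between the `else if (... SslProtocols.Ssl2)` condition and its opening brace, which makes the suppressed region hard to see at a glance. The old trailing text explained CS0618; the replacement comment gives the reason for the suppression but not what is being suppressed. I would fold both into one line, for example `// CS0618/CA5397 (obsolete SslProtocols values): Ssl2/Ssl3 are named only to build the warning text, never to enable them`, and move the restore to after the closing brace of the SSL 2.0 branch. The same applies to the GetProtocolWarning hunk that follows. ToFriendlyName starts and ends outside this hunk.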
@@ -790,9 +791,10 @@ private static string ToFriendlyName(this SslProtocols protocol)
 public static string GetProtocolWarning(this SslProtocols protocol)
 {
 string message = string.Empty;
-#pragma warning disable CS0618 // Type or member is obsolete : SSL is depricated
+// SSL 2.0 and 3.0 are only referenced to log a warning, not explicitly used for connections
+#pragma warning disable CS0618, CA5397
 if ((protocol & (SslProtocols.Ssl2 | SslProtocols.Ssl3 | SslProtocols.Tls | SslProtocols.Tls11)) != SslProtocols.None)
-#pragma warning restore CS0618 // Type or member is obsolete : SSL is depricated
+#pragma warning restore CS0618, CA5397
 {
 message = StringsHelper.Format(Strings.SEC_ProtocolWarning, protocol.ToFriendlyName());
 }
diff --git a/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParserStateObjectNative.cs b/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParserStateObjectNative.cs
index 59776956a1..80fd68d5d8 100644
--- a/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParserStateObjectNative.cs
+++ b/src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/TdsParserStateObjectNative.cs
@@ -427,13 +427,14 @@ internal override uint WaitForSSLHandShakeToComplete(out int protocolVersion)
 }
 else if (nativeProtocol.HasFlag(NativeProtocols.SP_PROT_SSL3_CLIENT) || nativeProtocol.HasFlag(NativeProtocols.SP_PROT_SSL3_SERVER))
 {
-#pragma warning disable CS0618 // Type or member is obsolete : SSL is depricated
+// SSL 2.0 and 3.0 are only referenced to log a warning, not explicitly used for connections
+#pragma warning disable CS0618, CA5397
 protocolVersion = (int)SslProtocols.Ssl3;
 }
 else if (nativeProtocol.HasFlag(NativeProtocols.SP_PROT_SSL2_CLIENT) || nativeProtocol.HasFlag(NativeProtocols.SP_PROT_SSL2_SERVER))
 {
 protocolVersion = (int)SslProtocols.Ssl2;
-#pragma warning restore CS0618 // Type or member is obsolete : SSL is depricated
+#pragma warning restore CS0618, CA5397
 }
 else //if (nativeProtocol.HasFlag(NativeProtocols.SP_PROT_NONE))
 {
diff --git a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/VirtualSecureModeEnclaveProviderBase.cs b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/VirtualSecureModeEnclaveProviderBase.cs
index eba8b856a2..030709a6f3 100644
--- a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/VirtualSecureModeEnclaveProviderBase.cs
+++ b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/VirtualSecureModeEnclaveProviderBase.cs
@@ -252,7 +252,13 @@ private bool VerifyHealthReportAgainstRootCertificate(X509Certificate2Collection
 chain.ChainPolicy.ExtraStore.Add(cert);
 }
+ // An Always Encrypted-enabled driver doesn't verify an expiration date or a certificate authority chain.
+ // A certificate is simply used as a key pair consisting of a public and private key. This is by design.
+
+ #pragma warning disable IA5352
+ // CodeQL [SM00395] By design. Always Encrypted certificates should not be checked.
 chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
+ #pragma warning restore IA5352
 if (!chain.Build(healthReportCert))
 {
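Review bot: The comment added in the SSL3 branch of WaitForSSLHandShakeToComplete was copied from the logging helpers and does not describe this code, which assigns `protocolVersion`, the out value reporting what the native handshake negotiated. Whether callers only warn on that value or also refuse the connection is not visible in this hunk, so the "only referenced to log a warning" claim cannot be confirmed here. A comment that matches the code would be `// CS0618/CA5397: Ssl2/Ssl3 are named only to report the protocol the native layer negotiated; this code never requests them`. The disable also opens inside one branch body and the restore closes inside the next, so pairing each pragma around its own assignment would keep the suppressed region obvious. The method starts and ends outside the hunk.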
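Review bot: The justification added above `chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;` says the driver does not verify a certificate authority chain, yet the next statement is `chain.Build(healthReportCert)` against the certificates just added to `ExtraStore`. The chain is therefore verified here and only revocation is skipped. The wording reads like the rationale for Always Encrypted key certificates used purely as key pairs, which, judging by the method name, is not what this health-report check handles. With `NoCheck`, a revoked certificate in that chain would still build successfully, so the suppression should state that trade-off precisely for later audits. I would replace the two-line comment and the CodeQL note with something like `// Revocation is intentionally not checked for the enclave health report chain: <reason revocation data is unavailable or not required>; the chain itself is still built below`. The enclosing method starts and ends outside the hunk.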