From f8b41d878e3d26815e0d277bd222692314595f5f Mon Sep 17 00:00:00 2001
From: Andy Staples
Date: Tue, 5 Aug 2025 12:57:21 -0600
Subject: [PATCH] Address/Suppress various CodeQL items
---
 .../azuremanaged/DurableTaskSchedulerConnectionString.java | 2 +-
 .../java/com/microsoft/durabletask/util/UUIDGenerator.java | 4 +++-
 .../java/io/durabletask/samples/OrchestrationController.java | 4 +++-
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/azuremanaged/src/main/java/com/microsoft/durabletask/azuremanaged/DurableTaskSchedulerConnectionString.java b/azuremanaged/src/main/java/com/microsoft/durabletask/azuremanaged/DurableTaskSchedulerConnectionString.java
index eb2e622c..e8e5696c 100644
--- a/azuremanaged/src/main/java/com/microsoft/durabletask/azuremanaged/DurableTaskSchedulerConnectionString.java
+++ b/azuremanaged/src/main/java/com/microsoft/durabletask/azuremanaged/DurableTaskSchedulerConnectionString.java
@@ -153,7 +153,7 @@ private static Map parseConnectionString(String connectionString
 // Parse the supported auth types in a case-insensitive way
 switch (authType.toLowerCase().trim()) {
 case "defaultazure":
- return new DefaultAzureCredentialBuilder().build();
+ return new DefaultAzureCredentialBuilder().build(); // CodeQL [SM05141] Use DefaultAzureCredential explicitly for local development and is decided by the user
 case "managedidentity":
 return new ManagedIdentityCredentialBuilder().clientId(getClientId()).build();
 case "workloadidentity":
diff --git a/client/src/main/java/com/microsoft/durabletask/util/UUIDGenerator.java b/client/src/main/java/com/microsoft/durabletask/util/UUIDGenerator.java
index af93a5c9..04fe7277 100644
--- a/client/src/main/java/com/microsoft/durabletask/util/UUIDGenerator.java
+++ b/client/src/main/java/com/microsoft/durabletask/util/UUIDGenerator.java
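Review bot: The suppression comment added on the `return new DefaultAzureCredentialBuilder().build();` line is a broken sentence ("Use DefaultAzureCredential explicitly for local development and is decided by the user") and does not state what makes this use acceptable, which is exactly what the next reader of the CodeQL finding will need. Suggest `// CodeQL [SM05141] DefaultAzureCredential is built only when the caller explicitly selects the "defaultazure" auth type (intended for local development); the credential chain is the user's choice, not a default.` It would also help to say, here or in the auth-type documentation, that deployed workloads are expected to use the managed-identity or workload-identity types handled by the other cases of this switch. The enclosing method starts and ends outside the hunk.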
@@ -29,7 +29,9 @@ public static UUID generate(int version, String algorithm, UUID namespace, Strin
 private static MessageDigest hasher(String algorithm) {
 try {
- return MessageDigest.getInstance(algorithm);
+ return MessageDigest.getInstance(algorithm); /* CodeQL [SM05136] Suppressed: SHA1 is not used for cryptographic purposes here. The information being hashed is not sensitive,
+ and the goal is to generate a deterministic Guid. We cannot update to SHA2-based algorithms without breaking
+ customers' inflight orchestrations. */
 } catch (NoSuchAlgorithmException e) {
 throw new RuntimeException(String.format("%s not supported.", algorithm));
 }
diff --git a/samples/src/main/java/io/durabletask/samples/OrchestrationController.java b/samples/src/main/java/io/durabletask/samples/OrchestrationController.java
index 43cc7290..075ae646 100644
--- a/samples/src/main/java/io/durabletask/samples/OrchestrationController.java
+++ b/samples/src/main/java/io/durabletask/samples/OrchestrationController.java
@@ -8,6 +8,8 @@
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.util.HtmlUtils;
+
 @RestController
 public class OrchestrationController {
@@ -19,7 +21,7 @@ public OrchestrationController() {
 @GetMapping("/hello")
 public String greeting(@RequestParam(value = "name", defaultValue = "World") String name) {
- return String.format("Hello, %s!", name);
+ return String.format("Hello, %s!", HtmlUtils.htmlEscape(name));
 }
 @GetMapping("/placeOrder")
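Review bot: The suppression comment is attached to `hasher(String algorithm)`, which is algorithm-agnostic, while its justification is specifically about SHA-1; the algorithm is fixed by whoever calls `generate(int version, String algorithm, ...)` (visible only in the hunk header), so the rationale belongs at that call site, or the comment here should say that only the digest chosen by the caller is being suppressed. The three-line `/* ... */` trailing the `return` inside the `try` also makes the method awkward to read; a one-line suppression on the `return` plus a short Javadoc on `hasher` saying that RFC 4122 defines version-5 name-based UUIDs over SHA-1 and that switching digests would change ids already persisted for in-flight orchestrations would carry the same point more clearly. Separately, the unchanged `catch` below discards the cause; `throw new RuntimeException(String.format("%s not supported.", algorithm), e);` keeps it without changing the exception type callers see. The enclosing class continues outside the hunk.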
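Review bot: `HtmlUtils.htmlEscape(name)` in `greeting` only matters if the response is interpreted as HTML, and for a `@RestController` method returning `String` the response content type is, as far as I know, negotiated from the client's `Accept` header rather than fixed, so the more robust fix is to pin it: `@GetMapping(value = "/hello", produces = MediaType.TEXT_PLAIN_VALUE)` (import `org.springframework.http.MediaType`), after which the body is plain text whatever the client asks for. If the escape is kept, note that the single-argument `htmlEscape` overload escapes relative to ISO-8859-1 as far as I recall, so names outside that range come back as numeric character references; `HtmlUtils.htmlEscape(name, StandardCharsets.UTF_8.name())` (import `java.nio.charset.StandardCharsets`) avoids that. In the import hunk above, the new `HtmlUtils` import is placed after the blank line that closed the import block and followed by a second blank line; it should sit with the other `org.springframework` imports. The `greeting` method is complete within the hunk; the class continues outside it.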