From 3ff46aa455a41d3c76720d710a12c64f49b009e0 Mon Sep 17 00:00:00 2001
From: Jacob Viau
Date: Tue, 17 Dec 2024 11:49:52 -0800
Subject: [PATCH] Suppress unapplicable CodeQL AAD issues
---
 .../Security/Authentication/Jwt/ScriptJwtBearerExtensions.cs | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/WebJobs.Script.WebHost/Security/Authentication/Jwt/ScriptJwtBearerExtensions.cs b/src/WebJobs.Script.WebHost/Security/Authentication/Jwt/ScriptJwtBearerExtensions.cs
index 699e243248..7f8c54d44a 100644
--- a/src/WebJobs.Script.WebHost/Security/Authentication/Jwt/ScriptJwtBearerExtensions.cs
+++ b/src/WebJobs.Script.WebHost/Security/Authentication/Jwt/ScriptJwtBearerExtensions.cs
@@ -135,6 +135,9 @@ private static IEnumerable GetValidAudiences()
 public static TokenValidationParameters CreateTokenValidationParameters()
 {
 var signingKeys = SecretsUtility.GetTokenIssuerSigningKeys();
+
+ // There are two separate CodeQL alerts for the same issue. The double comment on same line is intentional.
+ // CodeQL [SM04555] this handler does not verify AAD tokens. It verifies tokens issued by the platform. // CodeQL [SM04554] this handler does not verify AAD tokens. It verifies tokens issued by the platform.
 var result = new TokenValidationParameters();
 if (signingKeys.Length > 0)
 {
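Review bot: The suppression above `var result = new TokenValidationParameters();` rests on the claim that this handler never sees AAD tokens, but the comment gives a reader nothing to check that claim against. Tying the justification to the visible key source would make it auditable, for example `// Tokens validated here are signed with the platform keys from SecretsUtility.GetTokenIssuerSigningKeys(), not by AAD; revisit this suppression if that changes.` The body of CreateTokenValidationParameters continues past the hunk, so what `result` contains when `signingKeys.Length > 0` is false cannot be seen here. It is worth confirming that this path still rejects tokens, since the suppressed alerts would no longer flag a permissive default. A short mention of what each of the two rule ids checks would also help whoever next audits the suppressions.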