From 92723a20570a34c2fefc94792525a1435374d106 Mon Sep 17 00:00:00 2001
From: Matthew John Cheetham <mjcheetham@outlook.com>
Date: Mon, 16 Jun 2025 11:58:29 +0100
Subject: [PATCH] GitAuthentication.cs: suppress CodeQL alert about cert
 validation

Suppress the CodeQL alert about the code tha respects Git's https.sslVerify
setting. This is a feature of Git that is mirrored in VFS for Git's
behaviour.

Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
---
 GVFS/GVFS.Common/Git/GitAuthentication.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/GVFS/GVFS.Common/Git/GitAuthentication.cs b/GVFS/GVFS.Common/Git/GitAuthentication.cs
index d82053ef5..27796f0e8 100644
--- a/GVFS/GVFS.Common/Git/GitAuthentication.cs
+++ b/GVFS/GVFS.Common/Git/GitAuthentication.cs
@@ -233,7 +233,7 @@ public void ConfigureHttpClientHandlerSslIfNeeded(ITracer tracer, HttpClientHand
             {
                 if (this.GitSsl != null && !this.GitSsl.ShouldVerify)
                 {
-                    httpClientHandler.ServerCertificateCustomValidationCallback =
+                    httpClientHandler.ServerCertificateCustomValidationCallback = // CodeQL [SM02184] TLS verification can be disabled by Git itself, so this is just mirroring a feature already exposed.
                         (httpRequestMessage, c, cetChain, policyErrors) =>
                         {
                             return true;