These are known to be false positives and I've opened an issue in the respective repo, but it has not had any attention so far.
Given we do not want to explain to every person that these flags are false positives, it is easier to just refactor the code a bit:
- The RSA key is now hardcoded to a size of 2048; this is used in tests.
- EC hash algorithms and key sizes were also changed to use explicit lookup functions instead of an indirect dict that referenced types and values in the 3rd-party cose library.
To verify that this was resolved I went through hell and fire of reading the CodeQL docs and running it locally:
1. Create a db from the source files: `~/codeql/codeql database create workspace/codeql-dbs --source-root=pyscitt/pyscitt --db-cluster --language=python --overwrite`
2. Generate a temp token from the GitHub org that has the specific CodeQL queries and set it up in the env vars: `export GITHUB_TOKEN=...`
3. Run the analysis, which will fetch the queries using the above token: `~/codeql/codeql database analyze workspace/codeql-dbs/python/ microsoft-sdl/python-queries --format=sarif-latest --output=python-results.sarif`
4. View the sarif file `python-results.sarif` to see if there are still any issues.
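Step 4 is easier with a small script than by reading the raw JSON. The following is an added example, not code from this PR or the pyscitt project: it flattens a SARIF 2.1.0 document into one record per finding location and counts open findings per rule, so a re-run of the analysis can be checked for "zero open findings" instead of eyeballed. The embedded SARIF document is constructed for the example and is not real CodeQL output.

```python
import json
from collections import Counter
from typing import Dict, List

# Constructed SARIF 2.1.0 document standing in for python-results.sarif (not real CodeQL output).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL"}},
        "results": [
            {"ruleId": "py/weak-crypto-key", "level": "error",
             "message": {"text": "Key size may be too small."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "pyscitt/crypto.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "py/weak-hash", "level": "warning",
             "message": {"text": "Weak hash algorithm."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "pyscitt/crypto.py"},
                 "region": {"startLine": 77}}}],
             # A result the tool itself marks as suppressed, e.g. via an in-source comment.
             "suppressions": [{"kind": "inSource"}]},
        ],
    }],
})


def sarif_findings(sarif_text: str, include_suppressed: bool = False) -> List[Dict[str, object]]:
    """Flatten every run's results into one record per finding location."""
    findings: List[Dict[str, object]] = []
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            if result.get("suppressions") and not include_suppressed:
                continue  # reported by the tool, but not an open finding
            for loc in result.get("locations") or [{}]:
                phys = loc.get("physicalLocation", {})
                findings.append({
                    "rule": result.get("ruleId", "<unknown>"),
                    "level": result.get("level", "warning"),
                    "file": phys.get("artifactLocation", {}).get("uri", "<no file>"),
                    "line": phys.get("region", {}).get("startLine"),
                    "message": result.get("message", {}).get("text", ""),
                })
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Open findings per rule id; this is the count a re-run should drive to zero."""
    return dict(Counter(str(f["rule"]) for f in findings))


if __name__ == "__main__":
    for f in sarif_findings(SAMPLE_SARIF):
        print(f"{f['level']}: {f['file']}:{f['line']} {f['rule']} - {f['message']}")
    print(summarize(sarif_findings(SAMPLE_SARIF)))
```

Against a real run, pass the file contents instead of the sample: `sarif_findings(open("python-results.sarif").read())`.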