Ruby: Noisiness of rb/weak-cryptographic-algorithm / MD5 detection

[SampsonCrowley]

Description of the false positive
https://github.com/github/codeql/blob/a520de3986987baf4c5f846bd82bf68536ae042c/ruby/ql/src/queries/security/cwe-327/BrokenCryptoAlgorithm.ql

This flags every single use of MD5 as a cryptography problem.

MD5 exists for a reason an it's entirely inappropriate to flag any and every usage of it as a cryptographic usage

It is intended to be a lighter weight, simpler algorithm. Using it at all should not be a flag. there are plenty of legitimate use cases that have nothing to do with security

example:

this sorting algorithm has nothing to do with security and absolutely does not need the heavier implementation of an SHA1 hash

[DarrenKipu]

Confirmed - we have extreme noise from this cluttering up every new branch we create.

[turbo]

Hi all 👋,

Thank you for reporting this. We are aware of an increased amount of alerts caused by recent changes to this query, and a currently working on a fix. We realize this may be disruptive to your workflow at this time, so this has a high priority for us.

If you need guidance on dismissing the existing alerts or exclusion logic, please let us know and someone from our team will assist here.

Thanks

[aibaars]

This PR should address the issue #11119