
Suppress SM04191 BinaryFormatter CodeQL Warnings #11385

Merged
harshit7962 merged 1 commit into dotnet:main from harshit7962:user/hmishra/fixBFCodeQL
Jan 23, 2026

@harshit7962 harshit7962 commented Jan 23, 2026

Description

The following changes suppress SM04191: Use of deserialization without Binder.

Justification

This is a known issue. The NRBF deserialization does not support custom data types and is (in the majority of instances) limited to primitive data types. Since BinaryFormatter is now obsolete, at runtime, this should likely throw a PlatformNotSupportedException unless developers explicitly include the unsupported package in their application. This approach ensures backward compatibility, as there is a wide variety of usage around this area and we don't want to break existing applications.

Customer Impact

None

Regression

No

Testing

None

Risk

Low

Copilot AI review requested due to automatic review settings January 23, 2026 08:35
@dotnet-policy-service dotnet-policy-service bot added the PR metadata: Label to tag PRs, to facilitate with triage label Jan 23, 2026
@dipeshmsft dipeshmsft left a comment

LGTM.

Copilot AI left a comment

Pull request overview

This PR adds a CodeQL suppression comment for the SM04191 warning ("Use of deserialization without Binder") on a BinaryFormatter.Deserialize call that serves as a fallback for backward compatibility when NRBF deserialization doesn't support certain data types.

Changes:

  • Added CodeQL suppression comment to line 268 in DataStreams.cs to document and suppress the SM04191 warning for the BinaryFormatter.Deserialize fallback call

@harshit7962 harshit7962 merged commit 06c89e7 into dotnet:main Jan 23, 2026
13 of 14 checks passed