dotnet · ericstj · Feb 29, 2024 · Feb 28, 2024 · Feb 28, 2024 · KalleOlaviNiemitalo
diff --git a/src/libraries/System.Management/src/System/Management/ManagementDateTime.cs b/src/libraries/System.Management/src/System/Management/ManagementDateTime.cs
@@ -193,7 +193,7 @@ public static DateTime ToDateTime(string dmtfDate)
                 throw new ArgumentOutOfRangeException(nameof(dmtfDate));
             }
 
-
+            // codeql[cs/leap-year/unsafe-date-construction-from-two-elements] - DateTime not constructed from multiple elements - it's parsed from a string with defaults that are stable DateTime.MinValue.  It would be intentional to throw if an invalid combination occurred.
             var datetime = new DateTime(year, month, day, hour, minute, second, 0, DateTimeKind.Local);
             // Then add the ticks calculated from the microseconds
             datetime = datetime.AddTicks(ticks);

diff --git a/src/libraries/System.Private.CoreLib/src/System/DateTime.cs b/src/libraries/System.Private.CoreLib/src/System/DateTime.cs
@@ -332,6 +332,7 @@ public DateTime(int year, int month, int day, int hour, int minute, int second)
             else
             {
                 // if we have a leap second, then we adjust it to 59 so that DateTime will consider it the last in the specified minute.
+                // codeql[cs/leap-year/unsafe-date-construction-from-two-elements] - DateTime is constructed using the user specified values, not a combination of different sources.  It would be intentional to throw if an invalid combination occurred.
                 this = new DateTime(year, month, day, hour, minute, 59);
                 ValidateLeapSecond();
             }

diff --git a/src/libraries/System.Private.CoreLib/src/System/Globalization/GregorianCalendarHelper.cs b/src/libraries/System.Private.CoreLib/src/System/Globalization/GregorianCalendarHelper.cs
@@ -35,6 +35,7 @@ internal EraInfo(int era, int startYear, int startMonth, int startDay, int yearO
             this.yearOffset = yearOffset;
             this.minEraYear = minEraYear;
             this.maxEraYear = maxEraYear;
+            // codeql[cs/leap-year/unsafe-date-construction-from-two-elements] - A DateTime object is created using values obtained from the machine configuration.
             this.ticks = new DateTime(startYear, startMonth, startDay).Ticks;
             this.eraName = eraName;
             this.abbrevEraName = abbrevEraName;

diff --git a/src/libraries/System.Private.Xml/src/System/Xml/Schema/XsdDateTime.cs b/src/libraries/System.Private.Xml/src/System/Xml/Schema/XsdDateTime.cs
@@ -396,6 +396,7 @@ public static implicit operator DateTime(XsdDateTime xdt)
             {
                 case DateTimeTypeCode.GMonth:
                 case DateTimeTypeCode.GDay:
+                    // codeql[cs/leap-year/unsafe-date-construction-from-two-elements] - The XML specification does not explicitly define this behavior for parsing in a non-leap year. We intentionally throw here. Altering this behavior to be more resilient, producing dates like 2/28 or 3/1, could introduce unintended consequences and may not be desirable for user.
                     result = new DateTime(DateTime.Now.Year, xdt.Month, xdt.Day);
 year = leapYear; 
 day = firstDay; 
 typeCode = DateTimeTypeCode.GMonth; 
 return true; 
 year = leapYear; 
 month = firstMonth; 
 typeCode = DateTimeTypeCode.GDay; 
 return true; 
 year = leapYear; 
 day = firstDay; 
 typeCode = DateTimeTypeCode.GMonth; 
 return true; 
 year = leapYear; 
 month = firstMonth; 
 typeCode = DateTimeTypeCode.GDay; 
 return true; 
                     break;
                 case DateTimeTypeCode.Time: