Ruby: weak crypto: do not report weak hash algorithms

Weak hash algorithms such as MD5 and SHA1 are often
used in non security sensitive contexts and reporting
all uses is far too noisy.

ruby/ql/src/queries/security/cwe-327/BrokenCryptoAlgorithm.ql

@@ -15,8 +15,12 @@ import codeql.ruby.Concepts
 
 from Cryptography::CryptographicOperation operation, string msgPrefix
 where
-  operation.getAlgorithm().isWeak() and
-  msgPrefix = "The cryptographic algorithm " + operation.getAlgorithm().getName()
+  exists(Cryptography::CryptographicAlgorithm algorithm |
+    algorithm = operation.getAlgorithm() and
+    algorithm.isWeak() and
+    msgPrefix = "The cryptographic algorithm " + algorithm.getName() and
+    not algorithm instanceof Cryptography::HashingAlgorithm
+  )
   or
   operation.getBlockMode().isWeak() and msgPrefix = "The block mode " + operation.getBlockMode()
 select operation, msgPrefix + " is broken or weak, and should not be used."