Status: Closed
Labels: question (Further information is requested)

Description
Description of the false positive
https://github.com/github/codeql/blob/a520de3986987baf4c5f846bd82bf68536ae042c/ruby/ql/src/queries/security/cwe-327/BrokenCryptoAlgorithm.ql
This flags every single use of MD5 as a cryptography problem.
MD5 exists for a reason, and it's entirely inappropriate to flag any and every usage of it as a cryptographic usage.
It is intended to be a lighter-weight, simpler algorithm. Using it at all should not be a flag. There are plenty of legitimate use cases that have nothing to do with security.
Example:
This sorting algorithm has nothing to do with security and absolutely does not need the heavier implementation of an SHA1 hash.
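The distinction the report draws, as an added example in Ruby that is not code from the issue or from the CodeQL project: two uses of `Digest::MD5` where only determinism matters (a seeded ordering and shard selection) next to one use where collision resistance is the whole point (artifact integrity), which is where a stronger hash belongs. The item list, shard count and artifact bytes are constructed for the example.

```ruby
require 'digest'

# Constructed sample data for this example (not from the issue).
ITEMS = %w[apple banana cherry date elderberry fig].freeze
SHARD_COUNT = 4

# Non-security use 1: a deterministic, seed-dependent ordering of items.
# Only stability across runs matters; nobody gains anything from forcing an
# MD5 collision here, so MD5's broken collision resistance is irrelevant.
def seeded_order(items, seed)
  items.sort_by { |item| Digest::MD5.hexdigest("#{seed}:#{item}") }
end

# Non-security use 2: consistent assignment of keys to shards.
# Same argument: the hash is a stable mixing function, not a security control.
def shard_for(key, shard_count = SHARD_COUNT)
  Digest::MD5.hexdigest(key.to_s)[0, 8].to_i(16) % shard_count
end

# Security-relevant use: verifying that fetched bytes match a published digest.
# Here second-preimage and collision resistance are exactly what the check
# relies on, so the hash must be one that still has them: SHA-256, not MD5.
def artifact_matches?(bytes, expected_sha256_hex)
  Digest::SHA256.hexdigest(bytes) == expected_sha256_hex
end

if __FILE__ == $PROGRAM_NAME
  puts "seeded order:      #{seeded_order(ITEMS, 'run-1').inspect}"
  puts "shard for user:42: #{shard_for('user:42')}"
  published = Digest::SHA256.hexdigest('release.tar.gz contents')
  puts "artifact ok?       #{artifact_matches?('release.tar.gz contents', published)}"
  puts "tampered ok?       #{artifact_matches?('release.tar.gz tampered', published)}"
end
```

The question that separates the first two functions from the third is whether the hashed data crosses a trust boundary, that is, whether anyone benefits from producing a collision or a second preimage. A query that reports every `Digest::MD5` call cannot see that intent, so each finding still needs that triage step by a reviewer.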