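# This file configures CodeQL runs and TSA bug autofiling. For more information, see:
# https://eng.ms/docs/coreai/devdiv/one-engineering-system-1es/1es-docs/codeql/troubleshooting/bugs/generated-library-code
# (Access restricted to Microsoft employees only.)

# Path classifiers tag files by category; the categories below are used to keep
# non-shipping and build-generated sources out of the analysis results.
path_classifiers:
  refs:
    # The ref/ directories don't contain shipping implementations of code, so they should
    # be excluded from analysis. If there is a problem at the API layer, the analysis
    # engine will detect the problem in the src/ implementations anyway.
    - src/libraries/**/ref/*
  cmake_internal:
    # Exclude artifacts/obj/**/CMakeFiles/**/CheckFunctionExists.c since CMake
    # generates random directory names, causing creation of duplicate issues
    # related to the obsolete encryption algorithm used there. Note that CheckFunctionExists
    # files are generated as part of build-time checks in CMake and are not compiled
    # or linked into any product binaries.
    - artifacts/obj/**/CMakeFiles/**/CheckFunctionExists.c

queries:
  #
  # REPO-WIDE RULE EXCLUSIONS
  #
  # These exclusions are not scoped to the path classifiers above: they suppress the
  # listed query ids for every file in the repository. Coverage for the suppressed
  # rules therefore comes from the other CodeQL + Roslyn rules mentioned below.
  #
  - exclude:
      queryid:
        # [Serializable] doesn't imply that a type is *safe* to [de]serialize; only that it is
        # *possible* to do so. The rules below incorrectly assume we're trying to make a safety
        # guarantee.
        - "cs/dangerous-deserialization-routine"
        - "cs/deserialization-of-pointer-type"
        # We already have CodeQL + Roslyn rules running to detect usage of dangerous deserialization
        # APIs. Those call sites are well-reviewed and don't benefit from extra alerts regarding
        # the possibility of loading malicious code.
        - "cs/deserialization-unexpected-subtypes"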