From c47dc991cb090d92137e34db2c67f422ad90eab8 Mon Sep 17 00:00:00 2001 From: SteveGilvarry Date: Thu, 18 Jun 2026 07:42:41 +1000 Subject: [PATCH] ci: exclude vendored third-party JavaScript from CodeQL analysis CodeQL's open alerts are dominated by findings inside bundled third-party libraries (jQuery UI, Bootstrap 4, bootstrap-table, the jQuery UI timepicker addon, hls.js). These flag coding patterns internal to those libraries -- js/unsafe-jquery-plugin, js/insecure-randomness, etc. -- that are not ZoneMinder bugs and cannot be fixed without forking the dependencies. They drown out findings in ZoneMinder-authored code. Add the vendored library directories/files to paths-ignore in the CodeQL config. ZoneMinder-authored files in these trees (skin.js, MonitorStream.js, views/js/*.js, ...) are not listed and remain analysed. moment.js is intentionally left out: it is scheduled for removal once its remaining call sites migrate to luxon, so its alert will be resolved by deletion rather than suppression. Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/codeql/codeql-config.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
index 603000225..af454b75d 100644
--- a/.github/codeql/codeql-config.yml
+++ b/.github/codeql/codeql-config.yml
@@ -1,2 +1,12 @@
 paths-ignore:
 - dep/
+ # Vendored third-party JavaScript that ZoneMinder ships but does not
+ # maintain. CodeQL flags coding patterns internal to these libraries
+ # (unsafe-jquery-plugin, insecure-randomness, etc.) that are not ZoneMinder
+ # bugs and cannot be fixed here. ZM-authored files in these trees (skin.js,
+ # MonitorStream.js, views/js/*.js, ...) are NOT listed and remain analysed.
+ - web/skins/classic/assets/
+ - web/skins/classic/js/jquery-ui-1.13.2/
+ - web/skins/classic/js/dateTimePicker/
+ - web/skins/classic/js/bootstrap-4.5.0.js
+ - web/js/hls-1.6.13/
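Review bot: The version-pinned entries `web/skins/classic/js/jquery-ui-1.13.2/`, `web/skins/classic/js/bootstrap-4.5.0.js` and `web/js/hls-1.6.13/` will silently stop matching the next time one of those libraries is upgraded and its directory or file is renamed, bringing the noise back with no signal that the exclusion lapsed. Since paths-ignore accepts glob patterns, `- web/skins/classic/js/jquery-ui-*/`, `- web/skins/classic/js/bootstrap-*.js` and `- web/js/hls-*/` would survive upgrades. Note also that paths-ignore removes these trees from analysis entirely, not just the pattern alerts named in the comment, so a genuine vulnerability in a bundled library will no longer surface here; a comment such as `# Excluded code is not scanned at all: track these library versions through dependency review.` would make that trade-off explicit to the next maintainer. The `web/skins/classic/assets/` entry covers a whole tree rather than a named library, so any ZoneMinder-authored script that lives there or is added later would be excluded despite the comment's claim; worth confirming that directory holds only vendored code.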