ci: exclude vendored third-party JavaScript from CodeQL analysis

CodeQL's open alerts are dominated by findings inside bundled third-party libraries (jQuery UI, Bootstrap 4, bootstrap-table, the jQuery UI timepicker addon, hls.js). These flag coding patterns internal to those libraries -- js/unsafe-jquery-plugin, js/insecure-randomness, etc. -- that are not ZoneMinder bugs and cannot be fixed without forking the dependencies. They drown out findings in ZoneMinder-authored code. Add the vendored library directories/files to paths-ignore in the CodeQL config. ZoneMinder-authored files in these trees (skin.js, MonitorStream.js, views/js/*.js, ...) are not listed and remain analysed. moment.js is intentionally left out: it is scheduled for removal once its remaining call sites migrate to luxon, so its alert will be resolved by deletion rather than suppression. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-23 04:59:37 -04:00 · 2026-06-18 07:42:41 +10:00
parent ee29134bb3
commit c47dc991cb
1 changed files with 10 additions and 0 deletions
--- a/.github/codeql/codeql-config.yml
+++ b/.github/codeql/codeql-config.yml
@@ -1,2 +1,12 @@
 paths-ignore:
  - dep/
+  # Vendored third-party JavaScript that ZoneMinder ships but does not
+  # maintain. CodeQL flags coding patterns internal to these libraries
+  # (unsafe-jquery-plugin, insecure-randomness, etc.) that are not ZoneMinder
+  # bugs and cannot be fixed here. ZM-authored files in these trees (skin.js,
+  # MonitorStream.js, views/js/*.js, ...) are NOT listed and remain analysed.
+  - web/skins/classic/assets/
+  - web/skins/classic/js/jquery-ui-1.13.2/
+  - web/skins/classic/js/dateTimePicker/
+  - web/skins/classic/js/bootstrap-4.5.0.js
+  - web/js/hls-1.6.13/