mirror of
https://github.com/ZoneMinder/zoneminder.git
synced 2026-06-23 04:59:37 -04:00
c47dc991cb
CodeQL's open alerts are dominated by findings inside bundled third-party libraries (jQuery UI, Bootstrap 4, bootstrap-table, the jQuery UI timepicker addon, hls.js). These flag coding patterns internal to those libraries -- js/unsafe-jquery-plugin, js/insecure-randomness, etc. -- that are not ZoneMinder bugs and cannot be fixed without forking the dependencies. They drown out findings in ZoneMinder-authored code. Add the vendored library directories/files to paths-ignore in the CodeQL config. ZoneMinder-authored files in these trees (skin.js, MonitorStream.js, views/js/*.js, ...) are not listed and remain analysed. moment.js is intentionally left out: it is scheduled for removal once its remaining call sites migrate to luxon, so its alert will be resolved by deletion rather than suppression. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
13 lines
580 B
YAML
13 lines
580 B
YAML
paths-ignore:
|
|
- dep/
|
|
# Vendored third-party JavaScript that ZoneMinder ships but does not
|
|
# maintain. CodeQL flags coding patterns internal to these libraries
|
|
# (unsafe-jquery-plugin, insecure-randomness, etc.) that are not ZoneMinder
|
|
# bugs and cannot be fixed here. ZM-authored files in these trees (skin.js,
|
|
# MonitorStream.js, views/js/*.js, ...) are NOT listed and remain analysed.
|
|
- web/skins/classic/assets/
|
|
- web/skins/classic/js/jquery-ui-1.13.2/
|
|
- web/skins/classic/js/dateTimePicker/
|
|
- web/skins/classic/js/bootstrap-4.5.0.js
|
|
- web/js/hls-1.6.13/
|