mirror of
https://github.com/ZoneMinder/zoneminder.git
synced 2026-06-23 04:59:37 -04:00
CodeQL's open alerts are dominated by findings inside bundled third-party libraries (jQuery UI, Bootstrap 4, bootstrap-table, the jQuery UI timepicker addon, hls.js). These flag coding patterns internal to those libraries -- js/unsafe-jquery-plugin, js/insecure-randomness, etc. -- that are not ZoneMinder bugs and cannot be fixed without forking the dependencies. They drown out findings in ZoneMinder-authored code.

Add the vendored library directories/files to paths-ignore in the CodeQL config. ZoneMinder-authored files in these trees (skin.js, MonitorStream.js, views/js/*.js, ...) are not listed and remain analysed.

moment.js is intentionally left out: it is scheduled for removal once its remaining call sites migrate to luxon, so its alert will be resolved by deletion rather than suppression.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
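A check for the paths-ignore approach the commit message describes, added here as an example and not part of the ZoneMinder repository or its CodeQL config: it approximates CodeQL's glob matching over a constructed file list (the `third_party/` and `skins/` directories are placeholders, not the project's real layout) and reports any first-party file that an overly broad ignore pattern would silently drop from analysis.

```python
import re

# Constructed paths-ignore list; directory names are placeholders, not ZoneMinder's layout.
PATHS_IGNORE = [
    "third_party/jquery-ui/**",
    "third_party/bootstrap4/**",
    "third_party/bootstrap-table/**",
    "third_party/jquery-ui-timepicker-addon.js",
    "third_party/hls.js/**",
]

# Constructed file list mixing vendored libraries with first-party files.
REPO_FILES = [
    "third_party/jquery-ui/jquery-ui.min.js",
    "third_party/bootstrap4/js/bootstrap.bundle.js",
    "third_party/jquery-ui-timepicker-addon.js",
    "third_party/hls.js/dist/hls.js",
    "third_party/moment/moment.js",  # deliberately left analysed, per the commit message
    "skins/classic/js/skin.js",
    "skins/classic/js/MonitorStream.js",
    "skins/classic/views/js/montage.js",
]


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Approximate CodeQL paths-ignore globbing: '**' spans directories, '*' and
    '?' stay within one path segment, and a directory pattern matches its subtree."""
    repl = {"**/": "(?:.*/)?", "**": ".*", "*": "[^/]*", "?": "[^/]"}
    tokens = re.findall(r"\*\*/|\*\*|\*|\?|[^*?]+", pattern)
    body = "".join(repl.get(t, re.escape(t)) for t in tokens)
    return re.compile("^" + body + "(?:/.*)?$")


def is_ignored(path: str, patterns=PATHS_IGNORE) -> bool:
    return any(glob_to_regex(p).match(path) for p in patterns)


def partition(files, patterns=PATHS_IGNORE):
    """Split files into (still analysed, excluded by paths-ignore)."""
    ignored = [f for f in files if is_ignored(f, patterns)]
    return [f for f in files if f not in ignored], ignored


def overbroad(first_party, patterns):
    """First-party files that a pattern set would exclude from CodeQL analysis."""
    return [f for f in first_party if is_ignored(f, patterns)]
```

Run `overbroad` against the list of first-party files whenever the ignore list changes; a non-empty result means a pattern is hiding ZoneMinder-authored code rather than just vendored libraries.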
580 B