-
Notifications
You must be signed in to change notification settings - Fork 5.4k
Expand file tree
/
Copy path.CodeQL.yml
More file actions
57 lines (55 loc) · 2.79 KB
/
.CodeQL.yml
File metadata and controls
57 lines (55 loc) · 2.79 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
# This file configures CodeQL runs and TSA bug autofiling. For more information, see:
# https://eng.ms/docs/coreai/devdiv/one-engineering-system-1es/1es-docs/codeql/troubleshooting/bugs/generated-library-code
# (Access restricted to Microsoft employees only.)
path_classifiers:
refs:
# The ref/ directories don't contain shipping implementations of code, so they should
# be excluded from analysis. If there is a problem at the API layer, the analysis
# engine will detect the problem in the src/ implementations anyway.
- src/libraries/**/ref/*
cmake_internal:
# exclude artifacts/obj/**/CMakeFiles/**/CheckFunctionExists.c since CMake
# generates random directory names causing creation of duplicate issues
# related to obsolete encryption algorithm used. Note that CheckFuntionExists
# files are generated as part of build-time checks in CMake and are not compiled
# or linked into any product binaries.
- artifacts/obj/**/CMakeFiles/**/CheckFunctionExists.c
queries:
#
# REPO-WIDE RULE EXCLUSIONS
#
- exclude:
queryid:
# [Serializable] doesn't imply that a type is *safe* to [de]serialize; only that it is
# *possible* to do so. The rules below incorrectly assume we're trying to make a safety
# guarantee.
- "cs/dangerous-deserialization-routine"
- "cs/deserialization-of-pointer-type"
# We already have CodeQL + Roslyn rules running to detect usage of dangerous deserialization
# APIs. Those call sites are well-reviewed and don't benefit from extra alerts regarding
# the possibility of loading malicious code.
- "cs/deserialization-unexpected-subtypes"
#
# Don't warn about usage of non-compliant crypto within our own implementations or interop code,
# since the rule would noisily try to warn us about *ourselves*. These exclusions are scoped
# to just the crypto code itself. We still want alerts when consumers of crypto (even within this
# repo) try to use non-compliant primitives; those call sites must be manually inspected
# and suppressed if appropriate.
#
- exclude:
queryid:
- "cs/ecb-encryption"
- "cs/encryption-with-vulnerable-cipher-mode"
- "cs/weak-symmetric-algorithm"
- "cs/obsolete-password-key-derivation"
- "cs/cryptography/unapproved-usage-of-dsa"
- "cs/weak-crypto"
- "cs/weak-hmacs"
- "java/weak-crypto-algorithm-or-hash"
path:
- "src/libraries/Common/src/Interop/Windows/BCrypt/**"
- "src/libraries/Common/src/System/Security/Cryptography/**"
- "src/libraries/Microsoft.Bcl.Cryptography/**"
- "src/libraries/System.Security.Cryptography/**"
- "src/libraries/System.Security.Cryptography.*/**"
- "src/native/libs/System.Security.Cryptography.*/**"