From fffea0913cc71c44b962bccc0f68fbf120b5da6a Mon Sep 17 00:00:00 2001
From: Levi Broderick
Date: Sat, 28 Feb 2026 13:05:18 -0800
Subject: [PATCH] Suppress serialization rules from analysis repo-wide

---
 .CodeQL.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 .CodeQL.yml

diff --git a/.CodeQL.yml b/.CodeQL.yml
new file mode 100644
index 00000000000..b76a68f6f0b
--- /dev/null
+++ b/.CodeQL.yml
@@ -0,0 +1,19 @@
+# This file configures CodeQL runs and TSA bug autofiling. For more information, see:
+# https://eng.ms/docs/coreai/devdiv/one-engineering-system-1es/1es-docs/codeql/troubleshooting/bugs/generated-library-code
+# (Access restricted to Microsoft employees only.)
+
+queries:
+ #
+ # REPO-WIDE RULE EXCLUSIONS
+ #
+ - exclude:
+ queryid:
+ # [Serializable] doesn't imply that a type is *safe* to [de]serialize; only that it is
+ # *possible* to do so. The rules below incorrectly assume we're trying to make a safety
+ # guarantee.
+ - "cs/dangerous-deserialization-routine"
+ - "cs/deserialization-of-pointer-type"
+ # We already have CodeQL + Roslyn rules running to detect usage of dangerous deserialization
+ # APIs. Those call sites are well-reviewed and don't benefit from extra alerts regarding
+ # the possibility of loading malicious code.
+ - "cs/deserialization-unexpected-subtypes"
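Review bot: The repo-wide exclusion of `cs/deserialization-unexpected-subtypes` is justified by the comment's statement that the existing call sites are well-reviewed, but the exclusion also silences the alert for any deserialization call site added after this commit, which that review does not cover. If the Roslyn rule named in the comment is the control that catches new usages, the comment should say so explicitly so the next reader does not have to rediscover it, e.g. `# New call sites are still flagged by the Roslyn analyzer (<ROSLYN_RULE_ID>), so this CodeQL query is redundant rather than unreviewed.`; if no such control exists, a path-scoped exclusion limited to the reviewed files would be the safer shape. The first two excluded queries carry a sound rationale in their comment, but the same "what catches new instances" question applies to them. The indentation of the `exclude`/`queryid` nesting is not recoverable from this copy of the patch, so it should be confirmed against the committed file, and a leading `---` document marker would match common YAML lint expectations.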