Semgrep rule IDs follow the pattern <pack>.<rule>. The pack name is csharp.lang.security.sqli.csharp-sqli and the rule inside it is also called csharp-sqli, so the full ID needs the trailing .csharp-sqli again. Without it the exclude flag silently filters a different subset of rules and the actual rule still runs.
@@ -17,5 +17,5 @@ jobs:
# local-only inside a Dalamud plugin. Semgrep matches the pattern
# without dataflow, so it flags those eight call sites; CodeQL
# would not. Suppressed for this repo only.
semgrep-exclude-rules: 'csharp.lang.security.sqli.csharp-sqli'
semgrep-exclude-rules: 'csharp.lang.security.sqli.csharp-sqli.csharp-sqli'
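Review bot: the corrected value `'csharp.lang.security.sqli.csharp-sqli.csharp-sqli'` on the changed line looks like an accidental duplication to anyone reading the workflow without the commit message, so the explanation from the commit message (pack `csharp.lang.security.sqli.csharp-sqli` plus rule `csharp-sqli`, giving the repeated final segment) belongs in the comment block above it, otherwise the next maintainer is likely to "fix" it back to the shorter ID, which the commit message says silently excludes nothing while the rule keeps firing. Two smaller points on the same comment block: the count "those eight call sites" will drift as the plugin changes, so either drop the number or point at the file(s) concerned; and since the exclusion applies to every file the workflow scans, not only the eight known local-only sites, consider whether per-site `# nosemgrep` annotations would keep the rule active for any new SQL-building code added later, reserving the workflow-level exclusion for the case where that is not practical.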