Semgrep rule IDs follow the pattern <pack>.<rule>. The pack name is csharp.lang.security.sqli.csharp-sqli and the rule inside it is also called csharp-sqli, so the full ID needs the trailing .csharp-sqli again. Without it the exclude flag silently filters a different subset of rules and the actual rule still runs.
This commit is contained in:
@@ -17,5 +17,5 @@ jobs:
|
|||||||
# local-only inside a Dalamud plugin. Semgrep matches the pattern
|
# local-only inside a Dalamud plugin. Semgrep matches the pattern
|
||||||
# without dataflow, so it flags those eight call sites; CodeQL
|
# without dataflow, so it flags those eight call sites; CodeQL
|
||||||
# would not. Suppressed for this repo only.
|
# would not. Suppressed for this repo only.
|
||||||
semgrep-exclude-rules: 'csharp.lang.security.sqli.csharp-sqli'
|
semgrep-exclude-rules: 'csharp.lang.security.sqli.csharp-sqli.csharp-sqli'
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user