Add CodeQL query exclusions for dangerous deserialization rules by GrabYourPitchforks · Pull Request #125016 · dotnet/runtime

GrabYourPitchforks · 2026-02-28T21:01:09Z

For the dotnet/runtime repo, this should silence around 470 alerts from our internal work item database once it's fully ingested by TSA.

Copilot

Pull request overview

This PR adds CodeQL query exclusions to the .CodeQL.yml configuration file for the dotnet/runtime repository, mirroring a similar change made in dotnet/winforms#14240. The goal is to suppress approximately 470 false-positive alerts from three dangerous-deserialization CodeQL rules that do not accurately reflect the security posture of this codebase (where [Serializable] expresses capability, not a safety guarantee, and call sites are already reviewed by other tooling).

Changes:

Updated an internal documentation URL in the header comment to reflect a path restructure (cloud-ai-platform → coreai).
Added a queries section with repo-wide exclusions for three CodeQL C# deserialization alert rules.

.CodeQL.yml

Copilot

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

GrabYourPitchforks added 2 commits February 28, 2026 12:57

Add query exclusions for dangerous deserialization rules

92ead33

Update header

d46eec4

Copilot AI review requested due to automatic review settings February 28, 2026 21:01

github-actions bot added the area-CodeGen-coreclr CLR JIT compiler in src/coreclr/src/jit and related components such as SuperPMI label Feb 28, 2026

dotnet-policy-service bot assigned GrabYourPitchforks Feb 28, 2026

GrabYourPitchforks added area-Meta and removed area-CodeGen-coreclr CLR JIT compiler in src/coreclr/src/jit and related components such as SuperPMI labels Feb 28, 2026

Copilot started reviewing on behalf of GrabYourPitchforks February 28, 2026 21:02 View session

Copilot AI reviewed Feb 28, 2026

View reviewed changes

.CodeQL.yml Show resolved Hide resolved

Add whitespace to improve readability

3283972

This was referenced Mar 1, 2026

[mono] The type initializer for System.Drawing.DrawingCom threw an exception: Operation is not supported on this platform #110150

Open

[android][clr] No peer certificates when executing System.Net.Http.Functional.Tests on Android emulator #124526

Open

Merge branch 'main' into levib/codeql-deserialization-exclusions

4907c5e

Copilot AI review requested due to automatic review settings March 1, 2026 00:35

Copilot started reviewing on behalf of jkotas March 1, 2026 00:36 View session

jkotas approved these changes Mar 1, 2026

View reviewed changes

Copilot AI reviewed Mar 1, 2026

View reviewed changes

GrabYourPitchforks enabled auto-merge (squash) March 2, 2026 19:08

Merge branch 'main' into levib/codeql-deserialization-exclusions

c581a41

GrabYourPitchforks merged commit fc40302 into main Mar 5, 2026
156 checks passed

GrabYourPitchforks deleted the levib/codeql-deserialization-exclusions branch March 5, 2026 00:46

dotnet-maestro bot mentioned this pull request Mar 5, 2026

[main] Source code updates from dotnet/runtime dotnet/dotnet#5245

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add CodeQL query exclusions for dangerous deserialization rules#125016

Add CodeQL query exclusions for dangerous deserialization rules#125016
GrabYourPitchforks merged 5 commits intomainfrom
levib/codeql-deserialization-exclusions

GrabYourPitchforks commented Feb 28, 2026

Uh oh!

Copilot AI left a comment

Uh oh!

Uh oh!

Copilot AI left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

GrabYourPitchforks commented Feb 28, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants