madrob commented on PR #1721: URL: https://github.com/apache/solr/pull/1721#issuecomment-1612347461

@jorgectf Thanks for starting us on this! I took a brief look at the scan output and noticed some things that I'd like to make sure we're able to do before moving forward on the PR. I tried to look for answers in the docs, but didn't see how to make the appropriate configurations, so I'm coming back to you.

1. We need to be able to exclude certain paths. For example, I don't think we're interested in the javascript scan results for `solr/webapp/web/libs/*` as that is all third party code that we don't intend to change.

2. Is there a way to mark certain methods as returning sanitized inputs? There are some very long taint analysis chains provided by CodeQL which is awesome, but some of them seem to miss that a value becomes safe at some point.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
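The two configuration questions raised in the comment above map onto two different CodeQL mechanisms, shown here as an added illustration that is not part of the PR or of the Solr project's code. Path exclusion is done in the config file passed to `github/codeql-action/init` via `config-file:`, using a `paths-ignore:` entry such as `solr/webapp/web/libs/**`. Marking a method as a sanitizer cannot be done from that YAML file; it requires a custom query in which the taint-tracking configuration declares the method's result as a barrier. The query below uses the module-based `DataFlow::ConfigSig` API (older CodeQL releases express the same idea with a `TaintTracking::Configuration` subclass overriding `isSanitizer`); the sanitizer class `org.example.hypothetical.Escaper` and its `escape` method are placeholders, and `java.nio.file.Paths.get` is used as the sink only to make the example concrete.

```ql
/**
 * @name Remote input reaches Paths.get without passing a known sanitizer
 * @kind path-problem
 * @id example/hypothetical-sanitizer-demo
 */
import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.FlowSources

module HypotheticalConfig implements DataFlow::ConfigSig {
  // Anything CodeQL already models as remote user input (HTTP params, headers, ...)
  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  // First argument of java.nio.file.Paths.get(...) as an illustrative sink
  predicate isSink(DataFlow::Node sink) {
    exists(MethodAccess ma |
      ma.getMethod().hasQualifiedName("java.nio.file", "Paths", "get") and
      sink.asExpr() = ma.getArgument(0)
    )
  }

  // The return value of Escaper.escape(...) (placeholder class) is treated as clean:
  // taint stops here, so chains that pass through it are no longer reported.
  predicate isBarrier(DataFlow::Node node) {
    exists(MethodAccess ma |
      ma.getMethod().hasQualifiedName("org.example.hypothetical", "Escaper", "escape") and
      node.asExpr() = ma
    )
  }
}

module HypotheticalFlow = TaintTracking::Global<HypotheticalConfig>;
import HypotheticalFlow::PathGraph

from HypotheticalFlow::PathNode source, HypotheticalFlow::PathNode sink
where HypotheticalFlow::flowPath(source, sink)
select sink.getNode(), source, sink,
  "Remote input reaches Paths.get without passing Escaper.escape."
```

A barrier only suppresses flow through the exact node it matches, so review that the sanitizing method really neutralises the value for every sink it is meant to cover before adding it; a too-broad barrier silently hides true positives, which is worse than the long chains the comment describes.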