From ec7f1f43fa48e73d2ec972fa4cf6f5646102f82a Mon Sep 17 00:00:00 2001
From: Travis Plunk
Date: Wed, 8 Apr 2026 14:08:15 -0400
Subject: [PATCH 1/2] Exclude .vscode-test/** from OneBranch SDL/CodeQL scans
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The @vscode/test-electron package downloads VS Code Insiders binaries into .vscode-test/ at test time for extension integration tests. This directory is already in .gitignore but is present on disk when the OneBranch async SDL scanner runs after 'Invoke-Build Test'.

The CodeQL SM04514 'Weak hashes' alert (S360/ADO #35101062) fires against VS Code's own cliProcessMain.js inside this directory — code that the PowerShell team has no ownership of or ability to fix.

Adding ob_sdl_codeql_pathsToExclude prevents future false-positive alerts from third-party VS Code binary artifacts.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .pipelines/vscode-powershell-OneBranch.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.pipelines/vscode-powershell-OneBranch.yml b/.pipelines/vscode-powershell-OneBranch.yml
index 928baa0136..638fa3453c 100644
--- a/.pipelines/vscode-powershell-OneBranch.yml
+++ b/.pipelines/vscode-powershell-OneBranch.yml
@@ -70,6 +70,10 @@ extends:
 variables:
 ob_outputDirectory: $(Build.SourcesDirectory)/out
 ob_sdl_codeSignValidation_excludes: -|**\*.js # Node.js JavaScript signatures are not supported
+ # Exclude downloaded VS Code test binaries from CodeQL scans (S360/ADO #35101062).
+ # .vscode-test/ is populated at test-time by @vscode/test-electron with VS Code
+ # Insiders binaries; it is already .gitignore'd but is present during SDL scans.
+ ob_sdl_codeql_pathsToExclude: .vscode-test/**
 steps:
 - pwsh: |
 $version = (Get-Content -Raw -Path package.json | ConvertFrom-Json).version

From c1deefc5a70f12f5015986cbf72f4ac4c8858ef7 Mon Sep 17 00:00:00 2001
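Review bot: `ob_sdl_codeql_pathsToExclude: .vscode-test/**` removes CodeQL coverage for anything that ends up under that directory, not only the VS Code Insiders binaries the commit message describes, so the exclusion is broader than the single SM04514 finding it is meant to silence. Since the message says the directory exists only because the test step populates it before the SDL scanner runs, deleting or relocating the downloaded binaries after 'Invoke-Build Test' would keep first-party code fully scanned without a standing exclusion; if the exclusion is kept, confirm in the pipeline's CodeQL output that the filter is honoured, because the neighbouring `ob_sdl_codeSignValidation_excludes` value uses a backslash pattern (`**\*.js`) while the new one uses forward slashes, and a pattern the scanner does not match would be a silent no-op. The value is a plain YAML scalar containing `*`; it parses as a string here only because `*` is not its first character, so writing it as `ob_sdl_codeql_pathsToExclude: '.vscode-test/**'` makes that intent explicit and robust to later edits.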
From: Travis Plunk
Date: Wed, 8 Apr 2026 14:10:54 -0400
Subject: [PATCH 2/2] Update comment for CodeQL scan exclusions

Clarified comment regarding exclusion of VS Code test binaries from CodeQL scans.
---
 .pipelines/vscode-powershell-OneBranch.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.pipelines/vscode-powershell-OneBranch.yml b/.pipelines/vscode-powershell-OneBranch.yml
index 638fa3453c..3bcc6787d0 100644
--- a/.pipelines/vscode-powershell-OneBranch.yml
+++ b/.pipelines/vscode-powershell-OneBranch.yml
@@ -70,7 +70,7 @@ extends:
 variables:
 ob_outputDirectory: $(Build.SourcesDirectory)/out
 ob_sdl_codeSignValidation_excludes: -|**\*.js # Node.js JavaScript signatures are not supported
- # Exclude downloaded VS Code test binaries from CodeQL scans (S360/ADO #35101062).
+ # Exclude downloaded VS Code test binaries from CodeQL scans.
 # .vscode-test/ is populated at test-time by @vscode/test-electron with VS Code
 # Insiders binaries; it is already .gitignore'd but is present during SDL scans.
 ob_sdl_codeql_pathsToExclude: .vscode-test/**