False positive for Ruby ReDos, without version check

[corsonknowles]

Description of the false positive

ReDos Regex alert incorrectly flags on Ruby versions > 3.2

The docs acknowledge this, but scanning is not checking versions.
https://codeql.github.com/codeql-query-help/ruby/rb-redos/

Ruby 3.2 is EOL in March.

See investigation PR of fix for false positive:

• [SECURITY] Address CodeQL regex alert dependabot/dependabot-core#14012

CodeQL source:
https://github.com/github/codeql/blob/main/ruby/ql/src/queries/security/cwe-1333/ReDoS.ql
https://github.com/github/codeql/blob/main/ruby/ql/src/queries/security/cwe-1333/PolynomialReDoS.ql

URL to the alert on GitHub code scanning (optional)
https://github.com/dependabot/dependabot-core/runs/61390123956

[hvitved]

Thank you for your report. Unfortunately, our Ruby analysis does not have the relevant information to determine which runtime is used, so we cannot filter alerts based on version.