Exclude java/spring-disabled-csrf-protection rule

Author: z-sztrom

.github/workflows/codeql.yml

@@ -20,6 +20,15 @@ on:
   schedule:
     - cron: '28 3 * * 1'
 
+query-filters:
+  # The application uses non-browser clients. Yes, there is swagger interface,
+  # but is's used only for testing/tuning.
+  #
+  # From https://docs.spring.io/spring-security/reference/features/exploits/csrf.html
+  # "If you are creating a service that is used only by non-browser clients,
+  #  you likely want to disable CSRF protection."
+  - exclude: java/spring-disabled-csrf-protection
+
 jobs:
   analyze:
     name: Analyze