jbampton
Member

Description

This PR...

https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql#about-codeql

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)
  • build/CI
  • test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

  • Major
  • Minor

Bug Severity

  • BLOCKER
  • Critical
  • Major
  • Minor
  • Trivial

Screenshots (if appropriate):

How Has This Been Tested?

How did you try to break this feature and the system with this change?

@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.


codecov bot commented Jul 28, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 17.39%. Comparing base (96ccd7e) to head (2c50239).
⚠️ Report is 12 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff            @@
##               main   #11300   +/-   ##
=========================================
  Coverage     17.39%   17.39%           
- Complexity    15283    15285    +2     
=========================================
  Files          5889     5889           
  Lines        526141   526141           
  Branches      64234    64234           
=========================================
  Hits          91542    91542           
  Misses       424265   424265           
  Partials      10334    10334           
Flag        Coverage Δ
uitests      3.62% <ø> (ø)
unittests   18.44% <ø> (ø)

Flags with carried forward coverage won't be shown.

strategy:
  fail-fast: false
  matrix:
    language: ["actions"]
Member


Do we need to add more languages here?

Member Author


Do we need to add more languages here?

Let us get this PR merged first before we add more languages and checks.

For example, if we add the Java language to the matrix, we may also need to implement "paths" or only run the Java CodeQL check when certain files change. These checks can sometimes take a while to run on the CI.

Also it is probably best to separate each language that we want to check into its own CodeQL workflow file and add all the "paths". For example:

  • java-codeql-analysis.yml
  • python-codeql-analysis.yml
  • actions-codeql-analysis.yml
  • etc.

Using separate CodeQL workflow files for each language in a multi-language repository allows for tailored analysis and build processes. This approach is particularly useful when languages have different build requirements or when you want to apply specific queries or configurations to individual languages.

@vishesh92 vishesh92 requested a review from Copilot July 28, 2025 12:27

@Copilot Copilot AI left a comment


Pull Request Overview

This PR adds CodeQL analysis to the GitHub Actions workflow for automated security scanning of the codebase. CodeQL is GitHub's semantic code analysis engine that helps identify security vulnerabilities and coding errors.

Key changes:

  • Adds a new GitHub Actions workflow for CodeQL security analysis
  • Configures the workflow to run on pushes and pull requests to the main branch
  • Sets up security scanning specifically for GitHub Actions workflow files
Comments suppressed due to low confidence (3)

.github/workflows/codeql-analysis.yml:40

  • CodeQL action v3 may not be the latest version. Consider using @v4 or a more recent version for better security and features, or pin to a specific commit hash for better security.
        uses: github/codeql-action/init@v3

.github/workflows/codeql-analysis.yml:44

  • CodeQL action v3 may not be the latest version. Consider using @v4 or a more recent version, or pin to a specific commit hash for better security.
        uses: github/codeql-action/autobuild@v3

.github/workflows/codeql-analysis.yml:46

  • CodeQL action v3 may not be the latest version. Consider using @v4 or a more recent version, or pin to a specific commit hash for better security.
        uses: github/codeql-action/analyze@v3
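As an added example (not part of this PR or the project's own workflow files), the following shows what one of the per-language workflow files proposed above (a java-codeql-analysis.yml with its own "paths" filter) could look like, and where the version pinning raised in the Copilot review would go. It assumes the repository builds Java with Maven, that the default branch is main, and that the path globs and the security-extended query suite are reasonable choices for this project; all three are assumptions, not facts from the page.

```yaml
# Added example, not from the PR: .github/workflows/java-codeql-analysis.yml
# Assumptions: Maven-built Java sources, default branch "main", path globs
# below are illustrative and should be adjusted to the repository layout.
name: "CodeQL (Java)"

on:
  push:
    branches: [main]
    paths:
      - "**/*.java"
      - "**/pom.xml"
      - ".github/workflows/java-codeql-analysis.yml"
  pull_request:
    branches: [main]
    paths:
      - "**/*.java"
      - "**/pom.xml"
      - ".github/workflows/java-codeql-analysis.yml"

# Least privilege: the job only needs to read the checkout and upload SARIF.
permissions:
  contents: read
  security-events: write
  actions: read

jobs:
  analyze:
    name: Analyze Java
    runs-on: ubuntu-latest
    timeout-minutes: 180   # Java analysis of a large tree can take a while
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        # To pin to an immutable revision instead of the moving v3 tag, replace
        # "@v3" with the full commit SHA of the release you vetted, keeping the
        # version as a trailing comment, e.g. "@<40-hex-sha> # v3.x.y"
        # (placeholder; look up the SHA for the release you choose).
        uses: github/codeql-action/init@v3
        with:
          languages: java-kotlin         # CodeQL's identifier for Java/Kotlin code
          queries: security-extended     # optional broader security query suite

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:java-kotlin"
```

With a "paths" filter the workflow is simply not triggered for pushes or pull requests that touch no matching file, which is what keeps a slow Java build off unrelated changes; one caveat is that a path-filtered workflow reports no status on those events, so it should not be configured as a required check unless a matching job is always guaranteed to run. Each language living in its own file also means the workflows run in parallel and fail independently, so a broken Java build does not block the lighter actions or python scans.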

@jbampton
Member Author

@blueorangutan package

@blueorangutan

@jbampton a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 15041

@DaanHoogland DaanHoogland merged commit 0d9c506 into apache:main Sep 17, 2025
28 checks passed
@jbampton jbampton deleted the add-codeql branch September 17, 2025 10:40

5 participants