add CodeQL GitHub Action
What this PR does / why we need it:
This adds a GitHub Action for CodeQL. It integrates well since it's from GitHub. It helps in checking for security vulnerabilities.
Will be a no-op for code and documentation.
Which issue(s) this PR closes:
Special notes for your reviewer:
Suggestions on how to test this:
Does this PR introduce a user interface change? If mockups are available, please link/include them here:
Is there a release notes update needed for this change?:
Additional documentation:
If you are still interested in this PR, can you please merge and resolve any merge conflicts with the latest from develop? If so, we can prioritize reviewing and QAing the changes. If we don’t hear from you by May 22, 2024, we’ll go ahead and close this PR (it can always be reopened after that date, if there is still interest).
Rebased onto develop branch
Hooray for code quality tools integration! I hope this PR will be merged, and/or #9847. (I'm not really involved, but have been a proponent of cleaning up the code base for years.)
However, https://github.com/IQSS/dataverse/actions/runs/8842621992 says that the autobuild failed and to update the used actions. Could you have a look at the suggestions?
2024/11/18: @ofahimIQSS please review and decide how we can move it forward. Thanks!
I’m currently researching the potential benefits of integrating CodeQL into our GitHub Actions workflow. CodeQL is a robust security and code analysis tool designed to identify vulnerabilities and maintain high-quality code standards.
Over the next few weeks, I’ll analyze how CodeQL compares to other similar tools, evaluating its impact on our development process, code quality, and overall team efficiency.
@carlsonp any idea why this PR is failing? 🤔
Guessing it's the out-of-date actions - at QDR we have https://github.com/QualitativeDataRepository/dataverse/blob/develop/.github/workflows/codeql-analysis.yml which has new versions of all the GitHub Actions involved. We also have Java, JavaScript and Python as languages, versus just Java.
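A workflow of the shape described in the comment above, added here as an illustration (it is neither the QDR file nor the YAML in this PR). It scans the three languages named, uses the current v3 codeql-action and v4 checkout releases instead of the outdated ones the failed run complained about, and grants the job only the token permissions code scanning needs; the Java 17 / Maven setup is an assumption not stated in the thread.

```yaml
name: CodeQL

on:
  push:
    branches: [develop]
  pull_request:
    branches: [develop]
  schedule:
    - cron: '17 3 * * 1'   # weekly scan of develop, independent of PR traffic

# Least privilege: the job only needs to read the repo and upload SARIF results.
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false   # a failure in one language must not hide the other languages' results
      matrix:
        language: [java, javascript, python]

    steps:
      - uses: actions/checkout@v4

      # Assumption: a Maven build on Java 17. autobuild needs a JDK it can find,
      # which is the usual reason the Java autobuild step fails on a stale workflow.
      - uses: actions/setup-java@v4
        if: matrix.language == 'java'
        with:
          distribution: temurin
          java-version: '17'
          cache: maven

      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}

      # Compiles Java via the detected Maven build; a no-op for javascript and python.
      - uses: github/codeql-action/autobuild@v3

      - uses: github/codeql-action/analyze@v3
        with:
          # Distinct category per language so each matrix leg uploads its own result set.
          category: /language:${{ matrix.language }}
```

Results for a pull request show up on the PR checks overview; the repository Security tab only fills in once the workflow has run on the default branch.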
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
I went through the wizard at https://github.com/IQSS/dataverse/new/develop?filename=.github%2Fworkflows%2Fcodeql.yml&workflow_template=code-scanning%2Fcodeql and then copied and pasted it into the YAML for this PR in 793c3ee.
I'm wondering how we can handle/proceed with the code scanning results: https://github.com/IQSS/dataverse/security/code-scanning?page=1&query=pr%3A9252+tool%3ACodeQL+is%3Aopen+sort%3Acreated-desc numbers 302 to 162
Noticed that continuous-integration/jenkins/pr-merge failed - rerunning it now.
The branch was 3231 commits behind. 😅
I just merged the latest from develop into it.
Looks good, merging PR