
Talk about CodeQL from GitHub

Open binkley opened this issue 1 year ago • 0 comments

This is part of the epic #462 on quality. This is part of the epic #586 on badges. Badge card is here: #597

We have this turned on in GitHub actions. It is a checkbox to enable, but no one is sure what it does, or how to see reports.

  • [x] If it is not helpful, consider removing from CI build -- KEEP.
  • [x] Decide if we should discuss CodeQL, or merely reference it in the Use static analysis page ("Going further" at bottom of that page).
  • [ ] Go through the github codeql basics tutorial (https://github.com/skills/introduction-to-codeql)
  • [ ] Delete codeql action from mjp and re-add according to what you did in the tutorial. The next two items might not be an issue after doing this step.
  • [ ] Resolve the CodeQL warnings (see image below).
  • [ ] Add a custom GH action file to enable CodeQL -- the default is not helping us.
  • [ ] Add writing to discuss alongside other quality features like Spotless, etc. - mention licensing implications
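For the "custom GH action file" item above, here is an added example of what a dedicated CodeQL workflow for a Java repository looks like. It is not a file from modern-java-practices; the branch name, the Java version, the schedule and the `queries` choice are assumptions, and `autobuild` is used because the project builds with both Gradle and Maven (swap in an explicit `./gradlew` or `./mvnw` step if autobuild picks the wrong one). The `security-events: write` permission is what lets the `analyze` step upload its SARIF results so they show up under the repository's Security tab instead of silently disappearing.

```yaml
# Added example: .github/workflows/codeql.yml for a Java project.
# Not the project's own file; branch name, Java version and schedule are assumptions.
name: "CodeQL"

on:
  push:
    branches: [ "master" ]          # assumption: default branch is master
  pull_request:
    branches: [ "master" ]
  schedule:
    - cron: "0 6 * * 1"             # assumption: weekly scan catches newly added queries

# Least privilege: only what the CodeQL action needs to read code and upload findings.
permissions:
  contents: read
  actions: read
  security-events: write            # required to upload SARIF to code scanning

jobs:
  analyze:
    name: Analyze (java-kotlin)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '21'        # assumption: match the project's toolchain

      # Initialise the CodeQL database for Java/Kotlin sources.
      # security-extended adds lower-precision security queries on top of the default suite.
      - uses: github/codeql-action/init@v3
        with:
          languages: java-kotlin
          queries: security-extended

      # Let CodeQL drive the build so it can trace compiled sources.
      # Replace with an explicit build step if autobuild chooses the wrong tool.
      - uses: github/codeql-action/autobuild@v3

      # Run the queries and upload the SARIF to the repository's code scanning alerts.
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:java-kotlin"
```

Once this is in place, the results appear under Security > Code scanning on GitHub, and a pull request that introduces a finding gets an inline annotation; that is the "how to see reports" question from the top of this issue.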

Out of scope

  • Plugins for IDEs such as VSCode
  • Update configuration in github to generate sarif file - out of scope
  • Explore visualization of SARIF file - out of scope
  • Try to get the starter kit "working" in VSCode https://github.com/github/vscode-codeql-starter/
  • Configure VSCode agent to point to modern-java-practices

See https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning.

CodeQL is a feature from GitHub enabled in https://github.com/binkley/modern-java-practices/settings/security_analysis.

Example warning message: [image]

Relevant link: https://medium.com/@joas.brito/codeql-finding-security-vulnerabilities-in-your-code-52f5bf28e7f

binkley, Jul 04 '24 15:07