
ENH: Add CodeQL for SAST scanning #7205

Closed

Conversation

jamesobutler
Contributor

@jamesobutler jamesobutler commented Aug 29, 2023

Test run for CodeQL to add SAST scanning per the code scanning alert https://github.com/Slicer/Slicer/security/code-scanning/11

@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@jcfr
Member

jcfr commented Aug 29, 2023

Error

In the context of the cpp analysis, an error like the following is reported:

```text
-- Configuring Slicer release type [Experimental]
CMake Error at CMake/FindGit.cmake:105 (message):
  Command " rev-parse --verify -q --short=7 HEAD" in directory
  /usr/src/Slicer failed with output:

  ERROR: ld.so: object
  '/opt/hostedtoolcache/CodeQL/2.14.3/x64/codeql/tools/linux64/${LIB}_${PLATFORM}_trace.so'
  from LD_PRELOAD cannot be preloaded: ignored.

Call Stack (most recent call first):
  CMake/SlicerMacroExtractRepositoryInfo.cmake:103 (GIT_WC_INFO)
  CMake/SlicerVersion.cmake:55 (SlicerMacroExtractRepositoryInfo)
  CMakeLists.txt:371 (include)
```

Source: https://github.com/Slicer/Slicer/actions/runs/6015042263/job/16316090839

Analysis

Since the file path /opt/hostedtoolcache/CodeQL/2.14.3/x64/codeql/tools/linux64/${LIB}_${PLATFORM}_trace.so is specific to the runner and doesn't exist in the docker container, this explains the issue.

As outlined in github/codeql#8502, it may not be possible to use CodeQL as-is within a docker container; instead, the CodeQL CLI could be used.

Next step

After reviewing the log associated with the Initialize CodeQL job [1], there are steps like Downloading CodeQL, Load language configuration and codeql database init that could be done within the execution environment of the container. Some of these steps are indeed described in the "Getting started with the CodeQL CLI" documentation [2].

That said, I am not yet clear on the advantages provided by setting the PRELOAD env. variable to inject a dependency vs. direct use of the CLI. Since we have full control of the build system, this is probably something we can address, but it would need some more investigation.

Based on the following message, I am assuming the loader performs the extraction ...

> Created skeleton CodeQL database at /home/runner/work/_temp/codeql_databases/cpp. This in-progress database is ready to be populated by an extractor

Reading the content of issue github/codeql#8453 is informative, especially this comment:

> It looks like CodeQL is now intercepting the compiler calls and running the "extractor" on the source files.

Licensing

We will have to review the terms of use to confirm we are compliant. Since, strictly speaking, Slicer is distributed under a BSD-style open source license that is broadly compatible with the Open Source Definition by The Open Source Initiative:

> If you are working with an Open Source Codebase (that is, a codebase that is released under an OSI-approved License) you can also use CodeQL for the following tasks:
>
> - To perform analysis of the Open Source Codebase.
> - If the Open Source Codebase is hosted and maintained on GitHub.com, to generate CodeQL databases for or during automated analysis, continuous integration, or continuous delivery.

Relevant links

Footnotes

[1] https://github.com/Slicer/Slicer/actions/runs/6015042263/job/16316090839

[2] https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli
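The loader behaviour behind the error above, as an added example that is not part of this PR or of Slicer's own build code: the loader keeps running the command when the LD_PRELOAD object is absent, but its complaint lands on stderr, which is what the git-info extraction in the log rejects. The `/nonexistent/...` tracer path and the `/bin/sh -c ':'` probe are constructed stand-ins for the runner tool-cache path and the `git rev-parse` call.

```shell
#!/bin/sh
# Added example, not code from the Slicer PR. Reproduces the "cannot be preloaded:
# ignored" condition from the log and offers a check for it before a build starts.

# Run CMD with LD_PRELOAD naming a CodeQL-style tracer object that does not exist
# here. The loader warns on stderr but still runs CMD, so the exit status is CMD's
# own; the stderr noise is what breaks callers that treat any output as failure.
# Usage: probe_missing_preload STDERR_FILE CMD [ARGS...]
probe_missing_preload() {
    stderr_file="$1"; shift
    # Constructed path mimicking the hosted-runner tool-cache layout seen in the log.
    LD_PRELOAD='/nonexistent/hostedtoolcache/CodeQL/x64/codeql/tools/linux64/${LIB}_${PLATFORM}_trace.so' \
        "$@" >/dev/null 2>"$stderr_file"
}

# Same command with the stale LD_PRELOAD dropped, as a build step inside the
# container should do for helper commands (git, etc.) that must not be traced.
# Usage: probe_clean_env STDERR_FILE CMD [ARGS...]
probe_clean_env() {
    stderr_file="$1"; shift
    ( unset LD_PRELOAD; "$@" ) >/dev/null 2>"$stderr_file"
}

# Given an LD_PRELOAD value like the one in the log, check that the directory
# holding the CodeQL tracer is visible from this environment (e.g. the runner's
# tool cache was mounted into the container). Returns 0 if it is, 1 if not.
# Usage: tracer_reachable LD_PRELOAD_VALUE
tracer_reachable() {
    tracer_dir="${1%/*}"   # strip the '${LIB}_${PLATFORM}_trace.so' file name
    [ -d "$tracer_dir" ]
}

# Demonstration on constructed input: the same probe under both environments,
# then the pre-flight check with the exact path reported in the CMake error.
demo() {
    noisy="$(mktemp)"; quiet="$(mktemp)"
    probe_missing_preload "$noisy" /bin/sh -c ':'
    echo "missing tracer: exit $?, stderr lines: $(wc -l < "$noisy")"
    probe_clean_env "$quiet" /bin/sh -c ':'
    echo "clean env:      exit $?, stderr lines: $(wc -l < "$quiet")"
    if tracer_reachable '/opt/hostedtoolcache/CodeQL/2.14.3/x64/codeql/tools/linux64/${LIB}_${PLATFORM}_trace.so'; then
        echo "tracer directory is visible here"
    else
        echo "tracer directory not visible here: mount the tool cache or drive the CodeQL CLI directly"
    fi
    rm -f "$noisy" "$quiet"
}
demo
```

Only glibc's loader prints the warning; other loaders silently ignore a missing preload object, but in both cases the command itself still runs.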

@jcfr jcfr added the Status: Draft This pull-request is not yet ready for integration label Nov 15, 2023
@jamesobutler jamesobutler deleted the codeql-action branch April 24, 2024 04:21