Replies: 2 comments
-
Hi @ihhub, First of all, the "default" CodeQL setup will not work well enough with our setup (for instance, it will not be able to install the pre-built deps for Android or build optional tools), we need the custom setup (I tried it on this project BTW). Second, I doubt that it will find something that clang-analyzer, clang-tidy and SonarQube would not have found already (I already used it in some other projects, and it did not do this). In addition, it approaches the case too formally, and this leads to false positives. For instance, it "found" the following "issue" in this project: It fails to see that this
-
Thank you very much for the detailed analysis, @oleg-derevenetz! We shall not then proceed with this tool.
-
GitHub allows setting up CodeQL for repositories:
You can read about it here and here.
According to the requirements and language support, we can enable CodeQL for our repository.