Talk about CodeQL from GitHub

[binkley]

This is part of the epic #462 on quality.
This is part of the epic #586 on badges.. Badge card is here: #597

We have this turned on in GitHub actions. It is a checkbox to enable, but no one is sure what it does, or how to see reports.

• If it is not helpful, consider removing from CI build -- KEEP.
• Decide if we should discuss CodeQL, or merely reference it in the Use static analysis page ("Going further" at bottom of that page).
• Go through the github codeql basics tutorial (https://github.com/skills/introduction-to-codeql)
• Delete codeql action from mjp and re-add according to what you did in the tutorial. The next two items might not be an issue after doing this step.
• Resolve the CodeQL warnings (see image below).
• Add a custom GH action file to enable CodeQL -- the default is not helping us.
• Add writing to discuss alongside other quality features like Spotless, etc. - mention licensing implications. Mention in security page, spillover into static analysis. Mention the tutorial, provide link(s)

Need a negative test

We should be able to force CodeQL to fail in CI as validation it is working.
See codeql-test branch.

Out of scope

• Plugins for IDEs such as VSCode
• Update configuration in github to generate sarif file - out of scope
• Explore visualization of SARIF file - out of scope
• Try to get the starter kit "working" in VSCode https://github.com/github/vscode-codeql-starter/
• Configure VSCode agent to point to modern-java-practices

See https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning.

CodeQL is a feature from GitHub enabled in https://github.com/binkley/modern-java-practices/settings/security_analysis.

Example warning message:

relevant link: https://medium.com/@joas.brito/codeql-finding-security-vulnerabilities-in-your-code-52f5bf28e7f