add CodeQL scan workflow

.github/workflows/codeql-static-analysis.yml

@@ -0,0 +1,104 @@
+name: CodeQL Static Analysis
+
+on:
+  # allow manual run
+  workflow_dispatch:
+  schedule:
+    # run every Sunday at 4:30 UTC
+    - cron: '30 4 * * 0'
+
+jobs:
+  analyze:
+    name: CodeQL Static Analysis
+    runs-on: ubuntu-22.04
+    timeout-minutes: 360
+    permissions:
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        toolchain: ["gcc", "clang"]
+        protocol: ["current", "next"]
+
+    steps:  
+    - name: Fix kernel mmap rnd bits
+      # Asan in llvm provided in ubuntu 22.04 is incompatible with
+      # high-entropy ASLR in much newer kernels that GitHub runners are
+      # using leading to random crashes: https://reviews.llvm.org/D148280
+      run: sudo sysctl vm.mmap_rnd_bits=28
+
+    - uses: actions/checkout@v4
+      with:
+          fetch-depth: 200
+          submodules: true
+
+    - name: Get CodeQL CLI
+      run: |
+        cd /home/runner/work/stellar-core
+        wget https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.17.2/codeql-bundle-linux64.tar.gz
+        tar -xvzf codeql-bundle-linux64.tar.gz
+
+    - name: Add CodeQL CLI to PATH
+      env:
+        ACTIONS_ALLOW_UNSECURE_COMMANDS: true
+      run: |
+        echo "::add-path::/home/runner/work/stellar-core/codeql:$PATH"
+
+    - name: install core packages
+      run: |
+        sudo apt-get update
+        sudo apt-get -y install --no-install-recommends apt-utils dialog git iproute2 procps lsb-release
+
+    - name: install tool chain
+      run: |
+        sudo apt-get -y install libstdc++-10-dev clang-format-12 lldb ccache
+        if test "${{ matrix.toolchain }}" = "gcc" ; then
+          sudo apt-get -y install cpp-10 gcc-10 g++-10
+        else
+          sudo apt-get -y install clang-12 llvm-12
+        fi
+
+    - name: install rustup components
+      run: rustup component add rustfmt
+
+    - name: install cargo-cache
+      run: cargo install --locked cargo-cache --version 0.8.3
+
+    - name: install cargo-sweep
+      run: cargo install --locked cargo-sweep --version 0.7.0
+
+    - name: install dependencies
+      run: |
+        sudo apt-get -y install postgresql git build-essential pkg-config autoconf automake libtool bison flex libpq-dev parallel libunwind-dev sed perl
+
+    - name: Build
+      run: |
+        if test "${{ matrix.toolchain }}" = "gcc" ; then
+          export CC='gcc'
+          export CXX='g++'
+        else
+          export CC='clang'
+          export CXX='clang++'
+        fi
+
+        echo Build with $CC and $CXX
+        ./ci-build.sh --build-with-codeql --disable-tests --protocol ${{ matrix.protocol }}
+
+    - name: Perform CodeQL Analysis
+      run: |
+        codeql database analyze codeql-db --format=sarif-latest --output=results.sarif
+        codeql database analyze codeql-db --format=csv --output=results.csv
+
+    - name: Upload CodeQL scan results as job artifacts
+      uses: actions/upload-artifact@v4
+      with:
+          name: CodeQL-${{ matrix.toolchain }}-${{ matrix.protocol }}
+          path: results.csv
+          retention-days: 15
+
+    - name: Upload SARIF file to Github Code scanning
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: results.sarif
+        category: CodeQL

ci-build.sh

@@ -10,6 +10,7 @@ CACHE_MAX_DAYS=30
 
 WITH_TESTS=1
 export TEMP_POSTGRES=0
+WITH_CODEQL=0
 
 PROTOCOL_CONFIG=""
 
@@ -26,6 +27,10 @@ while [[ -n "$1" ]]; do
             export TEMP_POSTGRES=1
             echo Using temp database
             ;;
+    "--build-with-codeql")
+            WITH_CODEQL=1
+            echo Building with CodeQL for static analysis
+            ;;
     "--check-test-tx-meta")
             if [[ -z "${PROTOCOL}" ]]; then
                 echo 'must specify --protocol before --check-test-tx-meta'
@@ -97,7 +102,14 @@ elif test $CXX = 'g++'; then
     g++ -v
 fi
 
-config_flags="--enable-asan --enable-extrachecks --enable-ccache --enable-sdfprefs --enable-threadsafety ${PROTOCOL_CONFIG}"
+if [ $WITH_CODEQL -eq 0 ]
+then
+    config_flags="--enable-asan --enable-extrachecks --enable-ccache --enable-sdfprefs --enable-threadsafety ${PROTOCOL_CONFIG}"
+else
+    # Disable asan to successfully build with CodeQL
+    config_flags="--enable-extrachecks --enable-ccache --enable-sdfprefs --enable-threadsafety ${PROTOCOL_CONFIG}"
+fi
+
 export CFLAGS="-O2 -g1 -fno-omit-frame-pointer -fsanitize-address-use-after-scope -fno-common"
 export CXXFLAGS="$CFLAGS"
 
@@ -152,7 +164,13 @@ then
 fi
 
 date
-time make -j$(($NPROCS + 1))
+
+if [ $WITH_CODEQL -eq 0 ]
+then
+    time make -j$(($NPROCS + 1))
+else
+    codeql database create codeql-db --language=c-cpp --command make -j$(($NPROCS + 1))
+fi
 
 ccache -s
 ### incrementally purge old content from cargo source cache and target directory