[Task]: Investigate CodeQL CI Submodule Optimization

[makubacki]

Feature Overview

Currently CodeQL GitHub workflow runs build all of the code including submodules. CodeQL analysis can be slowed down including submodule code when we're interested in issues specific to the edk2 codebase.

This issue tracks investigating whether analysis of submodule code can be excluded from the CodeQL build.

Solution Overview

Two main approaches are being considered:

1. Remove the submodule code from the build by using a null library instance (if brought into the build via that instance)
2. Modify the build/linking process to avoid building submodule code in a CodeQL instrumented build

Alternatives Considered

See solution

What packages are impacted?

Other

Urgency

Low

Are you going to implement the feature request?

I will implement the feature

Do you need maintainer feedback?

No maintainer feedback needed

Anything else?

Note: This is considered low priority and may be in the backlog for a while.

[mdkinney]

Most static analysis tool are limited to the C unit of a file and no additional levels of analysis are added by linking the libraries or modules. If this is the case for codeql, then performing analysis on the CC action alone and skipping the SLINK and DLINK actions may provide faster codeql analysis. This would require changes to GenMake with a different target to perform only the CC actions.

In addition, when evaluating a PR, the files modified can be used to determine which packages/modules/libraries need to be analyzed with codeql. The scope of the content that requires analysis may be larger if package scoped public includes or DEC files are modified.

Could use a cron job at daily or weekly basis to perform codeql scan of all packages post-merge as a cross check.