Set up codeql

[jingtang10]

Describe the Issue
Set up codeql: https://codeql.github.com/

Would you like to work on the issue?
no thanks.

[vorburger]

@jingtang10 @omarismail94 would you welcome it if I had a go at a PR for this? Or is someone else (un-assigned) already working on it?

[jingtang10]

@jingtang10 @omarismail94 would you welcome it if I had a go at a PR for this? Or is someone else (un-assigned) already working on it?

Feel free to take a look please. Perhaps before committing time to making the script work, a bit of analysis on the benefits here first might be most useful.

I doubt there will be much downside to setting this up. But would like to understand how much are the benefits to justify us spending time.

Thanks 🙏

[vorburger]

@jingtang10 the advantage is some vulnerability scanning. I have this on a several other repos. For Kotlin it's apparently still more limited than Java, but there's something already available, which is probably worth a quick try.

For me to set it up for this project, you would have to grant me full Collaborator privilege, so that I can get access to and make changes in the Settings of the repo.

[jingtang10]

Sounds good. @vorburger sent you an invite. by the way please check out @williamito 's PR which is linked here.

@williamito fyi michael is going to help on this one.

[vorburger]

Thanks, invite accepted, and You now have view access to the google/android-fhir repository. but I still cannot access the Settings tab of this repo. @jingtang10 can you? Or is that Org Admins only?

[vorburger]

@jingtang10 thanks for helping to get the right access level, I have it now; I'll look into setting it up... and see how well Kotlin is supported (or not).

FYI this is what it looks like when set up (from another project):

[vorburger]

I have clicked Enable on CodeQL analysis here and it says Setting Up, with a log here ... I'll check back if that worked, or why not, some other time.

[vorburger]

I'll check back if that worked, or why not, some other time.

The "Default" configuration where (supposedly...) CodeQL will automatically find the best configuration for your repository. doesn't quite work. I have analyzed the error log, and it appear something Java 11 vs 17 version confusion related. Maybe it would be possible to fix the Gradle configuration of this project? But the easier solution is likely to use an "Advanced" set-up to Customize your CodeQL configuration via a YAML file checked into the repository instead - I'll raise a PR for that, and we'll see if that works.

[vorburger]

Initial attempt #2204 didn't work, it fails with: _Error: Encountered a fatal error while running "/opt/hostedtoolcache/CodeQL/2.14.5/x64/codeql/codeql database finalize --finalize-dataset --threads=64 --ram=244226 /home/runner/work/temp/codeql_databases/java". Exit code was 32 and error was: CodeQL detected code written in Java/Kotlin but could not process any of it. Review our troubleshooting guide at https://gh.io/troubleshooting-code-scanning/no-source-code-seen-during-build

Second attempt #2205 fails with TaskSelectionException: Task 'testClasses' not found in root project 'android-fhir' and its subprojects.; I'll see if I can figure out how to fix that.

[vorburger]

@jingtang10 @omarismail94 looks like this is now working! Check out https://github.com/google/android-fhir/security/code-scanning.