
Create GitHub Actions Workflows for CodeQL, Clang Analyzer and GCC -fanalyzer #1112

Merged: 2 commits merged into skupperproject:main from the jd_2023_06_03_code_scanners branch on Sep 15, 2023

Conversation

jiridanek (Contributor) commented Jun 3, 2023

TODO: put the information below into a file under docs/

Code scanning is a GitHub feature https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security

Findings from CodeQL and GCC -fanalyzer get reported to https://github.com/skupperproject/skupper-router/security/code-scanning

Findings from clang (through CodeChecker) get reported in a github-pages-codechecker deployment webpage, which is not yet available, because it only deploys from main branch, but it will look like https://github.com/jiridanek/skupper-router/deployments/activity_log?environment=github-pages-codechecker

Checks available in clang are documented at https://clang.llvm.org/docs/analyzer/checkers.html. The Cross Translation Unit analysis mode is not turned on in this PR just yet, see https://clang.llvm.org/docs/analyzer/user-docs/CrossTranslationUnit.html#automated-ctu-analysis-with-codechecker

CodeChecker is the recommended tool to run clang analyzer; docs are at https://github.com/Ericsson/codechecker/blob/master/docs/usage.md

@jiridanek jiridanek added this to the 2.5.0 milestone Jun 3, 2023
@jiridanek jiridanek self-assigned this Jun 3, 2023
codecov bot commented Jun 3, 2023

Codecov Report

Merging #1112 (e124625) into main (0a4fa8b) will decrease coverage by 0.12%.
The diff coverage is n/a.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1112      +/-   ##
==========================================
- Coverage   78.34%   78.23%   -0.12%     
==========================================
  Files         243      243              
  Lines       63135    63133       -2     
  Branches     5956     5845     -111     
==========================================
- Hits        49464    49390      -74     
- Misses      11039    11098      +59     
- Partials     2632     2645      +13     
| Flag          | Coverage | Δ         |
|---------------|----------|-----------|
| pysystemtests | 87.55%   | -0.03% ⬇️ |
| pyunittests   | 54.44%   | ø         |
| systemtests   | 72.24%   | -0.19% ⬇️ |
| unittests     | 26.62%   | +<0.01% ⬆️ |

Flags with carried forward coverage won't be shown.

| Component   | Coverage | Δ          |
|-------------|----------|------------|
| calculator  | 30.14%   | +<0.01% ⬆️ |
| systemtests | 78.84%   | -0.12% ⬇️  |

@jiridanek jiridanek force-pushed the jd_2023_06_03_code_scanners branch from 6e93828 to b279515 Compare June 3, 2023 11:17
jiridanek (Contributor, Author) commented Jun 3, 2023

So, gcc -fanalyzer findings from this PR are at https://github.com/skupperproject/skupper-router/security/code-scanning?query=is%3Aopen+pr%3A1112+tool%3A%22GNU+C11%22

Notice the Show paths link which opens the "static backtrace" for the warning.


@jiridanek jiridanek force-pushed the jd_2023_06_03_code_scanners branch 2 times, most recently from 27a1b32 to 371bf1c Compare June 3, 2023 11:55
@jiridanek jiridanek marked this pull request as ready for review June 3, 2023 11:55
@jiridanek jiridanek force-pushed the jd_2023_06_03_code_scanners branch 2 times, most recently from e03fa83 to 4e78f05 Compare June 6, 2023 14:34
jiridanek (Contributor, Author) commented Jun 8, 2023

To answer @astitcher and @kgiusti:

clang-analyzer apparently does not have a good way to suppress findings, according to https://clang-analyzer.llvm.org/faq.html#suppress_issue

There are some extra annotations (only one, actually) for clang-analyzer; Coverity has many more: https://clang-analyzer.llvm.org/annotations.html#attr_nonnull

For gcc -fanalyzer it appears that the heavyweight method for suppressing warnings needs to be used, with push and pop: https://gcc.gnu.org/onlinedocs/gcc/Diagnostic-Pragmas.html
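The push/ignored/pop pattern the comment refers to, shown as an added example that is not part of this PR or of skupper-router. The registry, its functions and the choice of `-Wanalyzer-malloc-leak` are constructed for illustration: a pointer whose ownership moves into a table that is freed elsewhere is a typical analyzer false positive, but whether a given GCC version reports it is not guaranteed. The point is how the pragmas scope the suppression to one function while the check stays active for everything after the `pop`; the `__clang__` guard is a practical addition so the same file builds warning-free under clang, which does not know the analyzer option names.

```c
/* Added example (not the skupper-router project's code): scoping a
 * gcc -fanalyzer suppression with diagnostic pragmas.
 * Build and analyze with:  gcc -fanalyzer -Wall -c registry.c
 * Everything below is constructed for illustration. */
#include <stdlib.h>
#include <string.h>

#define SLOT_COUNT 4

/* Constructed registry: allocations stored here are owned by the table and
 * released later in registry_clear(). An analyzer tracking allocations per
 * function may report the stored pointer as leaked because the later free
 * is not visible from registry_store(). */
static char *slots[SLOT_COUNT];

/* The pragmas apply at file scope to the definitions that follow them, so
 * only registry_store() has the leak check disabled. The guard keeps clang
 * (which does not know GCC's -Wanalyzer-* names) from emitting
 * -Wunknown-warning-option for the pragma itself. */
#if defined(__GNUC__) && !defined(__clang__)
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wanalyzer-malloc-leak"
#endif

/* Copies text into the first free slot. Returns the slot index, or -1 if
 * the table is full or allocation fails. */
int registry_store(const char *text)
{
    for (int i = 0; i < SLOT_COUNT; i++) {
        if (slots[i] == NULL) {
            size_t len = strlen(text) + 1;
            char *copy = malloc(len);
            if (copy == NULL)
                return -1;
            memcpy(copy, text, len);
            slots[i] = copy;   /* ownership transferred to the table */
            return i;
        }
    }
    return -1;
}

#if defined(__GNUC__) && !defined(__clang__)
#pragma GCC diagnostic pop
#endif
/* From here on -Wanalyzer-malloc-leak is active again, so a genuine leak in
 * any later function is still reported. */

/* Returns the stored string for a valid, occupied slot, otherwise NULL. */
const char *registry_get(int index)
{
    if (index < 0 || index >= SLOT_COUNT)
        return NULL;
    return slots[index];
}

/* Frees every occupied slot and returns how many were released. */
int registry_clear(void)
{
    int freed = 0;
    for (int i = 0; i < SLOT_COUNT; i++) {
        if (slots[i] != NULL) {
            free(slots[i]);
            slots[i] = NULL;
            freed++;
        }
    }
    return freed;
}

int main(void)
{
    int i = registry_store("constructed sample");
    int stored = (registry_get(i) != NULL);
    int freed = registry_clear();
    return (i == 0 && stored && freed == 1) ? 0 : 1;
}
```

Because `#pragma GCC diagnostic` is processed in source order, the `push`/`ignored` pair must precede the function definition and the `pop` must follow it; a `pop` inside the function body would not cover the function's own epilogue, where the analyzer reports the leak.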

github-advanced-security bot commented

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@jiridanek jiridanek merged commit 3c27e23 into skupperproject:main Sep 15, 2023
22 of 41 checks passed
@jiridanek jiridanek deleted the jd_2023_06_03_code_scanners branch September 15, 2023 16:56
jiridanek added a commit to jiridanek/skupper-router that referenced this pull request Sep 19, 2023