incubator-kie-tools CodeQL scan results are difficult to review #1171

Open
jomarko opened this issue May 7, 2024 · 1 comment
Labels
area:tools Issues affecting Apache KIE tooling projects type:tech-debt Things that were left behind and may harm us in the future.

Comments

@jomarko

jomarko commented May 7, 2024

We have active CodeQL scans in the apache/incubator-kie-tools repository. The problem I see with this scan can be put into two categories.

Deprecated GitHub action

We currently use codeql-action@v2 (https://github.com/apache/incubator-kie-tools/blob/main/.github/workflows/ci_codeql.yml), which is deprecated (https://github.com/github/codeql-action?tab=readme-ov-file#supported-versions-of-the-codeql-action). v3 uses Node 20; not sure if we are blocked by this ticket (#392) from migrating codeql-actions.

Results

They can be found here: https://github.com/apache/incubator-kie-tools/security/code-scanning. What I see as problematic is the amount: currently more than 400 issues. Such an amount of issues makes it difficult to assess what the actual code quality of the repository is. When we take a closer look at the reported issues, a lot of them are related to dev webapps; should we scan all packages of kie-tools?

@jomarko jomarko added area:tools Issues affecting Apache KIE tooling projects type:tech-debt Things that were left behind and may harm us in the future. labels May 7, 2024
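As an added illustration, not the project's actual ci_codeql.yml, one way to address both points raised above: pin the CodeQL actions to v3 and hand the init step a config file that keeps the dev webapps and build artifacts out of the analysis, so the remaining findings reflect shipped code. The languages, cron schedule, config file location and path globs are assumptions about the repository layout, not taken from kie-tools.

```yaml
# Added example, not the contents of apache/incubator-kie-tools' ci_codeql.yml.
# File: .github/workflows/ci_codeql.yml (sketch)
name: CodeQL
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 4 * * 1"   # weekly run so new queries are applied to unchanged code

permissions:
  contents: read
  security-events: write   # needed to upload SARIF results to code scanning

jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [javascript-typescript, java-kotlin]   # assumed languages
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3     # v2 is deprecated; v3 is the supported line
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/codeql-config.yml   # assumed location
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
---
# File: .github/codeql/codeql-config.yml
name: "kie-tools CodeQL config"
# Keep scanning the shipped packages, but leave out dev-only webapps and
# build/test output that generate noise without reflecting product risk.
# The path globs below are assumptions about the repository layout.
paths-ignore:
  - "packages/*-dev-webapp/**"
  - "**/dist/**"
  - "**/node_modules/**"
  - "**/*.test.ts"
  - "**/*.test.tsx"
```

Narrowing the scanned paths shrinks the alert list on the code-scanning page; the excluded packages should still be listed explicitly in the config so the decision stays reviewable.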
@tiagobento

Thanks for reporting this @jomarko! Indeed we haven't been doing a great job keeping our static code analysis in good shape. I think the first step is to understand how we can take advantage of it, without it becoming a pain. What's the best configuration we can do to CodeQL? How can we make sure those scans are visible to people and that they're producing meaningful suggestions?

I think upgrading it to non-deprecated versions is a first step, and then some cleanup can be done. We can discuss what strategy we want to use moving forward, but I think there are actionable items from this conversation you started already!

Projects
Status: 📋 Backlog