Install codeql in s-core-devcontainer

README.md

@@ -74,6 +74,34 @@ These databases are used by Visual Studio Code to support code navigation and au
 
 Congratulations, you are now a dev container enthusiast 😊.
 
+### How to use: codeql
+
+The devcontainer codeql installation supports C, C++ and Rust source code analysis. All publicly available
+"coding standards" are preloaded and codeql is already in PATH.
+
+Example:
+
+```sh
+git clone https://github.com/nlohmann/json.git
+cd json
+cmake -S . -B build -G Ninja
+
+# Step 1: Create database
+mkdir _sca
+codeql database create _sca/codeql_data \
+  --threads=0 \
+  --language=cpp \
+  --command="ninja -C build" \
+  --source-root=.
+
+# Step 2: Run rulechecker and create SARIF report
+codeql database analyze _sca/codeql_data \
+  codeql/misra-cpp-coding-standards \
+  --threads=0 \
+  --format=sarif-latest \
+  --output=_sca/codeql-results.sarif
+```
+
 ## Development
 
 > [!NOTE]

src/s-core-devcontainer/.devcontainer/devcontainer.json

@@ -69,7 +69,8 @@
                 "swyddfa.esbonio", // for Sphinx documentation support
                 "rust-lang.rust-analyzer", // Rust language support for Visual Studio Code; see also tasks below
                 "github.vscode-pull-request-github", // GitHub integration
-                "bierner.markdown-preview-github-styles" // GitHub style for Markdown preview
+                "bierner.markdown-preview-github-styles", // GitHub style for Markdown preview
+                "ms-sarifvscode.sarif-viewer"   // CodeQL report viewer
             ],
             "settings": {
                 "files.insertFinalNewline": true,
@@ -90,6 +91,10 @@
                     "--experimental_use_code_flow_analysis",
                     "--experimental_enable_label_completions"
                 ],
+                // we are NOT installing the codeql extension, because this is only needed for codeql rule development,
+                // but just in case someone wants to use it, we preconfigure it here
+                "codeQL.runningQueries.numberOfThreads": 0, // use all available threads, I can't believe this is not the default
+                "codeQl.cli.executablePath": "$CODEQL_HOME/codeql",
                 "C_Cpp.intelliSenseEngine": "disabled",
                 // This only supports basic tests: https://github.com/matepek/vscode-catch2-test-adapter/issues/429
                 // More complex tests may need execution via bazel, which is not done yet.

src/s-core-devcontainer/.devcontainer/s-core-local/install.sh

@@ -31,6 +31,9 @@ DEBIAN_FRONTEND=noninteractive
 # Read tool versions + metadata into environment variables
 . /devcontainer/features/s-core-local/versions.sh /devcontainer/features/s-core-local/versions.yaml
 
+ARCHITECTURE=$(dpkg --print-architecture)
+KERNEL=$(uname -s)
+
 apt-get update
 
 # Unminimize the image to include standard packages like man pages
@@ -80,13 +83,84 @@ apt-get install -y gdb="${gdb_version}*"
 
 apt-get install -y valgrind="1:${valgrind_version}*"
 
+# CodeQL
+apt-get install -y zstd
+if [ "${ARCHITECTURE}" = "amd64" ]; then
+    VARIANT=linux64
+    SHA256SUM="${codeql_amd64_sha256}"
+elif [ "${ARCHITECTURE}" = "arm64" ]; then
+    if [ "${KERNEL}" = "Darwin" ]; then
+        VARIANT=osx64
+        SHA256SUM="${codeql_arm64_sha256}"
+    else
+        echo "CodeQl unsupported architecture/os: ${ARCHITECTURE} on ${KERNEL}, skipping installation"
+        VARIANT=noinstall
+    fi
+else
+    echo "Unsupported architecture: ${ARCHITECTURE} for CodeQL"
+    exit 1
+fi
+
+if [ "${VARIANT}" != "noinstall" ]; then
+    codeql_install_dir="/usr/local"
+    curl -L "https://github.com/github/codeql-action/releases/download/codeql-bundle-v${codeql_version}/codeql-bundle-${VARIANT}.tar.zst" -o /tmp/codeql.tar.zst
+    echo "${SHA256SUM} /tmp/codeql.tar.zst" | sha256sum -c - || exit 1
+    tar -I zstd -xf /tmp/codeql.tar.zst -C "${codeql_install_dir}"
+    ln -s "${codeql_install_dir}"/codeql/codeql /usr/local/bin/codeql
+    rm /tmp/codeql.tar.zst
+    export CODEQL_HOME=${codeql_install_dir}/codeql
+    echo "export CODEQL_HOME=${codeql_install_dir}/codeql" > /etc/profile.d/codeql.sh
+
+    codeql pack download codeql/misra-cpp-coding-standards@"${codeql_coding_standards_version}" -d "${codeql_install_dir}/codeql/qlpacks/"
+    codeql pack download codeql/misra-c-coding-standards@"${codeql_coding_standards_version}" -d "${codeql_install_dir}/codeql/qlpacks/"
+    codeql pack download codeql/cert-cpp-coding-standards@"${codeql_coding_standards_version}" -d "${codeql_install_dir}/codeql/qlpacks/"
+    codeql pack download codeql/cert-c-coding-standards@"${codeql_coding_standards_version}" -d "${codeql_install_dir}/codeql/qlpacks/"
+
+    # slim down codeql bundle (1.7GB -> 1.1 GB) by removing unnecessary language extractors and qlpacks
+    codeql_purge_dirs=(
+        "${codeql_install_dir}/codeql/csharp"
+        "${codeql_install_dir}/codeql/go"
+        "${codeql_install_dir}/codeql/java"
+        "${codeql_install_dir}/codeql/javascript"
+        "${codeql_install_dir}/codeql/python"
+        "${codeql_install_dir}/codeql/qlpacks/codeql/csharp-all"
+        "${codeql_install_dir}/codeql/qlpacks/codeql/csharp-examples"
+        "${codeql_install_dir}/codeql/qlpacks/codeql/csharp-queries"
+        "${codeql_install_dir}/codeql/qlpacks/codeql/go-all"
+        "${codeql_install_dir}/codeql/qlpacks/codeql/go-examples"
+        "${codeql_install_dir}/codeql/qlpacks/codeql/go-queries"
+        "${codeql_install_dir}/codeql/qlpacks/codeql/java-all"
+        "${codeql_install_dir}/codeql/qlpacks/codeql/java-examples"
+        "${codeql_install_dir}/codeql/qlpacks/codeql/java-queries"
+        "${codeql_install_dir}/codeql/qlpacks/codeql/javascript-all"
+        "${codeql_install_dir}/codeql/qlpacks/codeql/javascript-examples"
+        "${codeql_install_dir}/codeql/qlpacks/codeql/javascript-queries"
+        "${codeql_install_dir}/codeql/qlpacks/codeql/python-all"
+        "${codeql_install_dir}/codeql/qlpacks/codeql/python-examples"
+        "${codeql_install_dir}/codeql/qlpacks/codeql/python-queries"
+        "${codeql_install_dir}/codeql/qlpacks/codeql/ruby-all"
+        "${codeql_install_dir}/codeql/qlpacks/codeql/ruby-examples"
+        "${codeql_install_dir}/codeql/qlpacks/codeql/ruby-queries"
+        "${codeql_install_dir}/codeql/qlpacks/codeql/swift-all"
+        "${codeql_install_dir}/codeql/qlpacks/codeql/swift-queries"
+        "${codeql_install_dir}/codeql/ruby"
+        "${codeql_install_dir}/codeql/swift"
+    )
+    for dir in "${codeql_purge_dirs[@]}"; do
+        if [ -d "${dir}" ]; then
+            rm -rf "${dir}"
+        fi
+    done
+fi
+
+
 # Bash completion for rust tooling
 rustup completions bash rustup >> /etc/bash_completion.d/rustup.bash
 rustup completions bash cargo >> /etc/bash_completion.d/cargo.bash
 
 # Cleanup
 # REMOVE CONTAINER BUILD DEPENDENCIES
-apt-get remove --purge -y apt-transport-https
+apt-get remove --purge -y apt-transport-https zstd
 apt-get autoremove -y
 apt-get clean
 rm -rf /var/lib/apt/lists/*

src/s-core-devcontainer/.devcontainer/s-core-local/tests/test_default.sh

@@ -15,6 +15,9 @@
 
 set -euo pipefail
 
+ARCHITECTURE=$(dpkg --print-architecture)
+KERNEL=$(uname -s)
+
 # Read tool versions + metadata into environment variables
 . /devcontainer/features/s-core-local/versions.sh /devcontainer/features/s-core-local/versions.yaml
 
@@ -54,6 +57,9 @@ check "validate JAVA_HOME is set correctly" bash -c "echo ${JAVA_HOME} | xargs r
 check "validate gdb is working and has the correct version" bash -c "gdb --version | grep '${gdb_version}'"
 check "validate gh is working and has the correct version" bash -c "gh --version | grep '${gh_version}'"
 check "validate valgrind is working and has the correct version" bash -c "valgrind --version | grep '${valgrind_version}'"
+if [ "${ARCHITECTURE}" = "amd64" ] || { [ "${ARCHITECTURE}" = "arm64" ] && [ "${KERNEL}" = "Darwin" ]; }; then
+    check "validate codeql is working and has the correct version" bash -c "codeql --version | grep '${codeql_version}'"
+fi
 
 # Qemu target-related tools
 check "validate qemu-system-aarch64 is working and has the correct version" bash -c "qemu-system-aarch64 --version | grep '${qemu_system_arm_version}'"

src/s-core-devcontainer/.devcontainer/s-core-local/versions.yaml

@@ -46,5 +46,18 @@ openjdk_21:
 shellcheck:
   version: 0.9.0
 
+codeql:
+  # the coding_standards_version below dictates the codeql version
+  version: 2.21.4
+  amd64:
+    # see https://github.com/github/codeql-action/releases/download/codeql-bundle-v${codeql_version}/codeql-bundle-linux64.tar.zst.checksum.txt
+    sha256: 6da9f3df228d4e162af877569240a627c1af22f6adbd26352b22357fb8bd7545
+  arm64:
+    # see https://github.com/github/codeql-action/releases/download/codeql-bundle-v${codeql_version}/codeql-bundle-osx64.tar.zst.checksum.txt
+    sha256: 810a1fff48aeb081be754e46e255edd90d8695966e78431a65edb00e9e6cc399
+
+codeql_coding_standards:
+  version: 2.54.0
+
 valgrind:
   version: 3.22.0