Use Static Code Analysis Tooling #1696

Open
sbernard31 opened this issue Feb 14, 2025 · 7 comments
Labels
build / ci All about Build or Continuous Integration

Comments

@sbernard31
Contributor

To improve our OpenSSF score, it is recommended to use Static Application Security Testing (SAST), also known as static code analysis.

See documentation for more details.

This issue aims to discuss that and decide if we should add it or not, and which one should be used.
(Even if increasing the score is a criterion, this move should not be driven only by that.)

@sbernard31 sbernard31 added the build / ci All about Build or Continuous Integration label Feb 14, 2025
@sbernard31
Contributor Author

sbernard31 commented Feb 17, 2025

This is also needed to get the passing badge of OpenSSF Best Practices.
See : https://www.bestpractices.dev/en/projects/10034#analysis

At least one static code analysis tool (beyond compiler warnings and "safe" language modes) MUST be applied to any proposed major production release of the software before its release, if there is at least one FLOSS tool that implements this criterion in the selected language.

@sbernard31
Contributor Author

sbernard31 commented Feb 18, 2025

The check currently looks for known GitHub apps such as CodeQL (github-code-scanning) or SonarCloud in the recent (~30) merged PRs, or the use of "github/codeql-action" in a GitHub workflow.

(I don't know exactly how those 2 tools work...)

Of course we can also decide not to use those ones and instead use some classic ones:

Those last ones could probably be integrated in our Maven build, but with those we will not get scorecard points.

@sbernard31
Contributor Author

@jvermillard @JaroslawLegierski @netomi any opinion ? 🙏

@netomi

netomi commented Feb 18, 2025

I would start with CodeQL and see if it produces useful results.
It's nicely integrated into the GitHub platform and relatively easy to set up.

If you go to the configuration tab and security you can setup a workflow from there for your project.

The other options are also pretty good imho, but integration with GitHub might be a bit more work.

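For reference, this is what the CodeQL route netomi describes looks like as a workflow file. It is an added example, not a workflow from the Leshan project: the branch name, the JDK version and the file name are assumptions, and the `github/codeql-action` steps are exactly the marker the OpenSSF scorecard SAST check looks for in a workflow.

```yaml
# .github/workflows/codeql.yml  (added example, not Leshan's own workflow)
name: CodeQL

on:
  push:
    branches: [ master ]        # assumption: the project's default branch name
  pull_request:
    branches: [ master ]
  schedule:
    - cron: '0 6 * * 1'         # weekly scan so new queries surface findings without a PR

permissions:
  contents: read
  security-events: write        # required to upload SARIF results to GitHub code scanning

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'    # assumption: use the JDK the project actually builds with

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: java
          queries: security-extended   # broader security query suite than the default

      # Build so CodeQL observes the compiled sources; tests are skipped to keep the scan fast
      - name: Build with Maven
        run: mvn -B -DskipTests package

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
```

Findings land in the repository's Security > Code scanning tab; the `pull_request` trigger makes new alerts show up on the PR that introduces them, which is where they are cheapest to fix.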
@sbernard31
Contributor Author

sbernard31 commented Feb 19, 2025

CodeQL seems easy to set up, but it is not open source at all, just "free" for open source projects.
Also this tool is only available on GitHub, which is a kind of vendor lock-in move.

Maybe I'm wrong but I do not like the idea so much...
I see I'm not the only one who worries about that: https://forum.riot-os.org/t/assessing-codeql-from-a-free-software-point-of-view/3431

@sbernard31
Contributor Author

sbernard31 commented Feb 20, 2025

I will give it a try with Sonar because:

  1. no vendor lock-in, unlike CodeQL
  2. should be detected by the OpenSSF scorecard and so will give some points.
  3. integration with GitHub / Maven / Jenkins / GitLab / Eclipse / Visual Studio Code.
  4. Sonar IDE integration and SonarQube Community Build are open source.
  5. SonarCloud is not open source 😢 but is free to analyze your open source projects with access to all the features.

I'm asking myself if there is a SonarQube Community Build instance hosted by the Eclipse Foundation 🤔
It seems that was true in the past but it is shut down now and SonarCloud should be used.
@netomi can you confirm that?

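The SonarCloud route discussed above, as an added example workflow that is not part of the Leshan project: it runs the analysis through the Sonar Maven plugin, which is the Maven integration point mentioned in the list. The organization key, project key, branch name and JDK version are placeholders or assumptions to be replaced with the values SonarCloud shows once the organisation is registered.

```yaml
# .github/workflows/sonar.yml  (added example, not Leshan's own workflow)
name: SonarCloud

on:
  push:
    branches: [ master ]        # assumption: the project's default branch name
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  sonar:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0        # full history: SonarCloud needs it for blame and new-code detection

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'    # assumption: use the JDK the project actually builds with

      - name: Cache SonarCloud packages
        uses: actions/cache@v4
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar

      - name: Build and analyze
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # lets SonarCloud decorate pull requests
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}     # analysis token kept as a repo secret, never in the file
        run: >
          mvn -B verify
          org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
          -Dsonar.host.url=https://sonarcloud.io
          -Dsonar.organization=ORG_KEY_PLACEHOLDER
          -Dsonar.projectKey=PROJECT_KEY_PLACEHOLDER
```

The analysis runs after `verify` so that test and coverage reports exist when the scanner uploads; on pull requests the SonarCloud app then posts its check run on the PR, which is the signal the scorecard SAST check looks for in recently merged PRs.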
@sbernard31
Contributor Author

(I was not able to add the eclipse-leshan organisation to SonarCloud, so I created an Eclipse help desk issue.)
