Install codeql in s-core-devcontainer

src/s-core-devcontainer/.devcontainer/devcontainer.json

@@ -69,7 +69,8 @@
                 "swyddfa.esbonio", // for Sphinx documentation support
                 "rust-lang.rust-analyzer", // Rust language support for Visual Studio Code; see also tasks below
                 "github.vscode-pull-request-github", // GitHub integration
-                "bierner.markdown-preview-github-styles" // GitHub style for Markdown preview
+                "bierner.markdown-preview-github-styles", // GitHub style for Markdown preview
+                "ms-sarifvscode.sarif-viewer"   // CodeQL report viewer
             ],
             "settings": {
                 "files.insertFinalNewline": true,
@@ -90,6 +91,10 @@
                     "--experimental_use_code_flow_analysis",
                     "--experimental_enable_label_completions"
                 ],
+                // we are NOT installing the codeql extension, because this is only needed for codeql rule development,
+                // but just in case someone wants to use it, we preconfigure it here
+                "codeQL.runningQueries.numberOfThreads": 0, // use all available threads, I can't believe this is not the default
+                "codeQl.cli.executablePath": "$CODEQL_HOME/codeql",
                 "C_Cpp.intelliSenseEngine": "disabled",
                 // This only supports basic tests: https://github.com/matepek/vscode-catch2-test-adapter/issues/429
                 // More complex tests may need execution via bazel, which is not done yet.

src/s-core-devcontainer/.devcontainer/s-core-local/install.sh

@@ -17,6 +17,9 @@ DEBIAN_FRONTEND=noninteractive
 # Read tool versions + metadata into environment variables
 . /devcontainer/features/s-core-local/versions.sh /devcontainer/features/s-core-local/versions.yaml
 
+ARCHITECTURE=$(dpkg --print-architecture)
+KERNEL=$(uname -s)
+
 apt-get update
 
 # Unminimize the image to include standard packages like man pages
@@ -66,13 +69,45 @@ apt-get install -y gdb="${gdb_version}*"
 
 apt-get install -y valgrind="1:${valgrind_version}*"
 
+# CodeQL
+apt-get install -y zstd
+if [ "${ARCHITECTURE}" = "amd64" ]; then
+    VARIANT=linux64
+    SHA256SUM="${codeql_amd64_sha256}"
+elif [ "${ARCHITECTURE}" = "arm64" ]; then
+    if [ "${KERNEL}" = "Darwin" ]; then
+        VARIANT=osx64
+        SHA256SUM="${codeql_arm64_sha256}"
+    else
+        echo "CodeQl unsupported architecture/os: ${ARCHITECTURE} on ${KERNEL}, skipping installation"
+        VARIANT=noinstall
+    fi
+else
+    echo "Unsupported architecture: ${ARCHITECTURE} for CodeQL"
+    exit 1
+fi
+
+if [ "${VARIANT}" != "noinstall" ]; then
+    curl -L "https://github.com/github/codeql-action/releases/download/codeql-bundle-v${codeql_version}/codeql-bundle-${VARIANT}.tar.zst" -o /tmp/codeql.tar.zst
+    echo "${SHA256SUM} /tmp/codeql.tar.zst" | sha256sum -c - || exit 1
+    tar -I zstd -xf /tmp/codeql.tar.zst -C /usr/local
+    ln -s /usr/local/codeql/codeql /usr/local/bin/codeql
+    rm /tmp/codeql.tar.zst
+    echo "export CODEQL_HOME=/usr/local/codeql" > /etc/profile.d/codeql.sh
+
+    codeql pack download codeql/misra-cpp-coding-standards@${codeql_coding_standards_version} -d /usr/local/codeql/qlpacks/
+    codeql pack download codeql/misra-c-coding-standards@${codeql_coding_standards_version} -d /usr/local/codeql/qlpacks/
+    codeql pack download codeql/cert-cpp-coding-standards@${codeql_coding_standards_version} -d /usr/local/codeql/qlpacks/
+    codeql pack download codeql/cert-c-coding-standards@${codeql_coding_standards_version} -d /usr/local/codeql/qlpacks/
+fi
+
 # Bash completion for rust tooling
 rustup completions bash rustup >> /etc/bash_completion.d/rustup.bash
 rustup completions bash cargo >> /etc/bash_completion.d/cargo.bash
 
 # Cleanup
 # REMOVE CONTAINER BUILD DEPENDENCIES
-apt-get remove --purge -y apt-transport-https
+apt-get remove --purge -y apt-transport-https zstd
 apt-get autoremove -y
 apt-get clean
 rm -rf /var/lib/apt/lists/*

src/s-core-devcontainer/.devcontainer/s-core-local/tests/test_default.sh

@@ -1,6 +1,9 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
+ARCHITECTURE=$(dpkg --print-architecture)
+KERNEL=$(uname -s)
+
 # Read tool versions + metadata into environment variables
 . /devcontainer/features/s-core-local/versions.sh /devcontainer/features/s-core-local/versions.yaml
 
@@ -40,6 +43,9 @@ check "validate JAVA_HOME is set correctly" bash -c "echo ${JAVA_HOME} | xargs r
 check "validate gdb is working and has the correct version" bash -c "gdb --version | grep '${gdb_version}'"
 check "validate gh is working and has the correct version" bash -c "gh --version | grep '${gh_version}'"
 check "validate valgrind is working and has the correct version" bash -c "valgrind --version | grep '${valgrind_version}'"
+if [ "${ARCHITECTURE}" = "amd64" ] || { [ "${ARCHITECTURE}" = "arm64" ] && [ "${KERNEL}" = "Darwin" ]; }; then
+    check "validate codeql is working and has the correct version" bash -c "codeql --version | grep '${codeql_version}'"
+fi
 
 # Qemu target-related tools
 check "validate qemu-system-aarch64 is working and has the correct version" bash -c "qemu-system-aarch64 --version | grep '${qemu_system_arm_version}'"

src/s-core-devcontainer/.devcontainer/s-core-local/versions.yaml

@@ -32,5 +32,18 @@ openjdk_21:
 shellcheck:
   version: 0.9.0
 
+codeql:
+  # the coding_standards_version below dictates the codeql version
+  version: 2.21.4
+  amd64:
+    # see https://github.com/github/codeql-action/releases/download/codeql-bundle-v${codeql_version}/codeql-bundle-linux64.tar.zst.checksum.txt
+    sha256: 6da9f3df228d4e162af877569240a627c1af22f6adbd26352b22357fb8bd7545
+  arm64:
+    # see https://github.com/github/codeql-action/releases/download/codeql-bundle-v${codeql_version}/codeql-bundle-osx64.tar.zst.checksum.txt
+    sha256: 810a1fff48aeb081be754e46e255edd90d8695966e78431a65edb00e9e6cc399
+
+codeql_coding_standards:
+  version: 2.54.0
+
 valgrind:
   version: 3.22.0