Modernize qlpacks and update to CodeQL 2.8.5

[jketema]

Description

(Note that this PR targets the next branch, which is used by the CI for CodeQL to detect changes that break github/codeql-coding-standards. These changes should eventually be merged to main, but that should not happen until we are ready to update to the required toolset.)

This PR updates the qlpacks and related files to use CodeQL packaging to declare and resolve dependencies. Neither the codeql_modules submodule nor the codeql_home/codeql-stdlib checkout of github/codeql are required anymore. The necessary dependencies can be installed by running python3 scripts/install-packs.yml. This need only be run when we update to a new standard library version, but it doesn't hurt to run it after every pull.

None of the codeql commands we run should require --search-path or --additional-packs any longer. References within our repo are resolved automatically because all of our packs are in the same "CodeQL Workspace" (defined by our .codeqlmanifest.json file. References to the standard library are resolved from the package download cache.

Details:

• Adds codeql/ scope to all pack names, which is necessary to publish packs to the pack registry. Note that we don't actually publish to the package registry yet.
• Uses dependencies: map instead of libraryPathDependencies: list. The '*' version indicates that the referenced pack will be found in the local workspace, rather than downloaded from the registry.
• Folds the .codeqlmanifest.json in the cpp directory into the root .codeqlmanifest.json. All pack references should resolve automatically now, without a need for --search-path
• Adds .codeql directories to .gitignore. .codeql is where the output of building a query or library pack is placed.
• Removes --search-path and --additional-packs from all of our CI workflows.
• Adds a new composite Action to install the standard library dependencies.
• Adds a new workflow to validate that the actual standard library dependencies specified in the various qlpack.yml files match the versions in the github/codeql commit specified in supported_codeql_configs.json. The script used by this workflow will also be used, in a future PR, in the workflow to update to a new toolset version.
• Updates the supported toolset to 2.8.5. The 2.7.6 release that we were already on has a blocking bug in the C++ standard library pack.
• Fixes a test expectation file based on changes in the set of reported paths for one path-problem query due to changes in the standard dataflow library.
• Updates the developer handbook with the necessary information.

Change request type

• Release or process automation (GitHub workflows, internal scripts)
• Internal documentation
• External documentation
• Query files (.ql, .qll, .qls or unit tests)
• External scripts (analysis report or other code shipped as part of a release)

Rules with added or modified queries

• No rules added
• Queries have been added for the following rules:
  • rule number here
• Queries have been modified for the following rules:
  • rule number here

Release change checklist

A change note (development_handbook.md#change-notes) is required for any pull request which modifies:

• The structure or layout of the release artifacts.
• The evaluation performance (memory, execution time) of an existing query.
• The results of an existing query in any circumstance.

If you are only adding new rule queries, a change note is not required.

Author: Is a change note required?

• Yes
• No

Reviewer: Confirm that either a change note is not required or the change note is required and has been added.

• Confirmed

Query development review checklist

For PRs that add new queries or modify existing queries, the following checklist should be completed by both the author and reviewer:

Author

• Have all the relevant rule package description files been checked in?
• Have you verified that the metadata properties of each new query is set appropriately?
• Do all the unit tests contain both "COMPLIANT" and "NON_COMPLIANT" cases?
• Are the alert messages properly formatted and consistent with the style guide?
• Have you run the queries on OpenPilot and verified that the performance and results are acceptable?
  As a rule of thumb, predicates specific to the query should take no more than 1 minute, and for simple queries be under 10 seconds. If this is not the case, this should be highlighted and agreed in the code review process.
• Does the query have an appropriate level of in-query comments/documentation?
• Have you considered/identified possible edge cases?
• Does the query not reinvent features in the standard library?
• Can the query be simplified further (not golfed!)

Reviewer

• Have all the relevant rule package description files been checked in?
• Have you verified that the metadata properties of each new query is set appropriately?
• Do all the unit tests contain both "COMPLIANT" and "NON_COMPLIANT" cases?
• Are the alert messages properly formatted and consistent with the style guide?
• Have you run the queries on OpenPilot and verified that the performance and results are acceptable?
  As a rule of thumb, predicates specific to the query should take no more than 1 minute, and for simple queries be under 10 seconds. If this is not the case, this should be highlighted and agreed in the code review process.
• Does the query have an appropriate level of in-query comments/documentation?
• Have you considered/identified possible edge cases?
• Does the query not reinvent features in the standard library?
• Can the query be simplified further (not golfed!)

[rvermeulen]

Looks good. We started to standardize our workflow and Python scripts on 3.9, so I made a few suggestion to make that explicit.

[rvermeulen]

Suggested change

	steps:
	- name: Install CodeQL library packs
	steps:
	- name: Install Python
	uses: actions/setup-python@v4
	with:
	python-version: "3.9"
	- name: Install CodeQL library packs

We are standardizing on Python 3.9 for all our workflows and scripts to ensure that we are compliant with the requirements in our user manual.

[jketema]

This makes the file non-parsable. I also think this is covered by the installation of python in the workflow files.

[jketema]

https://github.com/github/codeql-coding-standards/runs/7362437649?check_suite_focus=true#step:6:2

[rvermeulen]

Your are probably right that the using workflow has already setup the correct version. In that case we can ignore my suggestion for the action.

[rvermeulen]

LGTM

[rvermeulen]

The failing check has been made optional in main. So if you merge that back into jketema:modernize-packs it should pass.

[jketema]

The failing check has been made optional in main. So if you merge that back into jketema:modernize-packs it should pass.

Done.

[jketema]

The failing check has been made optional in main. So if you merge that back into jketema:modernize-packs it should pass.

Done.

Slightly backtracked on this to keep the PR "clean" for prosperity. Since next was just behind main I simply moved next up to the head of main and rebased.