ci: improve CodeQL workflow #497
Conversation
- Set new language `javascript-typescript` (see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#changing-the-languages-that-are-analyzed)
- Remove useless Node.js setup
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

Doesn't setting up Node.js and installing dependencies mean CodeQL can both check to ensure that our current dependencies don't have any vulnerabilities, as well as analyse bad patterns in their use?

I think we should rely on Dependabot alerts, not Code scanning alerts. If security issues were found by CodeQL, we couldn't fix them ourselves.
Certainly agree with you there, but doesn't CodeQL check to see that how the code from the dependencies is used in the application doesn't constitute a security issue-prone pattern? Or is this based off of a misunderstanding of mine? |
In my understanding, since CodeQL is a static analysis tool, it should not need library code. For example, if the following code using some library is insecure,

```js
import insecure from "insecure";
insecure("Dangerous!");
```

CodeQL should detect such a malicious code pattern without installing the library. I tried searching for dependency installation examples in CodeQL's actual use cases, but I couldn't find them.
All I could find is some information on installing Python dependencies before running CodeQL, but I can't find anything either that applies to a TS/JS environment. |
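For reference, a minimal workflow of the shape the PR description and the discussion above describe: the `javascript-typescript` language identifier and no Node.js setup or dependency install before the scan. This is an added example, not the repository's own workflow (the diff is not shown on this page); the workflow name, triggers, branch name, job name and action versions are assumptions.

```yaml
# Added example, not this repository's workflow file. Triggers, branch name,
# job name and action versions are assumptions.
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read
  security-events: write   # needed to upload results to code scanning

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # No actions/setup-node and no `npm ci` here: the JavaScript/TypeScript
      # extractor works from the checked-out sources, so third-party packages
      # do not need to be installed for the analysis to run.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          # `javascript-typescript` is the current identifier and covers both
          # .js and .ts sources (the older `javascript` name is still accepted).
          languages: javascript-typescript

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
```

Note that this scan reports insecure patterns in the project's own code; it does not report known-vulnerable dependency versions, which is what Dependabot alerts cover, as the maintainer's comment above points out.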
LGTM