Enable CodeQL scanning for all the OFBiz repositories

> Hi team,
>
> I think we can enable the code scanning security feature for all the OFBiz
> repositories available with GitHub that helps identifying security
> vulnerabilities using CodeQL.
>
> https://github.com/apache/ofbiz-framework/security/code-scanning
> https://securitylab.github.com/tools/codeql
>
> Citation from
> https://www.infoworld.com/article/3453742/github-makes-codeql-free-for-research-and-open-source.html
> :
> *"CodeQL, a semantic code analysis engine and query tool for finding
> security vulnerabilities across a codebase, has been made available for
> free by GitHub for anyone to use in research or to analyze open source
> code."*
>
> If no one is against it, I will move ahead with it.
>
> Thanks and Regards,
> Aditya Sharma

> Hi Aditya,
>
> We (I at least) receive already security alerts for our website code. It
> notably leaded to https://gitbox.apache.org/repos/asf?p=ofbiz-site.git
>
> As long are we are able to restrict the alerts sending to committers, it's
> OK with me. I'd not like other people to receive zero days information...
>
> Thanks
>
> Jacques
>
> Le 02/10/2020 à 15:06, Aditya Sharma a écrit :
> > Hi team,
> >
> > I think we can enable the code scanning security feature for all the
> OFBiz
> > repositories available with GitHub that helps identifying security
> > vulnerabilities using CodeQL.
> >
> > https://github.com/apache/ofbiz-framework/security/code-scanning
> > https://securitylab.github.com/tools/codeql
> >
> > Citation from
> >
> https://www.infoworld.com/article/3453742/github-makes-codeql-free-for-research-and-open-source.html
> > :
> > *"CodeQL, a semantic code analysis engine and query tool for finding
> > security vulnerabilities across a codebase, has been made available for
> > free by GitHub for anyone to use in research or to analyze open source
> > code."*
> >
> > If no one is against it, I will move ahead with it.
> >
> > Thanks and Regards,
> > Aditya Sharma
>
>

> That makes sense Jacques. It is critical.
>
> I tried with one of my repositories and found that Code scanning alerts
> under Security are only visible to people with write access i.e.
> Committers.
>
> Citation from article Managing code scanning alerts for your repository[1]
>
> *"Anyone with read permission for a repository can see code scanning alerts
> on pull requests. However, you need write permission to view a summary of
> alerts for repository on the Security tab."*
> Though I will spend some more time checking its behavior with other
> scenarios like PR.
>
> 1.
> https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-code-scanning-alerts-for-your-repository#viewing-an-alert
>
> Thanks and Regards,
> Aditya Sharma
>
> On Fri, Oct 2, 2020 at 10:19 PM Jacques Le Roux <
> [hidden email]> wrote:
>
>> Hi Aditya,
>>
>> We (I at least) receive already security alerts for our website code. It
>> notably leaded to https://gitbox.apache.org/repos/asf?p=ofbiz-site.git
>>
>> As long are we are able to restrict the alerts sending to committers, it's
>> OK with me. I'd not like other people to receive zero days information...
>>
>> Thanks
>>
>> Jacques
>>
>> Le 02/10/2020 à 15:06, Aditya Sharma a écrit :
>>> Hi team,
>>>
>>> I think we can enable the code scanning security feature for all the
>> OFBiz
>>> repositories available with GitHub that helps identifying security
>>> vulnerabilities using CodeQL.
>>>
>>> https://github.com/apache/ofbiz-framework/security/code-scanning
>>> https://securitylab.github.com/tools/codeql
>>>
>>> Citation from
>>>
>> https://www.infoworld.com/article/3453742/github-makes-codeql-free-for-research-and-open-source.html
>>> :
>>> *"CodeQL, a semantic code analysis engine and query tool for finding
>>> security vulnerabilities across a codebase, has been made available for
>>> free by GitHub for anyone to use in research or to analyze open source
>>> code."*
>>>
>>> If no one is against it, I will move ahead with it.
>>>
>>> Thanks and Regards,
>>> Aditya Sharma
>>