Run static code analysis on commits

[wbqpk3]

See the OpenSSF security test (#659).

{
      "details": [
        "Warn: 0 commits out of 23 are checked with a SAST tool",
        "Warn: CodeQL tool not detected"
      ],
      "score": 0,
      "reason": "SAST tool is not run on all commits -- score normalized to 0",
      "name": "SAST",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#sast",
        "short": "Determines if the project uses static code analysis."
      }
    }

[mcserep]

Enabled CodeQL with the default configuration for now, as described here:
https://docs.github.com/en/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning

Just to see what will it report at all, and also because I am not familiar with CodeQL's configuration options.
Bit excited what result will this produce 😄

[mcserep]

Okay, so that is not that easy as it seemed, the default automatic configuration did not work for the C++ and the Java sources, stating it could not figure out the proper build command, so it has to be configured manually.

[mcserep]

It found a JS issue in the old web GUI though, which could be checked:
https://github.com/Ericsson/CodeCompass/security/code-scanning/1

(I am not sure what permission level on the project is required to access the page above.)
(As I see, only users with administrator privilege can see these reports by default, and further users needed to be added manually. I will review this finding later then.)