
codeql: add security-extended query suite - v2 #10259

Closed

Conversation

0xEniola
Contributor

Add the CodeQL security-extended suite to the CodeQL workflow configuration.

The security-extended query suite consists of all the queries in the default query suite, with the addition of queries with slightly lower precision and severity, although relative to the default query suite, the security-extended suite may return a greater number of false positive code scanning results.

It will allow us to catch likely flaws in the codebase that we may have missed during development, and flaws that are not checked for with the default suite, hence allowing for greater hardening of Suricata and eradicating potential threats.

Previous PR: #10258

  • Incorporate previous PR; modify commit message.

Add the CodeQL security-extended suite to
the CodeQL workflow configuration.
@0xEniola 0xEniola requested a review from jasonish as a code owner January 26, 2024 09:46

codecov bot commented Jan 26, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (c3b3c11) 82.28% compared to head (75e2da1) 82.28%.

@@            Coverage Diff             @@
##           master   #10259      +/-   ##
==========================================
- Coverage   82.28%   82.28%   -0.01%     
==========================================
  Files         977      977              
  Lines      271950   271950              
==========================================
- Hits       223784   223767      -17     
- Misses      48166    48183      +17     
Flag Coverage Δ
fuzzcorpus 63.39% <ø> (-0.01%) ⬇️
suricata-verify 61.50% <ø> (-0.03%) ⬇️
unittests 62.82% <ø> (ø)


Contributor

@catenacyber catenacyber left a comment


Looks good to me.

Going from 52 to 87 queries if I get the logs from the runners right, with additions like NonConstantFormat.

I do not know if we need a ticket for such a QA improvement...

@0xEniola
Contributor Author

> Looks good to me.
>
> Going from 52 to 87 queries if I get the logs from the runners right, with additions like NonConstantFormat.
>
> I do not know if we need a ticket for such a QA improvement...

So, to close the opened ticket?

@catenacyber
Contributor

This is a question for us, not for you Daniel :-)

@0xEniola
Contributor Author

> This is a question for us, not for you Daniel :-)

Oh 😅.

Understood. So, to add this PR as a note to the ticket I created, like you said, right?

@jufajardini
Contributor

> This is a question for us, not for you Daniel :-)
>
> Oh 😅.
>
> Understood. So, to add this PR as a note to the ticket I created, like you said, right?

Can be a good idea :)

@0xEniola
Contributor Author

0xEniola commented Feb 7, 2024

List of Queries present in the security-extended query suite.

  • Array offset used before range check: CWE-120, 125
  • Authentication bypass by spoofing: CWE-290
  • Certificate not checked: CWE-295
  • Certificate result conflation: CWE-295
  • Cleartext storage of sensitive information in an SQLite database: CWE-313
  • Cleartext storage of sensitive information in buffer: CWE-312
  • Comma before misleading indentation: CWE-1078, 670
  • File created without restricting permissions: CWE-732
  • Incorrect 'not' operator usage: CWE-480
  • Incorrect allocation-error handling: CWE-570, 252, 755
  • Invalid pointer dereference: CWE-119, 125, 193, 787
  • Missing return-value check for a 'scanf'-like function: CWE-252, 253
  • Non-constant format string: CWE-134
  • Not enough memory allocated for array of pointer type: CWE-131, 122
  • Not enough memory allocated for pointer type: CWE-131, 122
  • NULL application name with an unquoted path in call to CreateProcess: CWE-428
  • Overflow in uncontrolled allocation size: CWE-190, 789
  • Overrunning write: CWE-119, 131
  • Possibly wrong buffer size in string copy: CWE-676, 119, 251
  • Potential exposure of sensitive system data to an unauthorized control sphere: CWE-497
  • Potentially overrunning write: CWE-120, 787, 805
  • Potentially overrunning write with float to string conversion: CWE-120, 787, 805
  • Potentially uninitialized local variable: CWE-665, 457
  • Potentially unsafe call to strncat: CWE-788, 676, 119, 251
  • Potentially unsafe use of strcat: CWE-676, 120, 251
  • Suspicious 'sizeof' use: CWE-467
  • Suspicious pointer scaling: CWE-468
  • Suspicious pointer scaling to void: CWE-468
  • Unbounded write: CWE-120, 787, 805
  • Uncontrolled data used in path expression: CWE-022, 023, 036, 073
  • Uncontrolled process operation: CWE-114
  • Unsigned difference expression compared to zero: CWE-191
  • Unterminated variadic call: CWE-121
  • Untrusted input for a condition: CWE-807
  • Use of potentially dangerous function: CWE-676
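
As an added illustration (not code from this PR or from Suricata) of what the "Non-constant format string" query (CWE-134) named in the list above and in the reviewer's comment reports, here a small logging helper is shown in the form the query flags and in the hardened form; all function names are assumed for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Pattern the security-extended "Non-constant format string" query
 * (CWE-134) reports: a string that came from the caller is used as the
 * format itself, so any %-directives inside it are interpreted. */
static int log_unsafe(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, msg);   /* msg could carry %s, %x, %n */
}

/* Hardened form: the format is a string literal and the untrusted text is
 * passed as a "%s" argument, so its contents are copied, never parsed. */
static int log_safe(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, "%s", msg);
}

/* Variadic wrapper with a format attribute: the compiler then checks
 * argument types at each call site, and CodeQL still flags any call
 * that passes a non-literal fmt. */
static int log_fmt(char *out, size_t outlen, const char *fmt, ...)
    __attribute__((format(printf, 3, 4)));
static int log_fmt(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Constructed input standing in for data a user could control.
 * Returns 1 when the safe helper reproduced it byte for byte, i.e. the
 * directives were emitted literally instead of being interpreted. */
int format_preserved(void)
{
    const char *hostile = "user: %s %x %n";
    char buf[64];
    log_safe(buf, sizeof buf, hostile);
    return strcmp(buf, hostile) == 0;
}

/* The unsafe helper behaves identically only while the input has no
 * '%' in it, which is why the defect is easy to miss in testing. */
int unsafe_matches_on_benign_input(void)
{
    char a[32], b[32];
    log_unsafe(a, sizeof a, "plain text");
    log_safe(b, sizeof b, "plain text");
    return strcmp(a, b) == 0;
}
```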

@victorjulien victorjulien added this to the 8.0 milestone Feb 14, 2024
@victorjulien
Member

Merged in #10413, thanks!
