
add codeql #2856

Closed
Jim8y wants to merge 8 commits into neo-project:master from Jim8y:add-codeql

Conversation

@Jim8y
Contributor

@Jim8y Jim8y commented Mar 27, 2023

@github-advanced-security

You have successfully added a new CodeQL configuration /language:csharp. As part of the setup process, we have scanned this repository and found 2 existing alerts. Please check the repository Security tab to see all alerts.

@erikzhang
Member

Can you explain more about CodeQL?

@steven1227
Member

Can you explain more about CodeQL?

A code analysis tool provided by GitHub? See this.

@Jim8y
Contributor Author

Jim8y commented Mar 29, 2023

Can you explain more about CodeQL?

CodeQL is the code analysis engine developed by GitHub to automate security checks. You can analyze your code using CodeQL and display the results as code scanning alerts.

There are three main ways to use CodeQL analysis for code scanning:

  • Use default setup to automatically configure CodeQL analysis for code scanning on your repository. The default setup chooses the languages to analyze, query suites to run, and events that trigger scans, then displays a summary of the analysis settings. After you enable CodeQL, GitHub Actions will execute workflow runs to scan your code. For more information, see "Configuring code scanning for a repository."

  • Use advanced setup to add the CodeQL workflow to your repository. This generates a customizable workflow file which uses the github/codeql-action to run the CodeQL CLI. For more information, see "Configuring code scanning for a repository."

  • Run the CodeQL CLI directly in an external CI system and upload the results to GitHub. For more information, see "About CodeQL code scanning in your CI system."

@vncoelho
Member

vncoelho commented Apr 9, 2023

@Liaojinghui, I checked the logs and asked to re-run the job.
However, I did not get any analysis from it yet; what is the expected flow?
Perhaps we will need to create specific flows for analysis, right?

@Jim8y
Contributor Author

Jim8y commented Apr 9, 2023

@Liaojinghui, I checked the logs and asked to re-run the job. However, I did not get any analysis from it yet; what is the expected flow? Perhaps we will need to create specific flows for analysis, right?

For most projects, this file is standard and by default, no change or configuration is required.
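As an added illustration of the "advanced setup" path described earlier in this thread (this is not the workflow file from this PR, whose contents are not shown here), a CodeQL workflow for a C# repository using github/codeql-action typically looks like the following. The action versions, the .NET SDK version and the cron schedule are assumptions; the `/language:csharp` category matches the one the github-advanced-security bot reported above.

```yaml
name: "CodeQL"

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]
  schedule:
    - cron: '0 6 * * 1'   # assumed: weekly scan, Monday 06:00 UTC

# Least privilege for the GITHUB_TOKEN: read the code, write only code-scanning results.
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze (csharp)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '7.0.x'   # assumed; match the project's target framework

      # The init step starts CodeQL's build tracer; the build must run after it
      # so that the compiled C# is captured into the database.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: csharp
          queries: security-extended   # optional: broader suite than the default

      - name: Build
        run: dotnet build --configuration Release

      # Uploads SARIF results; alerts then appear in the repository Security tab
      # and as a check/comment on pull requests.
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:csharp"
```

With this in place, each push or pull request against `master` produces a code-scanning run; new alerts introduced by a PR show up on the PR, while the full alert list (including pre-existing ones such as the two the bot mentioned) lives in the Security tab.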

@vncoelho
Member

@vncoelho vncoelho left a comment

@Liaojinghui, I was searching for the report. Then I saw that it becomes a comment here made by the GitHub bot.

Just checked it right now.

@vncoelho
Member

You have successfully added a new CodeQL configuration /language:csharp. As part of the setup process, we have scanned this repository and found 2 existing alerts. Please check the repository Security tab to see all alerts.

For the one currently reported, I think it is OK because ECB is not encrypted twice.

@Jim8y
Contributor Author

Jim8y commented Apr 10, 2023

@vncoelho Funny part, I cannot read the report, for security reasons.

@vncoelho
Member

ahueaheuaea, but currently the report is in our favor.
None for neo-node, and here it is just generic for ECB encryption.

"ECB should not be used as a mode for encryption. It has dangerous weaknesses. Data is encrypted the same way every time meaning the same plaintext input will always produce the same ciphertext. This makes encrypted messages vulnerable to replay attacks."
For the wallet src/Neo/Wallets/Wallet.cs and KeyPair.
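To show concretely what the CodeQL alert quoted above is about, here is an added C# example; it is not code from Neo's Wallet.cs or KeyPair, which are not shown in this thread. It encrypts two identical 16-byte plaintext blocks with AES in `CipherMode.ECB`, where the two ciphertext blocks come out identical (the determinism the alert describes), and then with AES-GCM under a fresh random nonce, where the same message encrypted twice yields different, authenticated output. The key and plaintext are constructed for the example, and it assumes .NET 8 or later for the `AesGcm` constructor that takes a tag size.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example (not Neo project code). Demonstrates the property behind the
// CodeQL ECB alert: with ECB, equal plaintext blocks produce equal ciphertext
// blocks under the same key, so structure in the plaintext leaks into the
// ciphertext. AES-GCM with a fresh nonce per message does not have this
// property and additionally authenticates the ciphertext.
public static class EcbVersusGcmDemo
{
    // Weak setting: AES in ECB mode. Each 16-byte block is encrypted independently.
    public static byte[] EncryptEcb(byte[] key, byte[] plaintext)
    {
        using var aes = Aes.Create();
        aes.Key = key;
        aes.Mode = CipherMode.ECB;
        aes.Padding = PaddingMode.None; // caller supplies a whole number of blocks
        using var encryptor = aes.CreateEncryptor();
        return encryptor.TransformFinalBlock(plaintext, 0, plaintext.Length);
    }

    // Hardened setting: AES-GCM with a random 12-byte nonce and 16-byte tag.
    // Output layout: nonce || ciphertext || tag (nonce must never repeat per key).
    public static byte[] EncryptGcm(byte[] key, byte[] plaintext)
    {
        byte[] nonce = RandomNumberGenerator.GetBytes(AesGcm.NonceByteSizes.MaxSize);
        byte[] ciphertext = new byte[plaintext.Length];
        byte[] tag = new byte[AesGcm.TagByteSizes.MaxSize];
        using var gcm = new AesGcm(key, tag.Length); // .NET 8+ constructor (assumed)
        gcm.Encrypt(nonce, plaintext, ciphertext, tag);
        return nonce.Concat(ciphertext).Concat(tag).ToArray();
    }

    // True when the 16-byte blocks at block indices i and j are byte-for-byte equal.
    public static bool BlocksEqual(byte[] data, int i, int j) =>
        data.Skip(i * 16).Take(16).SequenceEqual(data.Skip(j * 16).Take(16));

    public static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32); // AES-256 key, constructed

        // Constructed input: the same 16-byte block twice.
        byte[] block = Encoding.ASCII.GetBytes("same-block-16byt");
        byte[] plaintext = block.Concat(block).ToArray();

        byte[] ecb = EncryptEcb(key, plaintext);
        Console.WriteLine($"ECB: ciphertext block 0 equals block 1? {BlocksEqual(ecb, 0, 1)}");

        byte[] gcmFirst = EncryptGcm(key, plaintext);
        byte[] gcmSecond = EncryptGcm(key, plaintext);
        Console.WriteLine($"GCM: same message encrypted twice is identical? {gcmFirst.SequenceEqual(gcmSecond)}");
    }
}
```

The query is a pattern match on the mode, not a proof of exploitability: whether a particular ECB call is a problem depends on whether more than one block of related data is ever encrypted under the same key, which is the point vncoelho's triage above turns on. When reviewing such an alert, that is the question to answer and record in the dismissal reason.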

@Jim8y
Contributor Author

Jim8y commented May 29, 2023

@dotnet-policy-service agree

@Jim8y
Contributor Author

Jim8y commented Aug 29, 2023

@shargon Good to merge

@Jim8y Jim8y closed this by deleting the head repository Oct 2, 2023
5 participants