chore: add blackduck scan and enhance codeql (#117)

<!-- markdownlint-disable MD041 -->
#### What this PR does / why we need it
add blackduck scan and enhance codeql

.github/workflows/blackduck_scan.yaml

@@ -0,0 +1,80 @@
+name: Blackduck SCA Scan
+on:
+  #push:
+  #  branches: [ "main" ]
+  #pull_request:
+  #  branches: [ "main" ]
+  schedule:
+    - cron:  '5 0 * * 0'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  checks: write
+
+jobs:
+  build:
+    runs-on: [ ubuntu-latest ]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: '${{ github.workspace }}/go.mod'
+          cache: false
+
+      - name: Get go environment for use with cache
+        run: |
+          echo "go_cache=$(go env GOCACHE)" >> $GITHUB_ENV
+          echo "go_modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
+      # This step will only reuse the go mod and build cache from main made during the Build,
+      # see push_ocm.yaml => "ocm-cli-latest" Job
+      # This means it never caches by itself and PRs cannot cause cache pollution / thrashing
+      # This is because we have huge storage requirements for our cache because of the mass of dependencies
+
+      - name: Restore / Reuse Cache from central build
+        id: cache-golang-restore
+        uses: actions/cache/restore@v4 # Only Restore, not build another cache (too big)
+        with:
+          path: |
+            ${{ env.go_cache }}
+            ${{ env.go_modcache }}
+          key: ${{ env.cache_name }}-${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-${{ hashFiles('**/go.mod') }}
+          restore-keys: |
+            ${{ env.cache_name }}-${{ runner.os }}-go-
+        env:
+          cache_name: ocm-cli-latest-go-cache # needs to be the same key in the end as in the build step
+
+      - name: Run Black Duck Full SCA Scan (Manual Trigger and Scheduled)
+        if: github.event_name == 'workflow_dispatch' || github.event_name == 'schedule'
+        uses: blackduck-inc/black-duck-security-scan@v2.0.0
+        env:
+          DETECT_PROJECT_USER_GROUPS: opencomponentmodel
+          DETECT_PROJECT_VERSION_DISTRIBUTION: opensource
+          DETECT_SOURCE_PATH: ./
+          DETECT_EXCLUDED_DIRECTORIES: .bridge
+          DETECT_BLACKDUCK_SIGNATURE_SCANNER_ARGUMENTS: '--min-scan-interval=0'
+          NODE_TLS_REJECT_UNAUTHORIZED: true
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          blackducksca_url: ${{ secrets.BLACKDUCK_URL }}
+          blackducksca_token: ${{ secrets.BLACKDUCK_API_TOKEN }}
+          blackducksca_scan_full: true
+
+      - name: Run Black Duck SCA Scan (Pull Request or Push)
+        if: github.event_name != 'workflow_dispatch'
+            # The action sets blackducksca_scan_full internally: for pushes to true and PRs to false
+        uses: blackduck-inc/black-duck-security-scan@v2.0.0
+        env:
+          DETECT_PROJECT_USER_GROUPS: opencomponentmodel
+          DETECT_PROJECT_VERSION_DISTRIBUTION: opensource
+          DETECT_SOURCE_PATH: ./
+          DETECT_EXCLUDED_DIRECTORIES: .bridge
+          NODE_TLS_REJECT_UNAUTHORIZED: true
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          blackducksca_url: ${{ secrets.BLACKDUCK_URL }}
+          blackducksca_token: ${{ secrets.BLACKDUCK_API_TOKEN }}
+          blackducksca_prComment_enabled: true

.github/workflows/codeql.yml

@@ -74,6 +74,7 @@ jobs:
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
+          queries: security-extended # as recommended by SAP Security
           # If you wish to specify custom queries, you can do so here or in a config file.
           # By default, queries listed here will override any specified in a config file.
           # Prefix the list here with "+" to use these queries and those in the config file.