Blue-teaming for Exiv2: adding custom CodeQL queries to code scanning
Blog post from GitHub
The blog post, part of a series on hardening the Exiv2 project, describes enabling GitHub's code scanning, which runs CodeQL against the codebase to flag potential vulnerabilities on every push and pull request. The Exiv2 team went beyond the default query suite by writing custom CodeQL queries tailored to the project's own coding patterns. The post works through one such query in detail: it finds calls to `std::vector::operator[]` whose index is not checked against the vector's size. Because `operator[]` performs no bounds check (unlike `std::vector::at()`), an unchecked index read from untrusted input can become an out-of-bounds read or write. The author then refines the query to cut false positives by recognising the bounds-checking idioms Exiv2 already uses, and argues that a query tuned to a single codebase can be made far more precise than a generic one, so that the resulting alerts point at real problems and do not demand unnecessary code changes. Detailed examples and strategies for improving query precision illustrate these points.
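The following CodeQL query is an added illustration of the approach the post describes; it is not the query from the blog post or from the Exiv2 repository. It flags every `v[i]` on a `std::vector` unless, on the path to that expression, a guard of the form `i < v.size()` (or an equivalent comparison) has been established. The class names, the query id and the use of `GuardCondition` plus global value numbering as the way to recognise the "check size first" idiom are choices made for this example.

```ql
/**
 * @name Unchecked std::vector index (illustrative example)
 * @description Flags calls to std::vector::operator[] whose index is not
 *              guarded by a comparison against the vector's size().
 * @kind problem
 * @problem.severity warning
 * @id cpp/example/unchecked-vector-index
 */

import cpp
import semmle.code.cpp.controlflow.Guards
import semmle.code.cpp.valuenumbering.GlobalValueNumbering

/** A call to `std::vector<T>::operator[]`, i.e. an expression of the form `v[i]`. */
class VectorIndexCall extends FunctionCall {
  VectorIndexCall() { this.getTarget().hasQualifiedName("std", "vector", "operator[]") }

  /** The vector being indexed (`v` in `v[i]`). */
  Expr getVector() { result = this.getQualifier() }

  /** The index expression (`i` in `v[i]`). */
  Expr getIndex() { result = this.getArgument(0) }
}

/** A call to `std::vector<T>::size()`. */
class VectorSizeCall extends FunctionCall {
  VectorSizeCall() { this.getTarget().hasQualifiedName("std", "vector", "size") }
}

/**
 * Holds if the index of `call` is known to be less than the size of the
 * same vector at the point of the call, because a dominating guard such as
 * `if (i < v.size())` or a loop condition `i < v.size()` established it.
 * Value numbering lets the guard use a different occurrence of `i` and `v`
 * than the indexing expression itself.
 */
predicate guardedBySize(VectorIndexCall call) {
  exists(GuardCondition guard, Expr idx, VectorSizeCall size |
    globalValueNumber(idx) = globalValueNumber(call.getIndex()) and
    globalValueNumber(size.getQualifier()) = globalValueNumber(call.getVector()) and
    // idx < size + 0 holds in the basic block containing the call
    guard.ensuresLt(idx, size, 0, call.getBasicBlock(), true)
  )
}

from VectorIndexCall call
where not guardedBySize(call)
select call,
  "Index $@ is not checked against the vector's size before this operator[] call.",
  call.getIndex(), "expression"
```

The recognised idiom covers both an explicit `if (i < v.size())` and the classic `for (size_t i = 0; i < v.size(); ++i)` loop, since the loop condition is a guard for the loop body. Anything the guard logic cannot see, for example a check performed in a helper function or a check expressed as `i <= v.size() - 1`, will still be reported, which is exactly the kind of project-specific idiom that a second round of refinement would add once real alerts show it to be common.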