[master] Better config for CodeQL analysis

[artem-smotrakov]

Updates:

• Set Java and Maven version in the LGTM config. For some reason, jobs on LGTM still fail because Maven Enforcer complains about Maven version. Maybe it's a bug in LGTM. To overcome this, -Denforcer.skip has been added to the build command. LGTM uses Maven 3.6.0 by default that works for EclipseLink.
• Updated the CodeQL workflow to analyse pull requests against all branches, not only master.

Java build passes with the updated config:

https://lgtm.com/logs/6866d0b9a7d8f2f98e882d4e5a0115c8d1efab85/lang:java

Fixes #1159

Signed-off-by: Artem Smotrakov artem.smotrakov@gmail.com

[lukasj]

keep only master; there are different configs needed for other versions (3.0 and 2.7 require Java SE 8 for build; CodeQL would be nice to have there; 2.6 (and older) should be completely excluded)

[artem-smotrakov]

Okay, I'll add configs for 3.0 and 2.7.

2.6 (and older) should be completely excluded

Are they not supported any more?

[lukasj]

note that 2.x do use ant for the build (see ie travis config in the branch or specific build instructions)

for 2.6 and older there is only very limited support; it does not make sense to consume too much resources for that these days

[artem-smotrakov]

note that 2.x do use ant for the build (see ie travis config in the branch or specific build instructions)

Hope CodeQL can work with Ant.

for 2.6 and older there is only very limited support; it does not make sense to consume too much resources for that these days

Agree. Would it still make sense to fix severe security issues if CodeQL finds them in 2.6 and older?

[lukasj]

those would be present in master/3.0 and 2.7 as well. Everything going to 2.6 must go through newer versions first.