Add a CodeQL extractor for SAP CAP cds files

[lcartey]

This pull requests adds a native CodeQL extractor for the cds service description files from SAP's cap framework.

The cds extractor supports the following scripts:

• index-files.sh - this script enables indexing a specified list of cds files. It works by:
  • Installing the @sap/cds-dk tool that provides the cds compile command. It installs the package in each directory with a package.json file which depends on the @sap/cds package, and will install a version compatible with the declared versions in the package.json file
  • Running npx cds compile -2 json --locations -o <...> ... for each provided cds file, to produce a JSON output file representing the AST for the file.
  • Running the JavaScript autobuilder, with restrictions in place to ensure we only capture the .cds.json files generated by the compiler.
• autobuild.sh - this provides an autobuilder which detects all .cds files that don't exists outside node_modules, and calls the codeql database index-files --language cds command to index them.

In addition to the cds extractor, I've also added the following:

• A pre-finalize.sh script that can be injected into an existing instance of the JavaScript extractor, that enables automatic extraction of CDS files. This is most useful with a custom bundle as generated by the CodeQL Development Toolkit (qlt). The script also recognises the CODEQL_EXTRACTOR_CDS_SKIP_EXTRACTION flag, which can be set to skip extraction of CDS files.
• A cds-compile.sh script that can be used with the --command option to a codeql database create --language javascript call to add compilation of CDS files manually.

Finally, I've updated the Code Scanning workflow to use/test the new CDS extractor.

Some follow up tasks I would look at as separate PRs are:

• Windows support - this PR only supports Linux, but Windows would be a relatively straightforward extension.
• GitHub Actions support - for customers who don't use a custom bundle (e.g. those on open source, or using GitHub.com), we could provide a native GitHub Action to trigger the extractor as part of a regular JavaScript build.
• Better filtering of manual calls to index-files - we don't currently validate that the list of files provided to index-files only contains .cds files, and ~we don't optimize how often we install the @sap/cds-dk package in a large monorepo with only a subset~ EDIT: this second part is now done.
• Baseline information for CDS files - we could potentially modify the baselining for JS to take into account CDS files, but it would be substantially more invasive, requiring modifying not just adding files.

[jeongsoolee09]

Another question: Does the end user lose the capability of firing the chain of database init --language through database finalize with a codeql database create --language=cds if database init and database finalize require different values for their --language flags?

I don't think this is a significant downside since the user has to run pre-finalize.sh for the options anyways.