Description
Is your feature request related to a problem? Please describe.
CodeQL scanning C/C++ and Rust can be done without building now. It is generally available. See the GitHub Changelog blog post announcing it is Generally Available here: https://github.blog/changelog/2025-10-14-codeql-scanning-rust-and-c-c-without-builds-is-now-generally-available/
Describe the solution you'd like
The docs here explain a bit how this works, and compare what building or not affects. From what I've read, it should be enough without building, unless there is a lot of generated code that can't be seen. From what I understand, when using a manual build, the build itself doesn't really seem to be used (apart from the generated files), and only serves to track which files the compilation is called on. Maybe that's why, running only on Linux, it doesn't see all the C files (3.01k/3.35k files), as shown in https://github.com/osgeo/grass/security/code-scanning/tools/CodeQL/status

- https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#about-the-codeql-analysis-workflow-and-compiled-languages
- https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes
- https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#about-build-mode-none-for-codeql
- https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#no-build-for-cc
- https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#accuracy-of-no-build-analysis-for-cc

Creating a CodeQL database without a build may produce less accurate results than using autobuild or manual build steps if:
- The build scripts cannot be queried for dependency information, and dependency guesses are inaccurate.
- The repository normally generates code during the build process.
To use autobuild or manual build steps, you can use advanced setup.
Creating a CodeQL C/C++ database without a build may produce less accurate results than using autobuild or manual build steps in some cases; for example, if:
- The code depends heavily on custom macros/defines not available in existing headers
- The codebase has many external dependencies
You can ensure a more accurate analysis by taking the following steps:
- Place custom macros and defines in header files that are included in relevant source files
- Ensure external dependencies (headers) are available in system include directories or in the workspace
- Run the extraction on the target platform. For example, choose a Windows runner to analyze Windows projects to give access to platform specific headers and compilers
Describe alternatives you've considered
We could set build modes in our matrix combinations too: https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#about-the-codeql-analysis-workflow-and-compiled-languages
Additional context
Add any other context or screenshots about the feature request here.
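As an added illustration (not the project's existing workflow), this is what a matrix that sets the build mode per combination could look like, including a second C/C++ pass on a Windows runner so platform-specific headers are visible as the docs suggest. Branch triggers, runner images and the `category` scheme are assumptions; `build-mode` and `languages` are the documented inputs of `github/codeql-action/init`.

```yaml
name: CodeQL (no-build matrix example)

on: [push, pull_request]   # trigger set is an assumption

permissions:
  contents: read
  security-events: write   # needed to upload SARIF results

jobs:
  analyze:
    name: Analyze (${{ matrix.language }}, ${{ matrix.build-mode }}, ${{ matrix.os }})
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        include:
          # build-mode: none extracts every C/C++ source file CodeQL can find,
          # so files the Linux build never compiles are still analysed.
          - language: c-cpp
            build-mode: none
            os: ubuntu-latest
          # Second no-build pass on the target platform so Windows-specific
          # headers and defines are available to the extractor.
          - language: c-cpp
            build-mode: none
            os: windows-latest
          # Interpreted languages never needed a build; keep them in the same matrix.
          - language: python
            build-mode: none
            os: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}

      # No manual build step is needed when build-mode is none.

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          # Each matrix entry must upload under a unique category, otherwise
          # the two c-cpp analyses would overwrite each other's results.
          category: "/language:${{ matrix.language }}/os:${{ matrix.os }}"
```

Switching one entry to `build-mode: manual` and adding an explicit build step between init and analyze is how the autobuild/manual comparison in the linked docs would be run side by side.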