
ci: add conan security scan and license check #58

Open

YamingPei wants to merge 17 commits into main from ci/conan-security-check

Conversation

@YamingPei (Contributor)

Description

Add conan security scan and license check

Checklist

Please check the items in the checklist if applicable.

  • Is the user manual updated?
  • Are the test cases passed and automated?
  • Is there no significant decrease in test coverage?

Copilot AI review requested due to automatic review settings February 12, 2026 07:11

Copilot AI left a comment


Pull request overview

Adds a new GitHub Actions workflow intended to scan Conan dependencies for known vulnerabilities (via OSV), publish results as SARIF to GitHub Security, and post a report back to pull requests.

Changes:

  • Introduces .github/workflows/conan-security-scan.yml to generate a Conan dependency graph and query OSV for CVEs.
  • Generates and uploads a Markdown report + SARIF results as workflow artifacts and to GitHub code scanning.
  • Attempts to comment scan results on PRs.


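An added example, not the workflow code from this PR, of the pipeline the overview above describes: read the nodes of `conan graph info --format=json`, turn them into an OSV `querybatch` request for the ConanCenter ecosystem, and map the response into a minimal SARIF 2.1.0 log of the kind `upload-sarif` accepts. The graph JSON, the revision ids, the vulnerability id and the `conanfile.py` location are all constructed placeholders.

```python
import json

# Constructed sample in the shape of `conan graph info . --format=json`, cut down
# to the fields read below. Revision ids after '#' are made-up placeholders.
CONAN_GRAPH = json.dumps({"graph": {"nodes": {
    "0": {"ref": "conanfile", "context": "host"},
    "1": {"ref": "fmt/12.0.0#aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "context": "host"},
    "2": {"ref": "openssl/3.6.1#bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "context": "host"},
    "3": {"ref": "cmake/3.31.11#cccccccccccccccccccccccccccccccc", "context": "build"},
}}})

# Constructed querybatch reply: one entry per query, in query order. The real
# endpoint returns only 'id' and 'modified' per vuln; details need /v1/vulns/{id}.
OSV_RESPONSE = {"results": [
    {},
    {"vulns": [{"id": "OSV-PLACEHOLDER-0001", "modified": "2026-01-01T00:00:00Z"}]},
]}

def conan_packages(graph_json, include_build=False):
    """(name, version) pairs from the graph: skip the root conanfile node,
    drop the '#revision' suffix, and leave out build-context tools by default."""
    pkgs = []
    for node in json.loads(graph_json)["graph"]["nodes"].values():
        ref = node["ref"]
        if ref.startswith("conanfile") or (node.get("context") == "build" and not include_build):
            continue
        name, version = ref.split("#", 1)[0].split("/", 1)
        pkgs.append((name, version))
    return pkgs

def osv_querybatch(pkgs):
    """Request body for POST https://api.osv.dev/v1/querybatch."""
    return {"queries": [{"package": {"name": n, "ecosystem": "ConanCenter"}, "version": v}
                        for n, v in pkgs]}

def to_sarif(pkgs, response, location="conanfile.py"):
    """Minimal SARIF 2.1.0 log for github/codeql-action/upload-sarif; each
    vulnerability becomes one result pointing at the assumed conanfile location."""
    results = [
        {"ruleId": vuln["id"], "level": "error",
         "message": {"text": f"{name}/{version}: {vuln['id']}"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": location}}}]}
        for (name, version), res in zip(pkgs, response["results"])
        for vuln in res.get("vulns", [])
    ]
    return {"version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": "conan-osv-scan"}}, "results": results}]}

if __name__ == "__main__":
    pkgs = conan_packages(CONAN_GRAPH)
    print(json.dumps(osv_querybatch(pkgs), indent=1))
    print(json.dumps(to_sarif(pkgs, OSV_RESPONSE), indent=1))
```

Build-context tools (cmake, ninja, meson) are excluded by default because they never end up in the shipped binary; pass `include_build=True` to scan them as well, as the PR's report does.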
@github-advanced-security


This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@codecov-commenter

codecov-commenter commented Feb 12, 2026


Codecov Report

❌ Patch coverage is 0% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 83.50%. Comparing base (f1a0413) to head (a57dd99).
⚠️ Report is 24 commits behind head on main.

Files with missing lines                               Patch %   Lines
...ons/components/connector/src/TDengineConnector.cpp  0.00%     2 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main      #58      +/-   ##
==========================================
+ Coverage   81.55%   83.50%   +1.94%     
==========================================
  Files         192      192              
  Lines        9359     9882     +523     
  Branches     4022     4181     +159     
==========================================
+ Hits         7633     8252     +619     
+ Misses       1726     1630      -96     
Flag         Coverage Δ
Linux-arm64  81.61% <0.00%> (+2.20%) ⬆️
Linux-x64    81.23% <0.00%> (+2.20%) ⬆️
macOS-arm64  83.27% <0.00%> (+2.10%) ⬆️
macOS-x64    83.14% <0.00%> (+1.83%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.

@YamingPei YamingPei requested a review from Copilot February 12, 2026 08:37
@taosdata taosdata deleted a comment from github-actions Bot Feb 12, 2026

Copilot AI left a comment


Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated 7 comments.



@taosdata taosdata deleted a comment from github-actions Bot Feb 13, 2026
@github-actions


🔐 Conan Static Dependencies Security Scan

Conan Dependencies Security Report

Generated: 2026-02-13 14:11:31 UTC
Project: taosgen
Scan Type: Static Dependencies (Conan)

Summary

  • Total Dependencies: 25
  • Vulnerabilities Found: 0
  • Critical: 0
  • High: 0
  • Medium: 0

Dependencies Scanned

Package         Version                                         Status
fmt             12.0.0#dc7de7f3968e5d6b377f27b7d0f33916         ✅ Clean
jemalloc        5.3.0#e951da9cf599e956cebc117880d2d9f8          ✅ Clean
automake        1.16.5#b91b7c384c3deaa9d535be02da14d04f         ✅ Clean
autoconf        2.71#51077f068e61700d65bb05541ea1e4b0           ✅ Clean
m4              1.4.19#1f9bd25d2bd53f49ad509caa467f57b9         ✅ Clean
mimalloc        2.1.7#af6e65f1196fa16865104ad6ef59ff5a          ✅ Clean
cmake           3.31.11#f325c933f618a1fcebc1e1c0babfd1ba        ✅ Clean
yaml-cpp        0.8.0#131511e225a521dd94fd8b2ee2268ab2          ✅ Clean
luajit          2.1.0-beta3#e8ee964ad9fedb6ebd93b83ec3452a62    ✅ Clean
paho-mqtt-cpp   1.5.3#6f7963288bcc9f20414c469c187f8396          ✅ Clean
paho-mqtt-c     1.3.13#398643eeb183ad7536157ea96b6fad52         ✅ Clean
openssl         3.6.1#2e0be4a996c7ca91feb31b7fe65117b9          ✅ Clean
zlib            1.2.13#9df41c65e2c2b6ef47633dc32e0b699a         ✅ Clean
nlohmann_json   3.11.3#45828be26eb619a2e04ca517bb7b828d         ✅ Clean
lz4             1.9.4#4ed63aa8e019d795cd3b8c0d2dd66cda          ✅ Clean
zstd            1.5.5#a4398ab5244b10fb081eeac217b5ef9f          ✅ Clean
snappy          1.2.1#a308ba649dfa7f2e86db38d8b781124a          ✅ Clean
libiconv        1.17#1e65319e945f2d31941a9d28cc13c058           ✅ Clean
spdlog          1.16.0#059165c3ce42f9266c4c0c0c3e2ff1cd         ✅ Clean
librdkafka      2.12.1#4c3f08ad769b4eb69cbbf1807891b4ea         ✅ Clean
cyrus-sasl      2.1.28#7454252270ecd9a8701db266fd9e26db         ✅ Clean
gnu-config      cci.20210814#466e9d4d7779e1c142443f7ea44b4284   ✅ Clean
pkgconf         2.5.1#93c2051284cba1279494a43a4fcfeae2          ✅ Clean
meson           1.10.0#60786758ea978964c24525de19603cf4         ✅ Clean
ninja           1.13.2#c8c5dc2a52ed6e4e42a66d75b4717ceb         ✅ Clean

✅ No vulnerabilities detected


Note: This scan checks Conan dependencies that are statically linked into the binary.
Because these dependencies are compiled into the binary, traditional dynamic scanning tools (OWASP, Trivy FS) cannot detect them.

@github-actions


📜 License Compliance Check

License Compliance Report

Overview

This report contains all detected licenses in the taosgen project dependencies.

Allowed Licenses

  • Apache 2.0
  • MIT
  • BSD-2-Clause
  • BSD-3-Clause
  • ISC

Prohibited Licenses

  • GPL-2.0
  • GPL-3.0
  • AGPL-3.0
  • SSPL
  • MPL-2.0
  • LGPL-2.0
  • LGPL-2.1
  • LGPL-3.0

✅ No suspicious or unknown licenses detected.

For detailed reports, check the artifacts.

@taosdata taosdata deleted a comment from github-actions Bot Feb 13, 2026