I agree more analysis tools would be good.
splint is already added to check at least firmware code. See the "check"
target in `hw/application_fpga/Makefile` which also calls clang-tidy
with at least the `cert-*` checks.
splint currently gives us a lot of warnings, mostly because we haven't
added all the formal comments that splint wants us to insert in our
code, but there may be nuggets here. We pass clang-tidy's check.
However, splint, as you know, seems dead as a project and clang-tidy
gives us much more.
The `make check` isn't in CI, so yes, very good idea to add it, but
perhaps either delete splint or carefully go through its output.
SonarQube's cloud offering seems to be available free for FLOSS
projects. We probably qualify and should definitely look into it.
scan-build is new to me. I have to look into it.
There are a few interesting linters, STAs that we could add to the CI flow to improve checks:

- Flawfinder: https://dwheeler.com/flawfinder/
- splint: https://splint.org/
- scan-build - exists as action in GitHub: https://clang-analyzer.llvm.org/scan-build.html

Some more advanced analysis tools are:

- semgrep: https://github.com/0xdea/semgrep-rules
- libFuzzer: https://github.com/google/fuzzing/blob/master/tutorial/libFuzzerTutorial.md

We should also use gcc as secondary compiler, parser with flags such as:

```
-g -Og -fasynchronous-unwind-tables -fexceptions -fno-omit-frame-pointer -Wall -Wextra -pedantic -Werror -Wformat=2 -Wconversion -Wdouble-promotion -Wshadow -Wundef -fanalyzer -Wcast-qual -Wcast-align -Wredundant-decls -Winline -Wdisabled-optimization -Wnested-externs -fstrict-aliasing -fsanitize=address,undefined
```