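# Static analysis of the TinyUSB example builds. Two independent jobs each build
# one board from their matrix and publish findings to GitHub code scanning as
# SARIF: CodeQL (init/analyze) and PVS-Studio (plog-converter -> upload-sarif).
name: Static Analysis

# `on` is a YAML 1.1 boolean for generic parsers; GitHub's loader treats it as
# the trigger key, so the yamllint truthy rule is suppressed deliberately.
on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
  push:
    branches:
      - master
  # NOTE: pull requests opened from forks run without repository secrets and
  # with a read-only token, so the PVS-Studio credentials step below sees an
  # empty value on those runs.
  pull_request:
    types: [opened, synchronize, reopened]

# Least-privilege token for all jobs: only the code-scanning upload
# (security-events) is writable; checkout and action metadata stay read-only.
permissions:
  actions: read
  contents: read
  security-events: write

# Third-party actions below are referenced by major tag (@v4), which floats to
# the newest release of that line; pinning to a full commit SHA is the stricter
# supply-chain option.
jobs:
  CodeQL:
    runs-on: ubuntu-latest
    strategy:
      # Let every matrix entry finish so one failing board does not hide the
      # results of the others.
      fail-fast: false
      matrix:
        board:
          - 'raspberry_pi_pico'
    steps:
      - name: Checkout TinyUSB
        uses: actions/checkout@v4
      - name: Get Dependencies
        uses: ./.github/actions/get_deps
        with:
          # Quoted: the value begins with a dash and holds an expression.
          arg: '-b${{ matrix.board }}'
      - name: Setup Toolchain
        uses: ./.github/actions/setup_toolchain
        with:
          toolchain: 'arm-gcc'
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: 'c-cpp'
          queries: security-and-quality
      # CodeQL traces the compiler, so the build must run between init and
      # analyze. compile_commands.json is exported for tooling consistency with
      # the PVS-Studio job.
      - name: Build
        run: |
          cmake examples -B build -G Ninja -DBOARD=${{ matrix.board }} -DCMAKE_EXPORT_COMPILE_COMMANDS=ON -DCMAKE_BUILD_TYPE=MinSizeRel
          cmake --build build
      - name: Perform CodeQL Analysis
        # Step id is kept so the (currently disabled) SARIF filter below can
        # reference steps.step1.outputs.sarif-output if re-enabled.
        id: step1
        uses: github/codeql-action/analyze@v4
        with:
          # Distinct from the PVS-Studio category so both result sets coexist
          # in code scanning instead of overwriting each other.
          category: CodeQL
          upload: always
      # - name: Filter out unwanted errors and warnings
      #   uses: advanced-security/filter-sarif@v1
      #   with:
      #     patterns: |
      #       -**:cpp/path-injection
      #       -**:cpp/world-writable-file-creation
      #       -**:cpp/poorly-documented-function
      #       -**:cpp/potentially-dangerous-function
      #       -**:cpp/use-of-goto
      #       -**:cpp/integer-multiplication-cast-to-long
      #       -**:cpp/comparison-with-wider-type
      #       -**:cpp/leap-year/*
      #       -**:cpp/ambiguously-signed-bit-field
      #       -**:cpp/suspicious-pointer-scaling
      #       -**:cpp/suspicious-pointer-scaling-void
      #       -**:cpp/unsigned-comparison-zero
      #       -**/third*party/**
      #       -**/3rd*party/**
      #       -**/external/**
      #     input: ${{ steps.step1.outputs.sarif-output }}/cpp.sarif
      #     output: ${{ steps.step1.outputs.sarif-output }}/cpp.sarif
      #
      # - name: Upload SARIF
      #   uses: github/codeql-action/upload-sarif@v4
      #   with:
      #     sarif_file: ${{ steps.step1.outputs.sarif-output }}
      #     category: CodeQL

  PVS-Studio:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        board:
          - 'stm32h743eval'
    steps:
      - name: Checkout TinyUSB
        uses: actions/checkout@v4
      - name: Get Dependencies
        uses: ./.github/actions/get_deps
        with:
          arg: '-b${{ matrix.board }}'
      - name: Setup Toolchain
        uses: ./.github/actions/setup_toolchain
        with:
          toolchain: 'arm-gcc'
      - name: Install Tools
        # The license is passed to the shell through an environment variable
        # rather than expanded inline with ${{ }}: an inline expansion is
        # written into the generated step script, whereas an env var is only
        # read by the process that needs it.
        env:
          PVS_STUDIO_CREDENTIALS: ${{ secrets.PVS_STUDIO_CREDENTIALS }}
        run: |
          # apt-key is deprecated on current Ubuntu releases; a signed-by keyring
          # would be the modern replacement for registering the vendor key.
          wget -q -O - https://files.pvs-studio.com/etc/pubkey.txt | sudo apt-key add -
          sudo wget -O /etc/apt/sources.list.d/viva64.list https://files.pvs-studio.com/etc/viva64.list
          sudo apt update
          # -y: the step has no terminal, so a confirmation prompt could not be answered.
          sudo apt install -y pvs-studio
          # Deliberately unquoted so a multi-token credential value is split into
          # separate arguments exactly as the former inline expansion was.
          pvs-studio-analyzer credentials $PVS_STUDIO_CREDENTIALS
      - name: Analyze
        run: |
          cmake examples -B build -G Ninja -DBOARD=${{ matrix.board }} -DCMAKE_EXPORT_COMPILE_COMMANDS=ON -DCMAKE_BUILD_TYPE=MinSizeRel
          cmake --build build
          # Drives the analyzer from the exported compile database; hw/mcu/ and
          # lib/ are excluded from the report.
          pvs-studio-analyzer analyze -f build/compile_commands.json -j --exclude-path hw/mcu/ --exclude-path lib/
          plog-converter -t sarif -o pvs.sarif PVS-Studio.log
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: pvs.sarif
          # Distinct from the CodeQL job's category (see above).
          category: PVS-Studio

  # SonarQube:
  #   name: Build and analyze
  #   runs-on: ubuntu-latest
  #   env:
  #     BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory # Directory where build-wrapper output will be placed
  #   steps:
  #     - uses: actions/checkout@v4
  #       with:
  #         fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
  #     - name: Install Build Wrapper
  #       uses: SonarSource/sonarqube-scan-action/install-build-wrapper@v6
  #     - name: Run Build Wrapper
  #       run: |
  #         build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} cmake --build --preset ${{ env.BOARD }} -t ${{ env.EXAMPLE }}
  #     - name: SonarQube Scan
  #       uses: SonarSource/sonarqube-scan-action@v6
  #       env:
  #         SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
  #       with:
  #         args: >
  #           --define "sonar.cfamily.compile-commands=${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json"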