Static analysis #13
---
name: Static Analysis

# Triggers: manual dispatch, pushes to master, and pull-request
# open/update/reopen events.
on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
  push:
    branches:
      - master
  pull_request:
    types:
      - opened
      - synchronize
      - reopened

# Default GITHUB_TOKEN scopes for every job: read-only, except the
# security-events write needed to upload SARIF results to code scanning.
permissions:
  actions: read
  contents: read
  security-events: write

jobs:
# CodeQL: compiles one board with compile_commands export, runs the C/C++
# security-and-quality query suite, uploads the result to code scanning and
# keeps the SARIF as a build artifact.
  CodeQL:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        board:
          - 'metro_m4_express'
    steps:
      # NOTE(review): the third-party actions in this job are referenced by
      # mutable tags; pinning each to a full-length commit SHA (tag kept in a
      # trailing comment) removes the tag-retargeting supply-chain risk.
      - name: Checkout TinyUSB
        uses: actions/checkout@v4
      - name: Get Dependencies
        uses: ./.github/actions/get_deps
        with:
          arg: -b${{ matrix.board }}
      - name: Setup Toolchain
        uses: ./.github/actions/setup_toolchain
        with:
          toolchain: 'arm-gcc'
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: 'c-cpp'
          queries: security-and-quality
      - name: Build
        run: |
          mkdir -p build
          cmake examples -B build -G Ninja -DBOARD=${{ matrix.board }} -DCMAKE_EXPORT_COMPILE_COMMANDS=ON -DCMAKE_BUILD_TYPE=MinSizeRel
          cmake --build build
      - name: Perform CodeQL Analysis
        # The step id is what exposes steps.analyze.outputs.sarif-output to the
        # artifact upload below.
        id: analyze
        uses: github/codeql-action/analyze@v4
        with:
          category: CodeQL
          upload: always
      # - name: Filter out unwanted errors and warnings
      #   uses: advanced-security/filter-sarif@v1
      #   with:
      #     patterns: |
      #       -**:cpp/path-injection
      #       -**:cpp/world-writable-file-creation
      #       -**:cpp/poorly-documented-function
      #       -**:cpp/potentially-dangerous-function
      #       -**:cpp/use-of-goto
      #       -**:cpp/integer-multiplication-cast-to-long
      #       -**:cpp/comparison-with-wider-type
      #       -**:cpp/leap-year/*
      #       -**:cpp/ambiguously-signed-bit-field
      #       -**:cpp/suspicious-pointer-scaling
      #       -**:cpp/suspicious-pointer-scaling-void
      #       -**:cpp/unsigned-comparison-zero
      #       -**/third*party/**
      #       -**/3rd*party/**
      #       -**/external/**
      #     input: ${{ steps.analyze.outputs.sarif-output }}/cpp.sarif
      #     output: ${{ steps.analyze.outputs.sarif-output }}/cpp.sarif
      #
      # - name: Upload SARIF
      #   uses: github/codeql-action/upload-sarif@v4
      #   with:
      #     sarif_file: ${{ steps.analyze.outputs.sarif-output }}
      #     category: CodeQL
      - name: Upload artifact
        uses: actions/upload-artifact@v5
        with:
          name: codeql-${{ matrix.board }}
          path: ${{ steps.analyze.outputs.sarif-output }}
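# PVS-Studio: commercial analyzer that needs the PVS_STUDIO_CREDENTIALS secret,
# so it is gated to the upstream repository.
  PVS-Studio:
    # NOTE(review): github.repository_owner is the base repository's owner, so
    # this gate also passes for pull requests opened from forks, where secrets
    # are not available and the credentials step would fail — confirm whether
    # that is intended.
    if: github.repository_owner == 'hathach'
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        board:
          - 'raspberry_pi_pico'
    steps:
      - name: Checkout TinyUSB
        uses: actions/checkout@v4
      - name: Get Dependencies
        uses: ./.github/actions/get_deps
        with:
          arg: -b${{ matrix.board }}
      - name: Setup Toolchain
        uses: ./.github/actions/setup_toolchain
        with:
          toolchain: 'arm-gcc'
      - name: Install Tools
        # The secret reaches the shell through the environment instead of being
        # interpolated into the script text, so shell metacharacters in its value
        # are never evaluated (same pattern as IAR_LMS_BEARER_TOKEN in this file).
        env:
          PVS_STUDIO_CREDENTIALS: ${{ secrets.PVS_STUDIO_CREDENTIALS }}
        run: |
          # NOTE(review): apt-key is deprecated and places the vendor key in the
          # global trusted keyring, where it can sign any package; a keyring
          # scoped to the viva64 repository (signed-by) would limit its reach.
          wget -q -O - https://files.pvs-studio.com/etc/pubkey.txt | sudo apt-key add -
          sudo wget -O /etc/apt/sources.list.d/viva64.list https://files.pvs-studio.com/etc/viva64.list
          sudo apt update
          # -y: the runner has no TTY, so an install prompt would abort the step.
          sudo apt install -y pvs-studio
          # Left unquoted on purpose so that the value is word-split exactly as the
          # inline interpolation was; presumably it holds the space-separated
          # username and key — confirm against the secret's contents.
          pvs-studio-analyzer credentials $PVS_STUDIO_CREDENTIALS
      - name: Analyze
        run: |
          mkdir -p build
          cmake examples -B build -G Ninja -DBOARD=${{ matrix.board }} -DCMAKE_BUILD_TYPE=MinSizeRel
          cmake --build build
          # Vendor MCU and third-party library code is excluded from the report.
          pvs-studio-analyzer analyze -f build/compile_commands.json -j --exclude-path hw/mcu/ --exclude-path lib/
          plog-converter -t sarif -o pvs-studio-${{ matrix.board }}.sarif PVS-Studio.log
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: pvs-studio-${{ matrix.board }}.sarif
          category: PVS-Studio
      - name: Upload artifact
        uses: actions/upload-artifact@v5
        with:
          name: pvs-studio-${{ matrix.board }}
          path: pvs-studio-${{ matrix.board }}.sarif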
# SonarQube: records the build through Sonar's build wrapper so the C-family
# analyzer sees the exact compiler invocations, then runs the scanner.
  SonarQube:
    if: github.repository_owner == 'hathach'
    runs-on: ubuntu-latest
    env:
      # Directory the build wrapper writes its compile_commands.json into.
      BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory
    strategy:
      fail-fast: false
      matrix:
        board:
          - 'stm32h743eval'
    steps:
      - name: Checkout TinyUSB
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
      - name: Get Dependencies
        uses: ./.github/actions/get_deps
        with:
          arg: -b${{ matrix.board }}
      - name: Setup Toolchain
        uses: ./.github/actions/setup_toolchain
        with:
          toolchain: 'arm-gcc'
      - name: Install Build Wrapper
        uses: SonarSource/sonarqube-scan-action/install-build-wrapper@v6
      - name: Run Build Wrapper
        run: |
          cmake examples -B build -G Ninja -DBOARD=${{ matrix.board }} -DCMAKE_BUILD_TYPE=MinSizeRel
          # BUILD_WRAPPER_OUT_DIR is exported by the job-level env above.
          build-wrapper-linux-x86-64 --out-dir "$BUILD_WRAPPER_OUT_DIR" cmake --build build/
      - name: SonarQube Scan
        uses: SonarSource/sonarqube-scan-action@v6
        env:
          # The token is passed via the environment, not interpolated into a script.
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          # Consult https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner/ for more information and options
          args: >
            --define sonar.cfamily.compile-commands=${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json
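# IAR C-STAT: builds one example with the IAR toolchain, lets CMake emit the
# C-STAT SARIF report (IAR_CSTAT=1), merges the per-file reports and uploads
# the merged file both to code scanning and as an artifact.
  IAR-CStat:
    if: github.repository_owner == 'hathach'
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        board:
          - 'b_g474e_dpow1'
    steps:
      - name: Checkout TinyUSB
        uses: actions/checkout@v4
      - name: Get Dependencies
        uses: ./.github/actions/get_deps
        with:
          arg: -b${{ matrix.board }}
      - name: Setup Toolchain
        uses: ./.github/actions/setup_toolchain
        with:
          toolchain: 'arm-iar'
      - name: Install CMake 4.2
        run: |
          # IAR CSTAT requires CMake >= 4.1
          # NOTE(review): the release tarball is fetched without any integrity
          # check; Kitware publishes SHA-256 sums with each release, so the
          # expected digest could be pinned here and checked with sha256sum -c
          # before extracting.
          wget -q https://github.com/Kitware/CMake/releases/download/v4.2.0-rc1/cmake-4.2.0-rc1-linux-x86_64.tar.gz
          tar -xzf cmake-4.2.0-rc1-linux-x86_64.tar.gz
          # Put the unpacked bin/ directory on PATH for the following steps.
          echo "${{ github.workspace }}/cmake-4.2.0-rc1-linux-x86_64/bin" >> "$GITHUB_PATH"
      - name: Build and run IAR C-STAT Analysis
        env:
          IAR_LMS_BEARER_TOKEN: ${{ secrets.IAR_LMS_BEARER_TOKEN }}
        run: |
          # CMake run post build to generate C-STAT SARIF report
          cmake --version
          mkdir -p build
          cmake examples/device/cdc_msc -B build -G Ninja -DBOARD=${{ matrix.board }} -DTOOLCHAIN=iar -DIAR_CSTAT=1 -DCMAKE_BUILD_TYPE=MinSizeRel
          cmake --build build
      - name: Merge SARIF files
        # NOTE(review): a 0.x tag is mutable; pinning to a full commit SHA is the
        # safer reference for this action.
        uses: microsoft/sarif-actions@v0.1
        with:
          command: 'merge-sarif build/cstat_sarif build/merged.sarif'
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v4
        with:
          # Must be the file written by the Merge SARIF step above; no step in
          # this job produces any other SARIF file.
          sarif_file: build/merged.sarif
          category: IAR-CStat
      - name: Upload artifact
        uses: actions/upload-artifact@v5
        with:
          name: iar-cstat-${{ matrix.board }}
          path: build/merged.sarif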