forked from OISF/suricata
-
Notifications
You must be signed in to change notification settings - Fork 0
103 lines (98 loc) · 3.46 KB
/
scan-build.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
name: Scan-build
on:
push:
paths-ignore:
- "doc/**"
pull_request:
paths-ignore:
- "doc/**"
permissions: read-all
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
scan-build:
name: Scan-build
runs-on: ubuntu-latest
container: ubuntu:24.04
steps:
- name: Cache scan-build
uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2
with:
path: ~/.cargo
key: scan-build
- name: Install system packages
run: |
apt update
apt -y install \
libpcre2-dev \
build-essential \
autoconf \
automake \
cargo \
cbindgen \
clang-18 \
clang-tools-18 \
dpdk-dev \
git \
libtool \
libpcap-dev \
libnet1-dev \
libyaml-0-2 \
libyaml-dev \
libcap-ng-dev \
libcap-ng0 \
libmagic-dev \
libnetfilter-log-dev \
libnetfilter-queue-dev \
libnetfilter-queue1 \
libnfnetlink-dev \
libnfnetlink0 \
libnuma-dev \
libhiredis-dev \
libhyperscan-dev \
libjansson-dev \
libevent-dev \
libevent-pthreads-2.1-7 \
liblz4-dev \
llvm-18-dev \
make \
python3-yaml \
rustc \
software-properties-common \
zlib1g \
zlib1g-dev
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- run: git config --global --add safe.directory /__w/suricata/suricata
- run: ./scripts/bundle.sh
- run: ./autogen.sh
- run: scan-build-18 ./configure --enable-warnings --enable-dpdk --enable-nfqueue --enable-nflog
env:
CC: clang-18
# exclude libhtp from the analysis
# disable security.insecureAPI.DeprecatedOrUnsafeBufferHandling explicitly as
# this will require significant effort to address.
- run: |
scan-build-18 --status-bugs --exclude libhtp/ --exclude rust \
-enable-checker valist.Uninitialized \
-enable-checker valist.CopyToSelf \
-enable-checker valist.Unterminated \
-enable-checker security.insecureAPI.bcmp \
-enable-checker security.insecureAPI.bcopy \
-enable-checker security.insecureAPI.bzero \
-enable-checker security.insecureAPI.rand \
-enable-checker security.insecureAPI.strcpy \
-enable-checker security.insecureAPI.decodeValueOfObjCType \
-enable-checker security.FloatLoopCounter \
-enable-checker optin.portability.UnixAPI \
-enable-checker optin.performance.GCDAntipattern \
-enable-checker nullability.NullableReturnedFromNonnull \
-enable-checker nullability.NullablePassedToNonnull \
-enable-checker nullability.NullableDereferenced \
-enable-checker optin.performance.Padding \
\
-disable-checker security.insecureAPI.DeprecatedOrUnsafeBufferHandling \
\
make
env:
CC: clang-18