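---
# Static analysis for the example builds: CodeQL and PVS-Studio each build one
# board and publish SARIF to GitHub code scanning (hence security-events: write).
# Every action below is referenced by a major-version tag; pinning each `uses:`
# to a full commit SHA (keeping the tag in a trailing comment) would tighten the
# supply chain — look the SHAs up in the upstream repos when adopting that.
name: Static Analysis

on:
  workflow_dispatch:
  push:
    branches:
      - master
  pull_request:
    types: [opened, synchronize, reopened]

# Least-privilege token: only code-scanning upload needs write access.
# On pull requests from forks GITHUB_TOKEN is read-only regardless, so the
# SARIF uploads cannot succeed there.
permissions:
  actions: read
  contents: read
  security-events: write

jobs:
  CodeQL:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        board:
          - 'raspberry_pi_pico'
    steps:
      - name: Checkout TinyUSB
        uses: actions/checkout@v4

      - name: Get Dependencies
        uses: ./.github/actions/get_deps
        with:
          # matrix.board comes from this file, not from event data, so it is
          # safe to expand inline here and in the run: scripts below.
          arg: -b${{ matrix.board }}

      - name: Setup Toolchain
        uses: ./.github/actions/setup_toolchain
        with:
          toolchain: 'arm-gcc'

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: 'c-cpp'
          queries: security-and-quality

      # A compile_commands.json export is required so the CodeQL tracer sees
      # the real compiler invocations for the board build.
      - name: Build
        run: |
          cmake examples -B build -G Ninja -DBOARD=${{ matrix.board }} -DCMAKE_EXPORT_COMPILE_COMMANDS=ON -DCMAKE_BUILD_TYPE=MinSizeRel
          cmake --build build

      # `id: analyze` is referenced below via steps.analyze.outputs.sarif-output.
      - name: Perform CodeQL Analysis
        id: analyze
        uses: github/codeql-action/analyze@v4
        with:
          category: CodeQL
          upload: always

      # Disabled: SARIF post-filtering (kept for reference; re-enable together
      # with the upload-sarif step below and set `upload: never` above so the
      # unfiltered results are not uploaded twice).
      # - name: Filter out unwanted errors and warnings
      #   uses: advanced-security/filter-sarif@v1
      #   with:
      #     patterns: |
      #       -**:cpp/path-injection
      #       -**:cpp/world-writable-file-creation
      #       -**:cpp/poorly-documented-function
      #       -**:cpp/potentially-dangerous-function
      #       -**:cpp/use-of-goto
      #       -**:cpp/integer-multiplication-cast-to-long
      #       -**:cpp/comparison-with-wider-type
      #       -**:cpp/leap-year/*
      #       -**:cpp/ambiguously-signed-bit-field
      #       -**:cpp/suspicious-pointer-scaling
      #       -**:cpp/suspicious-pointer-scaling-void
      #       -**:cpp/unsigned-comparison-zero
      #       -**/third*party/**
      #       -**/3rd*party/**
      #       -**/external/**
      #     input: ${{ steps.analyze.outputs.sarif-output }}/cpp.sarif
      #     output: ${{ steps.analyze.outputs.sarif-output }}/cpp.sarif
      #
      # - name: Upload SARIF
      #   uses: github/codeql-action/upload-sarif@v4
      #   with:
      #     sarif_file: ${{ steps.analyze.outputs.sarif-output }}
      #     category: CodeQL

      - name: Upload artifact
        uses: actions/upload-artifact@v5
        with:
          name: codeql-${{ matrix.board }}
          path: ${{ steps.analyze.outputs.sarif-output }}

  PVS-Studio:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        board:
          - 'stm32h743eval'
    steps:
      - name: Checkout TinyUSB
        uses: actions/checkout@v4

      - name: Get Dependencies
        uses: ./.github/actions/get_deps
        with:
          arg: -b${{ matrix.board }}

      - name: Setup Toolchain
        uses: ./.github/actions/setup_toolchain
        with:
          toolchain: 'arm-gcc'

      # The vendor repository is trusted on the strength of TLS to
      # files.pvs-studio.com plus the key fetched over that same channel.
      # NOTE(review): apt-key is deprecated; a dedicated keyring under
      # /etc/apt/keyrings referenced by a `signed-by=` option in the sources
      # entry would scope the key to this repository only.
      # The secret is handed to the script through the environment rather than
      # expanded inline with ${{ }}, so its contents are never re-parsed as
      # shell text. Secrets are not exposed to pull requests from forks, so the
      # credentials call will not succeed on such runs.
      - name: Install Tools
        env:
          PVS_STUDIO_CREDENTIALS: ${{ secrets.PVS_STUDIO_CREDENTIALS }}
        run: |
          wget -q -O - https://files.pvs-studio.com/etc/pubkey.txt | sudo apt-key add -
          sudo wget -O /etc/apt/sources.list.d/viva64.list https://files.pvs-studio.com/etc/viva64.list
          sudo apt update
          sudo apt install pvs-studio
          # Deliberately unquoted: the inline expansion it replaces was also
          # word-split, so a multi-token value keeps arriving as separate
          # arguments — confirm against the secret's actual format.
          pvs-studio-analyzer credentials $PVS_STUDIO_CREDENTIALS

      # hw/mcu/ and lib/ (vendored MCU and library code) are excluded from the
      # PVS scan; findings there are not actionable in this repository.
      - name: Analyze
        run: |
          cmake examples -B build -G Ninja -DBOARD=${{ matrix.board }} -DCMAKE_EXPORT_COMPILE_COMMANDS=ON -DCMAKE_BUILD_TYPE=MinSizeRel
          cmake --build build
          pvs-studio-analyzer analyze -f build/compile_commands.json -j --exclude-path hw/mcu/ --exclude-path lib/
          plog-converter -t sarif -o pvs-${{ matrix.board }}.sarif PVS-Studio.log

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: pvs-${{ matrix.board }}.sarif
          category: PVS-Studio

      - name: Upload artifact
        uses: actions/upload-artifact@v5
        with:
          name: pvs-${{ matrix.board }}
          path: pvs-${{ matrix.board }}.sarif

  # Disabled: SonarQube job kept for reference. Note that it expects env.BOARD
  # and env.EXAMPLE, which this workflow does not define.
  # SonarQube:
  #   name: Build and analyze
  #   runs-on: ubuntu-latest
  #   env:
  #     BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory  # Directory where build-wrapper output will be placed
  #   steps:
  #     - uses: actions/checkout@v4
  #       with:
  #         fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
  #     - name: Install Build Wrapper
  #       uses: SonarSource/sonarqube-scan-action/install-build-wrapper@v6
  #     - name: Run Build Wrapper
  #       run: |
  #         build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} cmake --build --preset ${{ env.BOARD }} -t ${{ env.EXAMPLE }}
  #     - name: SonarQube Scan
  #       uses: SonarSource/sonarqube-scan-action@v6
  #       env:
  #         SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
  #       with:
  #         args: >
  #           --define "sonar.cfamily.compile-commands=${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json"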