Add more (security) code checkers to CI #176
secworks changed the title from "Add security linters to CI" to "Add more (security) code checkers to CI" on Mar 19, 2024
I agree more analysis tools would be good.

splint is already added to check at least firmware code. See the "check" target in `hw/application_fpga/Makefile`, which also calls clang-tidy with at least the `cert-*` checks.

splint currently gives us a lot of warnings, mostly because we haven't added all the formal comments that splint wants us to insert in our code, but there may be nuggets here. We pass clang-tidy's check. However, splint, as you know, seems dead as a project, and clang-tidy gives us much more.

The `make check` isn't in CI, so yes, very good idea to add it, but perhaps either delete splint or carefully go through its output.

SonarQube's cloud offering seems to be available free for FLOSS projects. We probably qualify and should definitely look into it.

scan-build is new to me. I have to look into it.
There are a few interesting linters and STAs that we could add to the CI flow to improve checks:

- Flawfinder: https://dwheeler.com/flawfinder/
- splint: https://splint.org/
- scan-build (exists as an action in GitHub): https://clang-analyzer.llvm.org/scan-build.html

Some more advanced analysis tools are semgrep: https://github.com/0xdea/semgrep-rules

Libfuzzer: https://github.com/google/fuzzing/blob/master/tutorial/libFuzzerTutorial.md

We should also use gcc as a secondary compiler/parser with flags such as:

```
-g -Og -fasynchronous-unwind-tables -fexceptions -fno-omit-frame-pointer -Wall -Wextra -pedantic -Werror -Wformat=2 -Wconversion -Wdouble-promotion -Wshadow -Wundef -fanalyzer -Wcast-qual -Wcast-align -Wredundant-decls -Winline -Wdisabled-optimization -Wnested-externs -fstrict-aliasing -fsanitize=address,undefined
```
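As an added example (not part of this issue or the project's repository), here is a GitHub Actions workflow that wires the checkers discussed in this thread into CI: the existing `make check` target, Flawfinder, scan-build, and a second gcc pass with the flag set above. It assumes that the default target in `hw/application_fpga` builds the firmware with `CC` taken from the environment (so scan-build can interpose), that firmware sources live under `hw/application_fpga/fw/`, and that Flawfinder risk level 3 is the threshold that should fail the build.

```yaml
# Added example, not taken from this issue or the project's repository.
# Assumed: `make check` in hw/application_fpga runs splint and clang-tidy,
# firmware C sources are under hw/application_fpga/fw/, and the default make
# target honours CC so scan-build can wrap the compiler.
name: security-checks

on: [push, pull_request]

jobs:
  make-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: sudo apt-get update && sudo apt-get install -y splint clang-tidy
      # Existing target; splint is noisy today, so review its output before letting it gate merges.
      - run: make -C hw/application_fpga check

  flawfinder:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install flawfinder
      # Exit non-zero on any hit at risk level 3 or higher; lower levels are
      # still printed for manual review.
      - run: flawfinder --error-level=3 hw/application_fpga/fw

  scan-build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: sudo apt-get update && sudo apt-get install -y clang-tools
      # --status-bugs makes scan-build fail the job when the analyzer reports
      # anything, instead of only producing an HTML report.
      - run: scan-build --status-bugs -o scan-results make -C hw/application_fpga
      - uses: actions/upload-artifact@v4
        if: always()
        with:
          name: scan-build-report
          path: scan-results

  gcc-flags:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Second compiler pass with the flag set from the issue; compile only (-c), no link.
      - run: |
          CFLAGS="-g -Og -fasynchronous-unwind-tables -fexceptions -fno-omit-frame-pointer -Wall -Wextra -pedantic -Werror -Wformat=2 -Wconversion -Wdouble-promotion -Wshadow -Wundef -fanalyzer -Wcast-qual -Wcast-align -Wredundant-decls -Winline -Wdisabled-optimization -Wnested-externs -fstrict-aliasing -fsanitize=address,undefined"
          for f in hw/application_fpga/fw/*.c; do gcc $CFLAGS -c "$f" -o /dev/null; done
```

The scan-build job uploads its report even on failure so findings can be read without re-running the analyzer locally.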