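# Static-analysis workflow: CodeQL, PVS-Studio, SonarQube and (currently
# disabled) IAR C-STAT, each producing a SARIF report that is uploaded to
# code scanning and kept as a build artifact.
#
# Security notes (reviewer):
# - The PR trigger is `pull_request`, not `pull_request_target`. Every job
#   builds and runs repository-supplied CMake logic, so it must never execute
#   with the upstream repository's secrets on a fork PR. Do not change this.
# - Third-party actions are referenced by mutable major-version tags (`@v4`,
#   `@v6`, ...). A moved tag silently changes the code that runs here; pin
#   each external `uses:` to a full-length commit SHA (version in a trailing
#   comment) and let Dependabot keep them current.
name: Static Analysis

on:
  workflow_dispatch:
  push:
    branches: [ master ]
    paths:
      - 'src/**'
      - 'examples/**'
      - 'hw/bsp/**'
      - '.github/workflows/static_analysis.yml'
  pull_request:
    branches: [ master ]
    paths:
      - 'src/**'
      - 'examples/**'
      - 'hw/bsp/**'
      - '.github/workflows/static_analysis.yml'

# Least-privilege GITHUB_TOKEN: read the checkout, write code-scanning
# results, nothing else. No job pushes, comments or updates checks.
permissions:
  actions: read
  contents: read
  security-events: write
  # pull-requests: write
  # checks: write

# One run per ref; a newer push cancels the analysis of the previous one.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Run every `run:` step with `bash -eo pipefail` so that a failed download in
# a pipeline (`wget ... | ...`) fails the step instead of being masked by the
# exit status of the last command in the pipe.
defaults:
  run:
    shell: bash

jobs:
  CodeQL:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        board:
          - 'metro_m4_express'
    steps:
      - name: Checkout TinyUSB
        uses: actions/checkout@v6

      - name: Get Dependencies
        uses: ./.github/actions/get_deps
        with:
          arg: -b${{ matrix.board }}

      - name: Setup Toolchain
        uses: ./.github/actions/setup_toolchain
        with:
          toolchain: 'arm-gcc'

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: 'c-cpp'
          queries: security-and-quality

      - name: Build
        run: |
          mkdir -p build
          cmake examples -B build -G Ninja -DBOARD=${{ matrix.board }} -DCMAKE_EXPORT_COMPILE_COMMANDS=ON -DCMAKE_BUILD_TYPE=MinSizeRel
          cmake --build build

      # Analyze without uploading so the SARIF can be filtered first.
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: CodeQL
          upload: false
        id: analyze

      # Drop findings in vendored code (MCU SDKs, third-party libs) before the
      # report reaches code scanning.
      - name: Filter SARIF report
        uses: advanced-security/filter-sarif@v1
        with:
          patterns: |
            -hw/mcu/**
            -lib/**
          input: ${{ steps.analyze.outputs.sarif-output }}/cpp.sarif
          output: ${{ steps.analyze.outputs.sarif-output }}/cpp.sarif

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: ${{ steps.analyze.outputs.sarif-output }}
          category: CodeQL

      - name: Upload artifact
        uses: actions/upload-artifact@v7
        with:
          name: codeql-${{ matrix.board }}
          path: ${{ steps.analyze.outputs.sarif-output }}

  PVS-Studio:
    # Needs PVS_STUDIO_CREDENTIALS, which GitHub withholds from fork PRs, so
    # run only in the upstream repository and skip PRs opened from forks.
    # Non-PR events (push, workflow_dispatch) carry no `pull_request` payload;
    # the explicit event_name check states that case directly instead of
    # relying on how a missing field compares against `false`.
    if: github.repository_owner == 'hathach' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false)
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        board:
          - 'raspberry_pi_pico'
    steps:
      - name: Checkout TinyUSB
        uses: actions/checkout@v6

      - name: Get Dependencies
        uses: ./.github/actions/get_deps
        with:
          arg: -b${{ matrix.board }}

      - name: Setup Toolchain
        uses: ./.github/actions/setup_toolchain
        with:
          toolchain: 'arm-gcc'

      - name: Install Tools
        env:
          # Hand the secret over through the environment rather than expanding
          # `${{ }}` inside the script, so it is not written into the generated
          # step script on disk.
          PVS_STUDIO_CREDENTIALS: ${{ secrets.PVS_STUDIO_CREDENTIALS }}
        run: |
          # Install the vendor signing key into its own keyring and bind it to
          # the vendor repository with [signed-by=...]. `apt-key add` is
          # deprecated and would make this key trusted for every configured
          # apt source, not just the PVS-Studio one.
          sudo install -d -m 0755 /etc/apt/keyrings
          wget -q -O - https://files.pvs-studio.com/etc/pubkey.txt | gpg --dearmor | sudo tee /etc/apt/keyrings/pvs-studio.gpg > /dev/null
          # NOTE(review): assumes the upstream list is a one-line
          # `deb <uri> <suite> <components>` entry with no existing [options];
          # verify against the downloaded file if this step starts failing.
          wget -q -O - https://files.pvs-studio.com/etc/viva64.list | sed 's#^deb #deb [signed-by=/etc/apt/keyrings/pvs-studio.gpg] #' | sudo tee /etc/apt/sources.list.d/viva64.list > /dev/null
          sudo apt update
          sudo apt install -y pvs-studio
          # Deliberately unquoted: the original inline expansion was unquoted
          # as well, so the secret may carry several whitespace-separated
          # fields. NOTE(review): confirm the secret's layout before quoting.
          pvs-studio-analyzer credentials $PVS_STUDIO_CREDENTIALS
          pvs-studio-analyzer --version

      - name: Analyze
        run: |
          mkdir -p build
          # Export compile_commands.json explicitly (consumed by `-f` below),
          # matching what the CodeQL job does.
          cmake examples -B build -G Ninja -DBOARD=${{ matrix.board }} -DCMAKE_EXPORT_COMPILE_COMMANDS=ON -DCMAKE_BUILD_TYPE=MinSizeRel
          cmake --build build
          pvs-studio-analyzer analyze -f build/compile_commands.json -R .PVS-Studio/.pvsconfig -j4 --security-related-issues --misra-cpp-version 2008 --misra-c-version 2023 --use-old-parser -e lib/ -e hw/mcu/ -e */iar/cxarm/ -e pico-sdk/
          plog-converter -t sarif -o pvs-studio-${{ matrix.board }}.sarif PVS-Studio.log

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: pvs-studio-${{ matrix.board }}.sarif
          category: PVS-Studio

      - name: Upload artifact
        uses: actions/upload-artifact@v7
        with:
          name: pvs-studio-${{ matrix.board }}
          path: pvs-studio-${{ matrix.board }}.sarif

  SonarQube:
    # Needs SONAR_TOKEN; same upstream-only / no-fork-PR guard as PVS-Studio.
    if: github.repository_owner == 'hathach' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false)
    runs-on: ubuntu-latest
    env:
      BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory
    strategy:
      fail-fast: false
      matrix:
        board:
          - 'stm32h743eval'
    steps:
      - name: Checkout TinyUSB
        uses: actions/checkout@v6
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis

      - name: Get Dependencies
        uses: ./.github/actions/get_deps
        with:
          arg: -b${{ matrix.board }}

      - name: Setup Toolchain
        uses: ./.github/actions/setup_toolchain
        with:
          toolchain: 'arm-gcc'

      - name: Install Build Wrapper
        uses: SonarSource/sonarqube-scan-action/install-build-wrapper@v6

      - name: Run Build Wrapper
        run: |
          cmake examples -B build -G Ninja -DBOARD=${{ matrix.board }} -DCMAKE_BUILD_TYPE=MinSizeRel
          build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} cmake --build build/

      - name: SonarQube Scan
        uses: SonarSource/sonarqube-scan-action@v6
        env:
          # The token is only exposed to the scanner step, not the whole job.
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          # Consult https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner/ for more information and options
          args: >
            --define sonar.cfamily.compile-commands=${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json

  IAR-CStat:
    # Disabled for now. When re-enabled it needs IAR_LMS_BEARER_TOKEN, so use
    # the same guard as the other secret-bearing jobs:
    # if: github.repository_owner == 'hathach' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false)
    if: false
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        board:
          - 'b_g474e_dpow1'
    steps:
      - name: Checkout TinyUSB
        uses: actions/checkout@v6

      - name: Get Dependencies
        uses: ./.github/actions/get_deps
        with:
          arg: -b${{ matrix.board }}

      - name: Setup Toolchain
        uses: ./.github/actions/setup_toolchain
        with:
          toolchain: 'arm-iar'

      - name: Install CMake 4.2
        run: |
          # IAR CSTAT requires CMake >= 4.1
          CMAKE_VER=4.2.0-rc1
          wget -q https://github.com/Kitware/CMake/releases/download/v${CMAKE_VER}/cmake-${CMAKE_VER}-linux-x86_64.tar.gz
          # Check the tarball against the SHA-256 list Kitware publishes with
          # each release before unpacking it onto PATH; a truncated or swapped
          # download must not become the build's cmake.
          # NOTE(review): the digest list comes from the same origin as the
          # tarball; pinning the expected SHA-256 in this workflow is stronger.
          wget -q https://github.com/Kitware/CMake/releases/download/v${CMAKE_VER}/cmake-${CMAKE_VER}-SHA-256.txt
          sha256sum --ignore-missing --check cmake-${CMAKE_VER}-SHA-256.txt
          tar -xzf cmake-${CMAKE_VER}-linux-x86_64.tar.gz
          echo "${{ github.workspace }}/cmake-${CMAKE_VER}-linux-x86_64/bin" >> $GITHUB_PATH

      - name: Build and run IAR C-STAT Analysis
        env:
          IAR_LMS_BEARER_TOKEN: ${{ secrets.IAR_LMS_BEARER_TOKEN }}
        run: |
          # CMake run post build to generate C-STAT SARIF report
          cmake --version
          mkdir -p build
          cmake examples/device/cdc_msc -B build -G Ninja -DBOARD=${{ matrix.board }} -DTOOLCHAIN=iar -DIAR_CSTAT=1 -DCMAKE_BUILD_TYPE=MinSizeRel
          cmake --build build
          # Merge sarif files for codeql upload.
          # NOTE(review): the npm package is installed unpinned; pin an exact
          # version so a hijacked release cannot run in this job.
          npm i -g @microsoft/sarif-multitool
          npx @microsoft/sarif-multitool merge --merge-runs --output-file iar-cstat-${{ matrix.board }}.sarif build/cstat_sarif/*.sarif

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: iar-cstat-${{ matrix.board }}.sarif
          category: IAR-CStat

      - name: Upload artifact
        uses: actions/upload-artifact@v7
        with:
          name: iar-cstat-${{ matrix.board }}
          path: iar-cstat-${{ matrix.board }}.sarif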