merge codeql and pvs-studio to static_analysis.yml

Author: hathach

.github/workflows/codeql.yml

@@ -41,6 +41,7 @@ jobs:
     # Consider using larger runners for possible analysis time improvements.
     runs-on: ubuntu-latest
     timeout-minutes: 360
+    if: false
     permissions:
       actions: read
       contents: read

.github/workflows/static_analysis.yml

@@ -6,28 +6,80 @@ on:
       - master
   pull_request:
     types: [opened, synchronize, reopened]
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
 jobs:
-#  SonarQube:
-#    name: Build and analyze
-#    runs-on: ubuntu-latest
-#    env:
-#      BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory # Directory where build-wrapper output will be placed
-#    steps:
-#      - uses: actions/checkout@v4
+  CodeQL:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        board:
+          - 'raspberry_pi_pico'
+    steps:
+      - name: Checkout TinyUSB
+        uses: actions/checkout@v4
+
+      - name: Get Dependencies
+        uses: ./.github/actions/get_deps
+        with:
+          arg: -b${{ matrix.board }}
+
+      - name: Setup Toolchain
+        uses: ./.github/actions/setup_toolchain
+        with:
+          toolchain: 'arm-gcc'
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: 'c-cpp'
+          queries: security-and-quality
+
+      - name: Build
+        run: |
+          cmake examples -B build -G Ninja -DBOARD=${{ matrix.board }} -DCMAKE_EXPORT_COMPILE_COMMANDS=ON -DCMAKE_BUILD_TYPE=MinSizeRel
+          cmake --build build
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4
+        with:
+          category: CodeQL
+          upload: always
+        id: step1
+
+#      - name: Filter out unwanted errors and warnings
+#        uses: advanced-security/filter-sarif@v1
 #        with:
-#          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
-#      - name: Install Build Wrapper
-#        uses: SonarSource/sonarqube-scan-action/install-build-wrapper@v6
-#      - name: Run Build Wrapper
-#        run: |
-#          build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} cmake --build --preset ${{ env.BOARD }} -t ${{ env.EXAMPLE }}
-#      - name: SonarQube Scan
-#        uses: SonarSource/sonarqube-scan-action@v6
-#        env:
-#          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+#          patterns: |
+#            -**:cpp/path-injection
+#            -**:cpp/world-writable-file-creation
+#            -**:cpp/poorly-documented-function
+#            -**:cpp/potentially-dangerous-function
+#            -**:cpp/use-of-goto
+#            -**:cpp/integer-multiplication-cast-to-long
+#            -**:cpp/comparison-with-wider-type
+#            -**:cpp/leap-year/*
+#            -**:cpp/ambiguously-signed-bit-field
+#            -**:cpp/suspicious-pointer-scaling
+#            -**:cpp/suspicious-pointer-scaling-void
+#            -**:cpp/unsigned-comparison-zero
+#            -**/third*party/**
+#            -**/3rd*party/**
+#            -**/external/**
+#          input: ${{ steps.step1.outputs.sarif-output }}/cpp.sarif
+#          output: ${{ steps.step1.outputs.sarif-output }}/cpp.sarif
+#
+#      - name: Upload SARIF
+#        uses: github/codeql-action/upload-sarif@v4
 #        with:
-#          args: >
-#            --define "sonar.cfamily.compile-commands=${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json"
+#          sarif_file: ${{ steps.step1.outputs.sarif-output }}
+#          category: CodeQL
+
   PVS-Studio:
     runs-on: ubuntu-latest
     strategy:
@@ -49,14 +101,17 @@ jobs:
         with:
           toolchain: 'arm-gcc'
 
-      - name: Analyze
+      - name: Install Tools
         run: |
           wget -q -O - https://files.pvs-studio.com/etc/pubkey.txt | sudo apt-key add -
           sudo wget -O /etc/apt/sources.list.d/viva64.list https://files.pvs-studio.com/etc/viva64.list
           sudo apt update
           sudo apt install pvs-studio
           pvs-studio-analyzer credentials ${{ secrets.PVS_STUDIO_CREDENTIALS }}
-          cmake examples -B build -G Ninja -DBOARD=${{ matrix.board }} -DCMAKE_BUILD_TYPE=MinSizeRel
+
+      - name: Analyze
+        run: |
+          cmake examples -B build -G Ninja -DBOARD=${{ matrix.board }} -DCMAKE_EXPORT_COMPILE_COMMANDS=ON -DCMAKE_BUILD_TYPE=MinSizeRel
           cmake --build build
           pvs-studio-analyzer analyze -f build/compile_commands.json -j --exclude-path hw/mcu/ --exclude-path lib/
           plog-converter -t sarif -o pvs.sarif PVS-Studio.log
@@ -66,3 +121,25 @@ jobs:
         with:
           sarif_file: pvs.sarif
           category: PVS-Studio
+
+#  SonarQube:
+#    name: Build and analyze
+#    runs-on: ubuntu-latest
+#    env:
+#      BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory # Directory where build-wrapper output will be placed
+#    steps:
+#      - uses: actions/checkout@v4
+#        with:
+#          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+#      - name: Install Build Wrapper
+#        uses: SonarSource/sonarqube-scan-action/install-build-wrapper@v6
+#      - name: Run Build Wrapper
+#        run: |
+#          build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} cmake --build --preset ${{ env.BOARD }} -t ${{ env.EXAMPLE }}
+#      - name: SonarQube Scan
+#        uses: SonarSource/sonarqube-scan-action@v6
+#        env:
+#          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+#        with:
+#          args: >
+#            --define "sonar.cfamily.compile-commands=${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json"