Merge pull request #445 from tropicsquare/ETR01SDK-551-Add-compilation-script-for-CodeChecker

ETR01SDK-551: Add compilation script for CodeChecker

Author: andreondra

docs/for_contributors/codechecker.md

@@ -0,0 +1,56 @@
+# Using the CodeChecker
+The CodeChecker is a tool for performing static code analysis and generating reports.
+We provide scripts and custom configuration for running the CodeChecker.
+
+We regularly run CodeChecker to check for any potential bugs or security issues. It is also
+recommended to run the CodeChecker yourself on any code you plan to contribute, as it can discover
+issues that other tools (compiler, ASAN, ...) can miss.
+
+Note that the CodeChecker is supported on Linux and macOS only.
+
+## Generating Reports
+You need to install the following dependencies:
+
+- CodeChecker
+    - Check out the [official repository](https://github.com/Ericsson/codechecker) for guidance.
+- Checkers for CodeChecker:
+    - clang-tidy
+    - clangsa
+- jq (used by our script for merging JSON reports)
+
+We generate reports from multiple projects (examples and tests) to cover as much CALs and HALs
+as possible. The reports are then merged and exported to HTML.
+
+To generate HTML report, you can use our convenience script. Reports will be
+generated to `.codechecker/reports_html` in the Libtropic repository.
+
+!!! example "Generating HTML report"
+    === ":fontawesome-brands-linux: Linux"
+        ```bash { .copy }
+        # Run from root directory of the Libtropic repository.
+        scripts/codechecker/run_checks.sh
+        ```
+
+    === ":fontawesome-brands-apple: macOS"
+        TBA
+
+??? note "Note: Running from a different directory"
+    The script also supports running from a different directory, but you have to pass
+    a path to the Libtropic repository as a first argument:
+
+    !!! example "Generating HTML report from any directory"
+        === ":fontawesome-brands-linux: Linux"
+            ```bash { .copy }
+            scripts/codechecker/run_checks.sh <path_to_repo>
+            ```
+
+        === ":fontawesome-brands-apple: macOS"
+            TBA
+
+If the script executes without any errors, exports will be ready and you can open
+`.codechecker/reports_html/index.html` in your favourite web browser.
+
+## Remarks
+The current CodeChecker configuration is in YAML format, as it is more human-readable than JSON and also supports comments.  
+
+The configuration file enables some strict checkers, which may produce a lot of warnings. It is recommended to run the analysis using the full configuration at least once. After that, you can manually disable any checkers you find unnecessary.

docs/for_contributors/index.md

@@ -2,5 +2,6 @@
 - [Contributing Guide](contributing_guide.md)
 - [Building the Documentation](building_documentation.md)
 - [Tests](tests/index.md)
+- [Using the CodeChecker](codechecker.md)
 - [Adding a New Host Platform](adding_host_platform.md)
 - [Adding a New Cryptographic Functionality Provider](adding_cfp.md)

mkdocs.yml

@@ -125,6 +125,7 @@ nav:
       - Functional Tests: for_contributors/tests/functional_tests.md
       - Functional Mock Tests: for_contributors/tests/functional_mock_tests.md
       - Code Coverage: for_contributors/tests/code_coverage.md
+    - Using the CodeChecker: for_contributors/codechecker.md
     - Adding a New Host Platform: for_contributors/adding_host_platform.md
     - Adding a New Cryptographic Functionality Provider: for_contributors/adding_cfp.md
   - FAQ: faq.md

scripts/codechecker/README.md

@@ -3,7 +3,10 @@
 +*/libtropic/cal/*
 +*/libtropic/hal/*
 +*/libtropic/include/*
-+*/libtropic/examples/*
+
+# Disable checking of source codes of examples,
+# as we intentionally omit some checks and patterns for simplicity.
+# +*/libtropic/examples/*/main.c
 
 # Skip everything else (vendor libs, CMake internal libs...)
 -*

scripts/codechecker/codechecker.skip

@@ -1,10 +1,4 @@
 analyzer:
-    ################################################
-    # Configure skipfile to select which sources
-    # to check.
-    ################################################
-    - --skip=scripts/codechecker/codechecker.skip
-
     ################################################
     # Enable / disable checks
     ################################################
@@ -48,11 +42,6 @@ analyzer:
     ################################################
     - --ctu-all
 
-    ################################################
-    # Export setup
-    ################################################
-    - --output=.codechecker/reports
-
     ################################################
     # Checker selection
     ################################################

scripts/codechecker/codechecker_build.sh

@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+
+# This script builds Libtropic in multiple configurations for CodeChecker evaluation.
+#
+# Majority of platforms are built using examples, as they are quicker to build,
+# the model is built using tests, as they allow to change CAL, which has
+# to be done for one target.
+
+set -eo pipefail
+
+LT_ROOT_DIR="."
+
+if [ -z "$1" ]; then
+    echo "Assuming Libtropic root directory is a current working directory."
+    echo "To change the Libtropic root directory, pass it as the first argument:"
+    echo "  $0 <path_to_libtropic>"
+else
+    LT_ROOT_DIR="${1%/}" # Remove last trailing slash (if any present)
+    echo "Libtropic root directory set to: $LT_ROOT_DIR"
+fi
+
+echo "Checking dependencies..."
+if ! command -v CodeChecker >/dev/null 2>&1; then
+    echo "Missing CodeChecker! Install and try again."
+    exit 1
+fi
+if ! command -v jq >/dev/null 2>&1; then
+    echo "Missing jq! Install and try again."
+    exit 1
+fi
+if ! command -v cmake >/dev/null 2>&1; then  
+    echo "Missing cmake! Install and try again."  
+    exit 1  
+fi  
+if ! command -v make >/dev/null 2>&1; then  
+    echo "Missing make! Install and try again."  
+    exit 1  
+fi  
+
+# Recreating directories
+rm -fr "$LT_ROOT_DIR/.codechecker/"
+mkdir -p "$LT_ROOT_DIR/.codechecker/compile_commands"
+mkdir -p "$LT_ROOT_DIR/.codechecker/reports"
+mkdir -p "$LT_ROOT_DIR/.codechecker/reports_html"
+
+# Linux USB DevKit + MbedTLSv4
+CodeChecker log -b "cd \"$LT_ROOT_DIR/examples/linux/usb_devkit/hello_world\" && rm -rf build && mkdir build && cd build && cmake .. && make -j" \
+                -o "$LT_ROOT_DIR/.codechecker/compile_commands/usb_devkit_compile_commands.json"
+
+# Linux SPI + MbedTLSv4
+CodeChecker log -b "cd \"$LT_ROOT_DIR/examples/linux/spi/hello_world\" && rm -rf build && mkdir build && cd build && cmake .. && make -j" \
+                -o "$LT_ROOT_DIR/.codechecker/compile_commands/linux_spi_compile_commands.json"
+
+# Model + all CALs
+CALS=("trezor_crypto" "mbedtls_v4" "openssl" "wolfcrypt")
+for CURRENT_CAL in "${CALS[@]}"; do
+    CodeChecker log -b "cd \"$LT_ROOT_DIR/tests/functional/model\" && rm -rf build && mkdir build && cd build && cmake -DLT_CAL=$CURRENT_CAL .. && make -j" \
+                    -o "$LT_ROOT_DIR/.codechecker/compile_commands/model_${CURRENT_CAL}_compile_commands.json"
+done
+
+# Merge compile_commands.json files
+# Change temporarily to the directory, so we support
+# also special symbols in the path specified by $LT_ROOT_DIR.
+(cd "$LT_ROOT_DIR/.codechecker/compile_commands" && \
+    jq -s 'add' ./*_compile_commands.json \
+    > "../merged_compile_commands.json")
+
+set +e
+# Run analysis on merged compilation database
+CodeChecker analyze "$LT_ROOT_DIR/.codechecker/merged_compile_commands.json" \
+                    --config "$LT_ROOT_DIR/scripts/codechecker/codechecker_config.yml" \
+                    --skip "$LT_ROOT_DIR/scripts/codechecker/codechecker.skip" \
+                    -o "$LT_ROOT_DIR/.codechecker/reports"
+set -e
+
+CodeChecker parse "$LT_ROOT_DIR/.codechecker/reports" \
+                  -e html \
+                  -o "$LT_ROOT_DIR/.codechecker/reports_html"