add GH action for scan build

add scan target to Makefile

Author: miyazakh

.github/workflows/static-analysis.yml

@@ -63,6 +63,37 @@ jobs:
         echo "❌ Static analysis failed - errors or warnings were found"
         exit 1
 
+  scan-build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout wolfHSM
+      uses: actions/checkout@v4
+      with:
+        path: wolfHSM
+
+    - name: Checkout wolfssl
+      uses: actions/checkout@v4
+      with:
+        repository: wolfssl/wolfssl
+        path: wolfssl
+
+    - name: Install dependencies
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y clang build-essential clang-tools
+
+    - name: Run scan-build
+      id: scan-build
+      run:
+        cd wolfHSM && make scan
+
+    - name: Fail if scan-build issues found
+      if: steps.scan-build.outcome == 'failure'
+      run: |
+        echo "❌ scan-build analysis failed - errors or warnings were found"
+        exit 1
+
   clang-tidy:
     runs-on: ubuntu-latest
 
@@ -106,7 +137,6 @@ jobs:
             echo ""
             # Show first 50 issues to avoid overwhelming output
             head -50 tools/static-analysis/reports/clang_tidy_summary.txt
-            
             TOTAL_ISSUES=$((ERROR_COUNT + WARNING_COUNT))
             if [ "$TOTAL_ISSUES" -gt 50 ]; then
               echo ""

Makefile

@@ -15,6 +15,36 @@ tools:
 examples:
 	make -C examples
 
+SCAN_DIR = ./scan_out
+
+scan_result_check:
+	@num=$$(grep -h -o '^[0-9]\+ warnings\? generated' ./$(SCAN_DIR)/*.log | grep -o '^[0-9]\+' | awk '{s+=$$1} END {print s}');\
+	if [ -z "$$num" ]; then \
+		echo "no warnings found";\
+		exit 0; \
+	fi; \
+	if [ $$num -ne 0 ]; then \
+		echo "scan-build found $$num warnings";\
+		for f in $(SCAN_DIR)/*.log; do \
+			echo "---- $$f ----"; \
+			cat $$f; \
+			echo ""; \
+		done; \
+		exit 1; \
+	fi;
+
+
+scan:
+	@echo "Running scan-build static analysis"
+	@rm -rf $(SCAN_DIR)
+	@mkdir -p $(SCAN_DIR)
+	@make clean
+	-@make SCAN=1 -C test scan
+	-@make SCAN=1 -C benchmark scan
+	-@make NOCRYPTO=1 SCAN=1 -C tools/whnvmtool scan
+	-@make NOCRYPTO=1 SCAN=1 -C examples
+	@$(MAKE) scan_result_check
+
 clean:
 	make -C test clean
 	make -C benchmark clean

benchmark/Makefile

@@ -103,6 +103,12 @@ ifeq ($(NOCRYPTO),1)
 	DEF += -DWOLFHSM_CFG_NO_CRYPTO
 endif
 
+ifeq ($(SCAN),1)
+	SCAN_LOG = scan_benchmark.log
+	# Default target
+	.DEFAULT_GOAL := scan
+endif
+
 # Support a DMA-capable build
 ifeq ($(DMA),1)
 	DEF += -DWOLFHSM_CFG_DMA
@@ -161,6 +167,13 @@ build_static: $(BUILD_DIR) $(BUILD_DIR)/$(BIN).a
 	@echo ""
 	$(CMD_ECHO) $(SIZE) $(BUILD_DIR)/$(BIN).a
 
+analyze: $(OBJS_ASM) $(OBJS_C)
+
+scan:$(BUILD_DIR)
+	@echo "Running scan-build static analysis"
+	@mkdir -p $(WOLFHSM_DIR)/scan_out/
+	@scan-build --status-bugs $(MAKE) analyze 2> $(WOLFHSM_DIR)/scan_out/$(SCAN_LOG)
+
 $(BUILD_DIR):
 	$(CMD_ECHO) mkdir -p $(BUILD_DIR)
 

examples/demo/client/wh_demo_client_crypto.c

@@ -40,6 +40,8 @@
 
 #include "wh_demo_client_crypto.h"
 
+#ifndef WOLFHSM_CFG_NO_CRYPTO
+
 #if !defined(NO_RSA)
 
 /*
@@ -1359,3 +1361,4 @@ int wh_DemoClient_CryptoCmacOneshotImport(whClientContext* clientContext)
     return ret;
 }
 #endif /* WOLFSSL_CMAC && !NO_AES */
+#endif /* WOLFHSM_CFG_NO_CRYPTO */

examples/demo/client/wh_demo_client_keystore.c

@@ -121,7 +121,7 @@ int wh_DemoClient_KeystoreCommitKey(whClientContext* clientContext)
     return WH_ERROR_OK;
 }
 
-#ifndef NO_AES
+#if  !defined(NO_AES) && !defined(WOLFHSM_CFG_NO_CRYPTO)
 int wh_DemoClient_KeystoreAes(whClientContext* clientContext)
 {
     int      ret;