zephyrproject-rtos · dependabot · Jun 10, 2025 · Jun 12, 2025 · Jun 12, 2025 · Jun 12, 2025
diff --git a/.github/workflows/eclair.yaml b/.github/workflows/eclair.yaml
@@ -0,0 +1,154 @@
+name: Eclair Code Scanning
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+      - v*-branch
+      - collab-*
+permissions:
+  contents: read
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  EclairScanCode:
+    if: github.repository_owner == 'zephyrproject-rtos'
+    runs-on:
+      group: zephyr-runner-v2-linux-x64-4xlarge
+    container:
+      image: ghcr.io/zephyrproject-rtos/ci-repo-cache:v0.28.0.20250523
+      options: '--entrypoint /bin/bash'
+    permissions:
+      pull-requests: write # to create/update pull request comments
+      security-events: write
+    steps:
+      - name: Print cloud service information
+        run: |
+          echo "ZEPHYR_RUNNER_CLOUD_PROVIDER = ${ZEPHYR_RUNNER_CLOUD_PROVIDER}"
+          echo "ZEPHYR_RUNNER_CLOUD_NODE = ${ZEPHYR_RUNNER_CLOUD_NODE}"
+          echo "ZEPHYR_RUNNER_CLOUD_POD = ${ZEPHYR_RUNNER_CLOUD_POD}"
+
+      - name: Apply container owner mismatch workaround
+        run: |
+          # FIXME: The owner UID of the GITHUB_WORKSPACE directory may not
+          #        match the container user UID because of the way GitHub
+          #        Actions runner is implemented. Remove this workaround when
+          #        GitHub comes up with a fundamental fix for this problem.
+          git config --global --add safe.directory ${GITHUB_WORKSPACE}
+
+      - name: Clone cached Zephyr repository
+        continue-on-error: true
+        run: |
+          git clone --shared /repo-cache/zephyrproject/zephyr .
+          git remote set-url origin ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}
+
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Environment Setup
+        run: |
+          if [ "${{github.event_name}}" = "pull_request" ]; then
+            git config --global user.email "[email protected]"
+            git config --global user.name "Zephyr Builder"
+            rm -fr ".git/rebase-apply"
+            rm -fr ".git/rebase-merge"
+            git rebase origin/${BASE_REF}
+            git clean -f -d
+            git log  --pretty=oneline | head -n 10
+          fi
+          echo "$HOME/.local/bin" >> $GITHUB_PATH
+          echo "$HOME/.cargo/bin" >> $GITHUB_PATH
+
+          west init -l . || true
+          west config manifest.group-filter -- +ci,+optional
+          west config --global update.narrow true
+          west update --path-cache /repo-cache/zephyrproject 2>&1 1> west.update.log || west update --path-cache /repo-cache/zephyrproject 2>&1 1> west.update.log || ( rm -rf ../modules ../bootloader ../tools && west update --path-cache /repo-cache/zephyrproject)
+          west forall -c 'git reset --hard HEAD'
+
+          echo "ZEPHYR_SDK_INSTALL_DIR=/opt/toolchains/zephyr-sdk-$( cat SDK_VERSION )" >> $GITHUB_ENV
+
+      - name: Check Environment
+        run: |
+          cmake --version
+          gcc --version
+          cargo --version
+          rustup target list --installed
+          ls -la
+          echo "github.ref: ${{ github.ref }}"
+          echo "github.base_ref: ${{ github.base_ref }}"
+          echo "github.ref_name: ${{ github.ref_name }}"
+
+      - name: SCA Setup
+        uses: zephyrproject-rtos/action-sca-setup@main
+        with:
+          tool-name: eclair
+          install-dir: eclair
+          s3-access-key-id: ${{ secrets.TOOLDIST_ACCESS_KEY }}
+          s3-secret-access-key: ${{ secrets.TOOLDIST_SECRET_ACCESS_KEY }}
+          license-server: ${{ secrets.TOOLDIST_ECLAIR_LICENSE_SERVER }}
+          license-key-ttl: 480
+
+      - name: Set Up Python 3.12
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        with:
+          python-version: 3.12
+          cache: pip
+          cache-dependency-path: scripts/requirements-actions.txt
+
+      - name: install-packages
+        run: |
+          pip install -r scripts/requirements-actions.txt --require-hashes
+          sudo apt-get update
+          sudo apt-get install -y jq
+
+      - name: Scan code with Eclair
+        run: |
+          ./scripts/twister -j 16 -p qemu_x86  -T samples/synchronization -i --build-only -v  -xZEPHYR_SCA_VARIANT=eclair -x=USE_CCACHE=0 -xECLAIR_REPORTS_SARIF=1
+          jq -s '{ "$schema": "https://json.schemastore.org/sarif-2.1.0", "version": "2.1.0", "runs": map(.runs) | add }'  $(find twister-out -name "reports.sarif")  > results.sarif
+          jq --arg basepath "file://${GITHUB_WORKSPACE}/" '
+            .runs[].results[] |= (
+             # Remove partialFingerprints if it exists
+             del(.partialFingerprints)
+             |
+            .locations[]? |= (
+            .physicalLocation.artifactLocation.uri
+            |= if type == "string" then ($basepath + .) else . end
+            )
+            | .relatedLocations[]? |= (
+            .physicalLocation.artifactLocation.uri
+            |= if type == "string" then ($basepath + .) else . end
+            )
+            )
+            ' results.sarif > results_tmp.sarif
+          mv results_tmp.sarif results.sarif
+
+          ver=`git describe`
+          echo "PAYLOAD_VERSION=${ver}" >> $GITHUB_ENV
+          echo "PAYLOAD_DESC=${ver}" >> $GITHUB_ENV
+      - name: Clean up
+        if: always()
+        run: |
+          eclair_licman -c 57350
+
+      - name: Upload SARIF as artifact
+        if: always() && github.event_name == 'push'
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: sarif
+          if-no-files-found: ignore
+          path: |
+            results.sarif
+
+      - name: Upload Analysis Results
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
diff --git a/cmake/sca/eclair/ECL/analysis_first_analysis.ecl b/cmake/sca/eclair/ECL/analysis_first_analysis.ecl
@@ -12,10 +12,82 @@
 https://docs.zephyrproject.org/latest/contribute/coding_guidelines/index.html"
 -enable=MC3R1.R8.2
 -enable=MC3R1.R10.2
+-enable=MC3R1.R10.4
 -enable=MC3R1.R10.5
 -enable=MC3R1.R10.6
 -enable=MC3R1.R11.2
 -enable=MC3R1.R12.4
 -enable=MC3R1.R13.4
+-enable=MC3R1.R16.2
+-enable=MC3R1.R16.3
+-enable=MC3R1.R16.4
+-enable=MC3R1.R16.5
+-enable=MC3R1.R16.6
+-enable=MC3R1.R16.7
+-enable=MC3R1.D4.9
+-enable=MC3R1.R7.1
+-enable=MC3R1.R13.5
+-enable=MC3R1.R10.8
+-enable=MC3R1.R3.1
+-enable=MC3R1.R10.4
+-enable=MC3R1.R11.9
+-enable=MC3R1.R11.6
+-enable=MC3R1.R11.8
+-enable=MC3R1.R14.4
+-enable=MC3R1.R13.2
+-enable=MC3R1.R8.4
+-enable=MC3R1.R2.7
+-enable=MC3R1.R12.2
+-enable=MC3R1.R10.6
+-enable=MC3R1.R17.7
+-enable=MC3R1.R18.2
+-enable=MC3R1.D4.13
+-enable=MC3R1.D4.5
+-enable=MC3R1.R17.1
+-enable=MC3R1.R9.1
+-enable=MC3R1.R5.4
 -enable=MC3R1.R16.1
+-enable=MC3R1.R16.3
+-enable=MC3R1.R21.6
+-enable=MC3R1.D4.2
+-enable=MC3R1.R21.18
+-enable=MC3R1.D4.1
+-enable=MC3R1.R6.1
+-enable=MC3R1.R13.3
+-enable=MC3R1.R8.2
+-enable=MC3R1.R15.7
+-enable=MC3R1.R20.9
+-enable=MC3R1.R18.3
+-enable=MC3R1.R19.1
+-enable=MC3R1.R8.9
+-enable=MC3R1.R21.2
+-enable=MC3R1.D4.10
+-enable=MC3R1.R2.2
+-enable=MC3R1.R12.4
+-enable=MC3R1.D4.7
+-enable=MC3R1.R1.3
+-enable=MC3R1.R8.14
+-enable=MC3R1.R21.15
+-enable=MC3R1.R13.4
+-enable=MC3R1.R18.6
+-enable=MC3R1.D4.12
+-enable=MC3R1.R15.3
+-enable=MC3R1.R21.3
+-enable=MC3R1.R22.5
+-enable=MC3R1.D4.4
+-enable=MC3R1.R5.5
+-enable=MC3R1.R10.5
+-enable=MC3R1.R10.7
+-enable=MC3R1.R13.1
+-enable=MC3R1.R5.3
+-enable=MC3R1.R18.8
+-enable=MC3R1.R7.2
+-enable=MC3R1.R7.4
+-enable=MC3R1.R8.12
+-enable=MC3R1.R9.3
+-enable=MC3R1.R10.2
+-enable=MC3R1.R18.1
+-enable=MC3R1.R18.5
+-enable=MC3R1.R21.16
+
 -doc_end