suricata/.github/workflows/scan-build.yml

name: Scan-build

on:
  - push
  - pull_request

jobs:
  scan-build:
    name: Scan-build
    runs-on: ubuntu-latest
    container: ubuntu:23.04
    steps:
      - name: Cache scan-build
        uses: actions/cache@v3.3.1
        with:
          path: ~/.cargo
          key: scan-build

      - name: Install system packages
        run: |
          apt update
          apt -y install \
                libpcre2-dev \
                build-essential \
                autoconf \
                automake \
                cargo \
                cbindgen \
                clang-16 \
                clang-tools-16 \
                dpdk-dev \
                git \
                libtool \
                libpcap-dev \
                libnet1-dev \
                libyaml-0-2 \
                libyaml-dev \
                libcap-ng-dev \
                libcap-ng0 \
                libmagic-dev \
                libnetfilter-log-dev \
                libnetfilter-queue-dev \
                libnetfilter-queue1 \
                libnfnetlink-dev \
                libnfnetlink0 \
                libnuma-dev \
                libhiredis-dev \
                libhyperscan-dev \
                liblua5.1-dev \
                libjansson-dev \
                libevent-dev \
                libevent-pthreads-2.1-7 \
                libjansson-dev \
                liblz4-dev \
                llvm-16-dev \
                make \
                python3-yaml \
                rustc \
                software-properties-common \
                zlib1g \
                zlib1g-dev
      - uses: actions/checkout@v3.5.3
      - run: ./scripts/bundle.sh
      - run: ./autogen.sh
      - run: scan-build-16 ./configure --enable-dpdk --enable-nfqueue --enable-nflog
        env:
          CC: clang-16
      # exclude libhtp from the analysis
      # disable security.insecureAPI.DeprecatedOrUnsafeBufferHandling explicitly as
      # this will require significant effort to address.
      - run: |
          scan-build-16 --status-bugs --exclude libhtp/ \
                -enable-checker valist.Uninitialized \
                -enable-checker valist.CopyToSelf \
                -enable-checker valist.Unterminated \
                -enable-checker security.insecureAPI.bcmp \
                -enable-checker security.insecureAPI.bcopy \
                -enable-checker security.insecureAPI.bzero \
                -enable-checker security.insecureAPI.rand \
                -enable-checker security.insecureAPI.strcpy \
                -enable-checker security.insecureAPI.decodeValueOfObjCType \
                -enable-checker security.FloatLoopCounter \
                -enable-checker optin.portability.UnixAPI \
                -enable-checker optin.performance.GCDAntipattern \
                -enable-checker nullability.NullableReturnedFromNonnull \
                -enable-checker nullability.NullablePassedToNonnull \
                -enable-checker nullability.NullableDereferenced \
                -enable-checker optin.performance.Padding \
                \
                -disable-checker security.insecureAPI.DeprecatedOrUnsafeBufferHandling \
                \
                make
        env:
          CC: clang-16
github: add scan-build workflow Add scan-build workflow that fails on any warning. Exclude libhtp as there is still one open issue there. 2 years ago			`name: Scan-build`

			`on:`
			`- push`
			`- pull_request`

			`jobs:`
			`scan-build:`
			`name: Scan-build`
			`runs-on: ubuntu-latest`
			`container: ubuntu:23.04`
			`steps:`
			`- name: Cache scan-build`
github-ci: update actions/cache to v3.3.1 2 years ago			`uses: actions/cache@v3.3.1`
github: add scan-build workflow Add scan-build workflow that fails on any warning. Exclude libhtp as there is still one open issue there. 2 years ago			`with:`
			`path: ~/.cargo`
			`key: scan-build`

			`- name: Install system packages`
			`run: \|`
			`apt update`
			`apt -y install \`
			`libpcre2-dev \`
			`build-essential \`
			`autoconf \`
			`automake \`
			`cargo \`
			`cbindgen \`
			`clang-16 \`
			`clang-tools-16 \`
github-ci: add dpdk, nfqueue, nflog to scan-build 2 years ago			`dpdk-dev \`
github: add scan-build workflow Add scan-build workflow that fails on any warning. Exclude libhtp as there is still one open issue there. 2 years ago			`git \`
			`libtool \`
			`libpcap-dev \`
			`libnet1-dev \`
			`libyaml-0-2 \`
			`libyaml-dev \`
			`libcap-ng-dev \`
			`libcap-ng0 \`
			`libmagic-dev \`
github-ci: add dpdk, nfqueue, nflog to scan-build 2 years ago			`libnetfilter-log-dev \`
github: add scan-build workflow Add scan-build workflow that fails on any warning. Exclude libhtp as there is still one open issue there. 2 years ago			`libnetfilter-queue-dev \`
			`libnetfilter-queue1 \`
			`libnfnetlink-dev \`
			`libnfnetlink0 \`
			`libnuma-dev \`
			`libhiredis-dev \`
			`libhyperscan-dev \`
			`liblua5.1-dev \`
			`libjansson-dev \`
			`libevent-dev \`
			`libevent-pthreads-2.1-7 \`
			`libjansson-dev \`
github-ci: add dpdk, nfqueue, nflog to scan-build 2 years ago			`liblz4-dev \`
github: add scan-build workflow Add scan-build workflow that fails on any warning. Exclude libhtp as there is still one open issue there. 2 years ago			`llvm-16-dev \`
			`make \`
			`python3-yaml \`
			`rustc \`
			`software-properties-common \`
			`zlib1g \`
			`zlib1g-dev`
github-ci: update actions/checkout to v3.5.3 2 years ago			`- uses: actions/checkout@v3.5.3`
github: add scan-build workflow Add scan-build workflow that fails on any warning. Exclude libhtp as there is still one open issue there. 2 years ago			`- run: ./scripts/bundle.sh`
			`- run: ./autogen.sh`
github-ci: add dpdk, nfqueue, nflog to scan-build 2 years ago			`- run: scan-build-16 ./configure --enable-dpdk --enable-nfqueue --enable-nflog`
github: add scan-build workflow Add scan-build workflow that fails on any warning. Exclude libhtp as there is still one open issue there. 2 years ago			`env:`
			`CC: clang-16`
			`# exclude libhtp from the analysis`
github-ci: add padding check to scan-build 2 years ago			`# disable security.insecureAPI.DeprecatedOrUnsafeBufferHandling explicitly as`
			`# this will require significant effort to address.`
github-ci: add more scan-build checks Explicitly disable: security.insecureAPI.DeprecatedOrUnsafeBufferHandling optin.performance.Padding 2 years ago			`- run: \|`
			`scan-build-16 --status-bugs --exclude libhtp/ \`
			`-enable-checker valist.Uninitialized \`
			`-enable-checker valist.CopyToSelf \`
			`-enable-checker valist.Unterminated \`
			`-enable-checker security.insecureAPI.bcmp \`
			`-enable-checker security.insecureAPI.bcopy \`
			`-enable-checker security.insecureAPI.bzero \`
			`-enable-checker security.insecureAPI.rand \`
			`-enable-checker security.insecureAPI.strcpy \`
			`-enable-checker security.insecureAPI.decodeValueOfObjCType \`
			`-enable-checker security.FloatLoopCounter \`
			`-enable-checker optin.portability.UnixAPI \`
			`-enable-checker optin.performance.GCDAntipattern \`
			`-enable-checker nullability.NullableReturnedFromNonnull \`
			`-enable-checker nullability.NullablePassedToNonnull \`
			`-enable-checker nullability.NullableDereferenced \`
github-ci: add padding check to scan-build 2 years ago			`-enable-checker optin.performance.Padding \`
github-ci: add more scan-build checks Explicitly disable: security.insecureAPI.DeprecatedOrUnsafeBufferHandling optin.performance.Padding 2 years ago			`\`
			`-disable-checker security.insecureAPI.DeprecatedOrUnsafeBufferHandling \`
			`\`
			`make`
github: add scan-build workflow Add scan-build workflow that fails on any warning. Exclude libhtp as there is still one open issue there. 2 years ago			`env:`
			`CC: clang-16`