add scan build github action

Author: miyazakh

.github/workflows/static-analysis.yml

@@ -63,6 +63,37 @@ jobs:
         echo "❌ Static analysis failed - errors or warnings were found"
         exit 1
 
+  scan-build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout wolfHSM
+      uses: actions/checkout@v4
+      with:
+        path: wolfHSM
+
+    - name: Checkout wolfssl
+      uses: actions/checkout@v4
+      with:
+        repository: wolfssl/wolfssl
+        path: wolfssl
+
+    - name: Install dependencies
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y clang build-essential clang-tools
+
+    - name: Run scan-build
+      id: scan-build
+      run:
+        cd wolfHSM && make scan
+
+    - name: Fail if scan-build issues found
+      if: steps.scan-build.outcome == 'failure'
+      run: |
+        echo "❌ scan-build analysis failed - errors or warnings were found"
+        exit 1
+
   clang-tidy:
     runs-on: ubuntu-latest
 
@@ -106,7 +137,6 @@ jobs:
             echo ""
             # Show first 50 issues to avoid overwhelming output
             head -50 tools/static-analysis/reports/clang_tidy_summary.txt
-            
             TOTAL_ISSUES=$((ERROR_COUNT + WARNING_COUNT))
             if [ "$TOTAL_ISSUES" -gt 50 ]; then
               echo ""

Makefile

@@ -15,6 +15,35 @@ tools:
 examples:
 	make -C examples
 
+SCAN_DIR = ./scan_out
+
+scan_result_check:
+	@num=$$(grep -h -o '^[0-9]\+ warnings\? generated' ./$(SCAN_DIR)/*.log | grep -o '^[0-9]\+' | awk '{s+=$$1} END {print s}');\
+	if [ -z "$$num" ]; then \
+		echo "no warnings found";\
+		exit 0; \
+	fi; \
+	if [ $$num -ne 0 ]; then \
+		echo "scan-build found $$num warnings";\
+		for f in $(SCAN_DIR)/*.log; do \
+			echo "---- $$f ----"; \
+			cat $$f; \
+			echo ""; \
+		done; \
+		exit 1; \
+	fi;
+
+scan:
+	@echo "Running scan-build static analysis"
+	@rm -rf $(SCAN_DIR)
+	@mkdir -p $(SCAN_DIR)
+	@make clean
+	-@make SCAN=1 -C test scan
+	-@make SCAN=1 -C benchmark scan
+	-@make NOCRYPTO=1 SCAN=1 -C tools/whnvmtool scan
+	-@make NOCRYPTO=1 SCAN=1 -C examples
+	@$(MAKE) scan_result_check
+
 clean:
 	make -C test clean
 	make -C benchmark clean

benchmark/Makefile

@@ -103,6 +103,12 @@ ifeq ($(NOCRYPTO),1)
 	DEF += -DWOLFHSM_CFG_NO_CRYPTO
 endif
 
+ifeq ($(SCAN),1)
+	SCAN_LOG = scan_benchmark.log
+	# Default target
+	.DEFAULT_GOAL := scan
+endif
+
 # Support a DMA-capable build
 ifeq ($(DMA),1)
 	DEF += -DWOLFHSM_CFG_DMA
@@ -161,6 +167,13 @@ build_static: $(BUILD_DIR) $(BUILD_DIR)/$(BIN).a
 	@echo ""
 	$(CMD_ECHO) $(SIZE) $(BUILD_DIR)/$(BIN).a
 
+analyze: $(OBJS_ASM) $(OBJS_C)
+
+scan:$(BUILD_DIR)
+	@echo "Running scan-build static analysis"
+	@mkdir -p $(WOLFHSM_DIR)/scan_out/
+	@scan-build --status-bugs $(MAKE) analyze 2> $(WOLFHSM_DIR)/scan_out/$(SCAN_LOG)
+
 $(BUILD_DIR):
 	$(CMD_ECHO) mkdir -p $(BUILD_DIR)
 

examples/demo/client/wh_demo_client_crypto.c

@@ -40,6 +40,8 @@
 
 #include "wh_demo_client_crypto.h"
 
+#ifndef WOLFHSM_CFG_NO_CRYPTO
+
 #if !defined(NO_RSA)
 
 /*
@@ -1357,3 +1359,4 @@ int wh_DemoClient_CryptoCmacOneshotImport(whClientContext* clientContext)
     return ret;
 }
 #endif /* WOLFSSL_CMAC && !NO_AES */
+#endif /* WOLFHSM_CFG_NO_CRYPTO */

examples/demo/client/wh_demo_client_keystore.c

@@ -121,7 +121,7 @@ int wh_DemoClient_KeystoreCommitKey(whClientContext* clientContext)
     return WH_ERROR_OK;
 }
 
-#ifndef NO_AES
+#if !defined(NO_AES) && !defined(WOLFHSM_CFG_NO_CRYPTO)
 int wh_DemoClient_KeystoreAes(whClientContext* clientContext)
 {
     int      ret;

examples/demo/client/wh_demo_client_secboot.c

@@ -98,6 +98,7 @@ static int _showNvm(whClientContext* clientContext)
 
 static int _provisionMakeCommitKey(whClientContext* clientContext)
 {
+#ifndef WOLFHSM_CFG_NO_CRYPTO
     int ret;
 
     /* Use the default ECC curve for 32 byte key, likely P256r1 */
@@ -112,10 +113,15 @@ static int _provisionMakeCommitKey(whClientContext* clientContext)
         ret = wh_Client_KeyCommit(clientContext, prov_keyId);
     }
     return ret;
+#else
+    (void)clientContext;
+    return WH_ERROR_NOTIMPL;
+#endif
 }
 
 static int _sha256File(const char* file_to_measure, uint8_t* hash)
 {
+#ifndef WOLFHSM_CFG_NO_CRYPTO
     int ret = 0;
     int fd = open(file_to_measure, O_RDONLY);
     if (fd >= 0) {
@@ -149,11 +155,17 @@ static int _sha256File(const char* file_to_measure, uint8_t* hash)
         ret = WH_ERROR_BADARGS;
     }
     return ret;
+#else
+    (void)file_to_measure;
+    (void)hash;
+    return WH_ERROR_NOTIMPL;
+#endif
 }
 
 static int _signHash(const uint8_t* hash, size_t hash_len, uint8_t* sig,
                      uint16_t* sig_len)
 {
+#ifndef WOLFHSM_CFG_NO_CRYPTO
     ecc_key key[1];
     int ret = wc_ecc_init_ex(key, NULL, WH_DEV_ID);
     if (ret == 0) {
@@ -169,11 +181,19 @@ static int _signHash(const uint8_t* hash, size_t hash_len, uint8_t* sig,
         (void)wc_ecc_free(key);
     }
     return ret;
+#else
+    (void)hash;
+    (void)hash_len;
+    (void)sig;
+    (void)sig_len;
+    return WH_ERROR_NOTIMPL;
+#endif
 }
 
 static int _verifyHash(const uint8_t* hash, size_t hash_len, const uint8_t* sig,
                        uint16_t sig_len, int32_t* rc)
 {
+#ifndef WOLFHSM_CFG_NO_CRYPTO
     ecc_key key[1];
     int ret = wc_ecc_init_ex(key, NULL, WH_DEV_ID);
     if (ret == 0) {
@@ -189,6 +209,14 @@ static int _verifyHash(const uint8_t* hash, size_t hash_len, const uint8_t* sig,
         (void)wc_ecc_free(key);
     }
     return ret;
+#else
+    (void)hash;
+    (void)hash_len;
+    (void)sig;
+    (void)sig_len;
+    (void)rc;
+    return WH_ERROR_NOTIMPL;
+#endif
 }
 
 int wh_DemoClient_SecBoot_Provision(whClientContext* clientContext)

examples/posix/wh_posix_client/Makefile

@@ -79,6 +79,7 @@ endif
 # Assembly source files
 SRC_ASM +=
 
+ifneq ($(NOCRYPTO),1)
 # wolfCrypt source files
 SRC_C += $(wildcard $(WOLFSSL_DIR)/wolfcrypt/src/*.c)
 
@@ -102,6 +103,16 @@ endif
 SRC_C += $(wildcard $(WOLFSSL_DIR)/wolfcrypt/test/*.c)
 SRC_C += $(wildcard $(WOLFSSL_DIR)/wolfcrypt/benchmark/*.c)
 
+else
+DEF += -DWOLFHSM_CFG_NO_CRYPTO
+endif
+
+ifeq ($(SCAN),1)
+SCAN_LOG = scan_posix_client.log
+# Default target
+.DEFAULT_GOAL := scan
+endif
+
 # wolfHSM source files
 SRC_C +=  $(wildcard $(WOLFHSM_DIR)/src/*.c)
 
@@ -163,6 +174,13 @@ $(BUILD_DIR)/$(BIN).a: $(OBJS_ASM) $(OBJS_C)
 	@echo "Building static library: $(notdir $@)"
 	$(CMD_ECHO) $(AR) -r $@ $^
 
+analyze: $(OBJS_ASM) $(OBJS_C)
+
+scan:$(BUILD_DIR)
+	@echo "Running scan-build static analysis"
+	@mkdir -p $(WOLFHSM_DIR)/scan_out/
+	@scan-build --status-bugs $(MAKE) analyze 2> $(WOLFHSM_DIR)/scan_out/$(SCAN_LOG)
+
 clean:
 	@echo "Cleaning build files"
 	@rm -f 	\
@@ -173,4 +191,3 @@ clean:
 			$(BUILD_DIR)/*.a \
 			$(BUILD_DIR)/*.sym \
 			$(BUILD_DIR)/*.disasm
-

examples/posix/wh_posix_client/wh_posix_client.c

@@ -124,7 +124,7 @@ static int wh_ClientTask(void* cf, const char* type, int test)
             break;
         }
     }
-
+#if defined(DWOLFHSM_CFG_NO_CRYPTO)
     /* Context 1: Client Local Crypto */
     WC_RNG  rng[1];
     uint8_t buffer[128] = {0};
@@ -139,7 +139,7 @@ static int wh_ClientTask(void* cf, const char* type, int test)
     wc_RNG_GenerateBlock(rng, buffer, sizeof(buffer));
     wc_FreeRng(rng);
     wh_Utils_Hexdump("Context 2: Client Remote RNG:\n", buffer, sizeof(buffer));
-
+#endif
 
     (void)wh_Client_CommClose(client);
     (void)wh_Client_Cleanup(client);

examples/posix/wh_posix_server/Makefile

@@ -80,9 +80,19 @@ endif
 SRC_ASM +=
 
 # wolfCrypt source files
+ifneq ($(NOCRYPTO),1)
 SRC_C += $(wildcard $(WOLFSSL_DIR)/wolfcrypt/src/*.c)
 # wolfSSL source files
 SRC_C += $(wildcard $(WOLFSSL_DIR)/src/*.c)
+else
+DEF += -DWOLFHSM_CFG_NO_CRYPTO
+endif
+
+ifeq ($(SCAN),1)
+SCAN_LOG = scan_posix_server.log
+# Default target
+.DEFAULT_GOAL := scan
+endif
 
 # wolfHSM source files
 SRC_C += $(wildcard $(WOLFHSM_DIR)/src/*.c)
@@ -118,6 +128,13 @@ build_static: $(BUILD_DIR) $(BUILD_DIR)/$(BIN).a
 	@echo ""
 	$(CMD_ECHO) $(SIZE) $(BUILD_DIR)/$(BIN).a
 
+analyze: $(OBJS_ASM) $(OBJS_C)
+
+scan:$(BUILD_DIR)
+	@echo "Running scan-build static analysis"
+	@mkdir -p $(WOLFHSM_DIR)/scan_out/
+	@scan-build --status-bugs $(MAKE) analyze 2> $(WOLFHSM_DIR)/scan_out/$(SCAN_LOG)
+
 $(BUILD_DIR):
 	$(CMD_ECHO) mkdir -p $(BUILD_DIR)
 

examples/posix/wh_posix_server/wh_posix_server.c

@@ -35,8 +35,9 @@ static int wh_ServerTask(void* cf, const char* keyFilePath, int keyId,
                          int clientId);
 
 static void _sleepMs(long milliseconds);
+#if !defined(WOLFHSM_CFG_NO_CRYPTO)
 static int  _hardwareCryptoCb(int devId, struct wc_CryptoInfo* info, void* ctx);
-
+#endif
 static void _sleepMs(long milliseconds)
 {
     struct timespec req;
@@ -217,7 +218,7 @@ static int wh_ServerTask(void* cf, const char* keyFilePath, int keyId,
     }
     return ret;
 }
-
+#if !defined(WOLFHSM_CFG_NO_CRYPTO)
 static int _hardwareCryptoCb(int devId, struct wc_CryptoInfo* info, void* ctx)
 {
     (void)devId;
@@ -254,7 +255,7 @@ static int _hardwareCryptoCb(int devId, struct wc_CryptoInfo* info, void* ctx)
     }
     return ret;
 }
-
+#endif
 static void Usage(const char* exeName)
 {
     printf("Usage: %s --key <key_file_path> --id <key_id> --client <client_id> "
@@ -342,7 +343,7 @@ int main(int argc, char** argv)
         printf("Failed to initialize NVM: %d\n", rc);
         return rc;
     }
-
+#if !defined(WOLFHSM_CFG_NO_CRYPTO)
     /* Crypto context */
     whServerCryptoContext crypto[1] = {{
         .devId = INVALID_DEVID,
@@ -405,6 +406,11 @@ int main(int argc, char** argv)
         printf("Failed to wolfCrypt_Cleanup: %d\n", rc);
         return rc;
     }
-
+#else
+    (void)keyFilePath;
+    (void)keyId;
+    (void)clientId;
+    (void)wh_ServerTask;
+#endif
     return rc;
 }