Add scan build github action

.github/workflows/static-analysis.yml

@@ -63,6 +63,37 @@ jobs:
         echo "❌ Static analysis failed - errors or warnings were found"
         exit 1
 
+  scan-build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout wolfHSM
+      uses: actions/checkout@v4
+      with:
+        path: wolfHSM
+
+    - name: Checkout wolfssl
+      uses: actions/checkout@v4
+      with:
+        repository: wolfssl/wolfssl
+        path: wolfssl
+
+    - name: Install dependencies
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y clang build-essential clang-tools
+
+    - name: Run scan-build
+      id: scan-build
+      run:
+        cd wolfHSM && make scan
+
+    - name: Fail if scan-build issues found
+      if: steps.scan-build.outcome == 'failure'
+      run: |
+        echo "❌ scan-build analysis failed - errors or warnings were found"
+        exit 1
+
   clang-tidy:
     runs-on: ubuntu-latest
 
@@ -106,7 +137,6 @@ jobs:
             echo ""
             # Show first 50 issues to avoid overwhelming output
             head -50 tools/static-analysis/reports/clang_tidy_summary.txt
-
             TOTAL_ISSUES=$((ERROR_COUNT + WARNING_COUNT))
             if [ "$TOTAL_ISSUES" -gt 50 ]; then
               echo ""

Makefile

@@ -15,6 +15,41 @@ tools:
 examples:
 	make -C examples
 
+SCAN_DIR = ./scan_out
+
+scan_result_check:
+	@err=$$(grep -h -o 'error: .*' ./$(SCAN_DIR)/*.log | wc -l); \
+	if [ -z "$$err" ]; then \
+		err=0; \
+	fi; \
+	wrn=$$(grep -h -o '^[0-9]\+ warnings\? generated' ./$(SCAN_DIR)/*.log | grep -o '^[0-9]\+' | awk '{s+=$$1} END {print s}');\
+	if [ -z "$$wrn" ]; then \
+		wrn=0; \
+	fi; \
+	if [ $$err -eq 0 -a $$wrn -eq 0 ]; then \
+		echo "no errors or warnings found";\
+		exit 0; \
+	else\
+		echo "scan-build detected $$err errors and $$wrn warnings";\
+		for f in $(SCAN_DIR)/*.log; do \
+			echo "---- $$f ----"; \
+			cat $$f; \
+			echo ""; \
+		done; \
+		exit 1; \
+	fi;
+
+scan:
+	@echo "Running scan-build static analysis"
+	@rm -rf $(SCAN_DIR)
+	@mkdir -p $(SCAN_DIR)
+	@make clean
+	-@make SCAN=1 -C test scan
+	-@make SCAN=1 -C benchmark scan
+	-@make NOCRYPTO=1 SCAN=1 -C tools/whnvmtool scan
+	-@make NOCRYPTO=1 SCAN=1 -C examples
+	@$(MAKE) scan_result_check
+
 clean:
 	make -C test clean
 	make -C benchmark clean

benchmark/Makefile

@@ -103,6 +103,12 @@ ifeq ($(NOCRYPTO),1)
 	DEF += -DWOLFHSM_CFG_NO_CRYPTO
 endif
 
+ifeq ($(SCAN),1)
+	SCAN_LOG = scan_benchmark.log
+	# Default target
+	.DEFAULT_GOAL := scan
+endif
+
 # Support a DMA-capable build
 ifeq ($(DMA),1)
 	DEF += -DWOLFHSM_CFG_DMA
@@ -161,6 +167,13 @@ build_static: $(BUILD_DIR) $(BUILD_DIR)/$(BIN).a
 	@echo ""
 	$(CMD_ECHO) $(SIZE) $(BUILD_DIR)/$(BIN).a
 
+analyze: $(OBJS_ASM) $(OBJS_C)
+
+scan:$(BUILD_DIR)
+	@echo "Running scan-build static analysis"
+	@mkdir -p $(WOLFHSM_DIR)/scan_out/
+	@scan-build --status-bugs $(MAKE) analyze 2> $(WOLFHSM_DIR)/scan_out/$(SCAN_LOG)
+
 $(BUILD_DIR):
 	$(CMD_ECHO) mkdir -p $(BUILD_DIR)
 

benchmark/bench_modules/wh_bench_mod_aes.c

@@ -21,10 +21,9 @@
 #include "wolfhsm/wh_client.h"
 #include "wolfhsm/wh_client_crypto.h"
 
+#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_BENCH_ENABLE)
 #include "wolfssl/wolfcrypt/aes.h"
 
-#if defined(WOLFHSM_CFG_BENCH_ENABLE)
-
 #if defined(WOLFHSM_CFG_DMA) && defined(WOLFHSM_CFG_TEST_POSIX)
 #include "port/posix/posix_transport_shm.h"
 #endif /* WOLFHSM_CFG_DMA && WOLFHSM_CFG_TEST_POSIX */
@@ -832,4 +831,4 @@ int wh_Bench_Mod_Aes256GCMDecryptDma(whClientContext*  client,
 
 #endif /* !defined(NO_AES) */
 
-#endif /* WOLFHSM_CFG_BENCH_ENABLE */
+#endif /* !WOLFHSM_CFG_NO_CRYPTO && WOLFHSM_CFG_BENCH_ENABLE */

benchmark/bench_modules/wh_bench_mod_cmac.c

@@ -21,10 +21,9 @@
 #include "wolfhsm/wh_error.h"
 #include "wolfhsm/wh_client_crypto.h"
 
+#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_BENCH_ENABLE)
 #include "wolfssl/wolfcrypt/cmac.h"
 
-#if defined(WOLFHSM_CFG_BENCH_ENABLE)
-
 #if defined(WOLFSSL_CMAC) && !defined(NO_AES) && defined(WOLFSSL_AES_DIRECT)
 
 static const uint8_t key128[] = {0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae,
@@ -184,4 +183,4 @@ int wh_Bench_Mod_CmacAes256Dma(whClientContext* client, whBenchOpContext* ctx,
 
 #endif /* WOLFSSL_CMAC && !defined(NO_AES) && defined(WOLFSSL_AES_DIRECT) */
 
-#endif /* WOLFHSM_CFG_BENCH_ENABLE */
+#endif /* !WOLFHSM_CFG_NO_CRYPTO && WOLFHSM_CFG_BENCH_ENABLE */

benchmark/bench_modules/wh_bench_mod_curve25519.c

@@ -21,12 +21,12 @@
 #include "wolfhsm/wh_client.h"
 #include "wolfhsm/wh_client_crypto.h"
 
+
+#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_BENCH_ENABLE)
 #include "wolfssl/wolfcrypt/settings.h"
 #include "wolfssl/wolfcrypt/random.h"
 #include "wolfssl/wolfcrypt/curve25519.h"
 
-#if defined(WOLFHSM_CFG_BENCH_ENABLE)
-
 #if defined(HAVE_CURVE25519)
 
 uint8_t key1_der[] = {
@@ -252,4 +252,4 @@ int wh_Bench_Mod_Curve25519SharedSecret(whClientContext*  client,
 
 #endif /* HAVE_CURVE25519 */
 
-#endif /* WOLFHSM_CFG_BENCH_ENABLE */
+#endif /* !WOLFHSM_CFG_NO_CRYPTO && WOLFHSM_CFG_BENCH_ENABLE */

benchmark/bench_modules/wh_bench_mod_ecc.c

@@ -21,11 +21,12 @@
 #include "wolfhsm/wh_client.h"
 #include "wolfhsm/wh_client_crypto.h"
 
+
+#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_BENCH_ENABLE)
+
 #include "wolfssl/wolfcrypt/ecc.h"
 #include "wolfssl/wolfcrypt/random.h"
 
-#if defined(WOLFHSM_CFG_BENCH_ENABLE)
-
 #if defined(HAVE_ECC)
 
 /* hardcoded DER-encoded ECC keys for benchmarking */
@@ -566,4 +567,4 @@ int wh_Bench_Mod_EccP256Ecdh(whClientContext* client, whBenchOpContext* ctx,
 
 #endif /* HAVE_ECC */
 
-#endif /* WOLFHSM_CFG_BENCH_ENABLE */
+#endif /* !WOLFHSM_CFG_NO_CRYPTO && WOLFHSM_CFG_BENCH_ENABLE */

benchmark/bench_modules/wh_bench_mod_hkdf.c

@@ -20,12 +20,11 @@
 #include "wh_bench_mod.h"
 #include "wolfhsm/wh_error.h"
 
+#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_BENCH_ENABLE)
 #include "wolfssl/wolfcrypt/hmac.h"
 #include "wolfssl/wolfcrypt/kdf.h"
 #include "wolfssl/wolfcrypt/sha256.h"
 
-#if defined(WOLFHSM_CFG_BENCH_ENABLE)
-
 #if defined(HAVE_HKDF)
 
 
@@ -93,4 +92,4 @@ int wh_Bench_Mod_HkdfSha256(whClientContext* client, whBenchOpContext* ctx,
 
 #endif /* defined(HAVE_HKDF) */
 
-#endif /* WOLFHSM_CFG_BENCH_ENABLE */
+#endif /* !WOLFHSM_CFG_NO_CRYPTO && WOLFHSM_CFG_BENCH_ENABLE */

benchmark/bench_modules/wh_bench_mod_hmac.c

@@ -19,11 +19,10 @@
 #include "wh_bench_mod.h"
 #include "wolfhsm/wh_error.h"
 
+#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_BENCH_ENABLE)
 #include "wolfssl/wolfcrypt/hmac.h"
 #include "wolfssl/wolfcrypt/sha256.h"
 
-#if defined(WOLFHSM_CFG_BENCH_ENABLE)
-
 #if !defined(NO_HMAC)
 
 #if !defined(NO_SHA256)
@@ -176,4 +175,4 @@ int wh_Bench_Mod_HmacSha3256Dma(whClientContext* client, whBenchOpContext* ctx,
 
 #endif /* !defined(NO_HMAC) */
 
-#endif /* WOLFHSM_CFG_BENCH_ENABLE */
+#endif /* !WOLFHSM_CFG_NO_CRYPTO && WOLFHSM_CFG_BENCH_ENABLE */

benchmark/bench_modules/wh_bench_mod_mldsa.c

@@ -21,11 +21,11 @@
 #include "wolfhsm/wh_client.h"
 #include "wolfhsm/wh_client_crypto.h"
 
+
+#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_BENCH_ENABLE)
 #include "wolfssl/wolfcrypt/dilithium.h"
 #include "wolfssl/wolfcrypt/random.h"
 
-#if defined(WOLFHSM_CFG_BENCH_ENABLE)
-
 #if defined(HAVE_DILITHIUM)
 
 #if !defined(WOLFSSL_DILITHIUM_NO_SIGN)
@@ -1193,4 +1193,4 @@ int wh_Bench_Mod_MlDsa87KeyGenDma(whClientContext*  client,
 
 #endif /* HAVE_DILITHIUM */
 
-#endif /* WOLFHSM_CFG_BENCH_ENABLE */
+#endif /* !WOLFHSM_CFG_NO_CRYPTO && WOLFHSM_CFG_BENCH_ENABLE */

benchmark/bench_modules/wh_bench_mod_rng.c

@@ -18,9 +18,10 @@
  */
 #include "wh_bench_mod.h"
 #include "wolfhsm/wh_error.h"
-#include "wolfssl/wolfcrypt/random.h"
 
-#if defined(WOLFHSM_CFG_BENCH_ENABLE)
+
+#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_BENCH_ENABLE)
+#include "wolfssl/wolfcrypt/random.h"
 
 #if !defined(WC_NO_RNG)
 
@@ -93,4 +94,4 @@ int wh_Bench_Mod_Rng(whClientContext* client, whBenchOpContext* ctx, int id,
 
 #endif /* !defined(WC_NO_RNG) */
 
-#endif /* WOLFHSM_CFG_BENCH_ENABLE */
+#endif /* !WOLFHSM_CFG_NO_CRYPTO && WOLFHSM_CFG_BENCH_ENABLE */

benchmark/bench_modules/wh_bench_mod_rsa.c

@@ -21,11 +21,10 @@
 #include "wolfhsm/wh_client.h"
 #include "wolfhsm/wh_client_crypto.h"
 
+#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_BENCH_ENABLE)
 #include "wolfssl/wolfcrypt/rsa.h"
 #include "wolfssl/wolfcrypt/random.h"
 
-#if defined(WOLFHSM_CFG_BENCH_ENABLE)
-
 #if !defined(NO_RSA)
 
 /* RSA 2048-bit key in DER format for benchmarking */
@@ -1116,4 +1115,4 @@ int wh_Bench_Mod_Rsa4096KeyGenDma(whClientContext*  client,
 
 #endif /* !(NO_RSA) */
 
-#endif /* WOLFHSM_CFG_BENCH_ENABLE */
+#endif /* !WOLFHSM_CFG_NO_CRYPTO && WOLFHSM_CFG_BENCH_ENABLE */

benchmark/bench_modules/wh_bench_mod_sha2.c

@@ -21,11 +21,10 @@
 #include "wolfhsm/wh_error.h"
 #include "wolfhsm/wh_client_crypto.h"
 
+#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_BENCH_ENABLE)
 #include "wolfssl/wolfcrypt/hash.h"
 #include "wolfssl/wolfcrypt/sha256.h"
 
-#if defined(WOLFHSM_CFG_BENCH_ENABLE)
-
 #if defined(WOLFHSM_CFG_DMA) && defined(WOLFHSM_CFG_TEST_POSIX)
 #include "port/posix/posix_transport_shm.h"
 #endif /* WOLFHSM_CFG_DMA && WOLFHSM_CFG_POSIX_TRANSPORT */
@@ -550,4 +549,4 @@ int wh_Bench_Mod_Sha512Dma(whClientContext* client, whBenchOpContext* ctx,
 
 #endif /* WOLFSSL_SHA512 */
 
-#endif /* WOLFHSM_CFG_BENCH_ENABLE */
+#endif /* !WOLFHSM_CFG_NO_CRYPTO && WOLFHSM_CFG_BENCH_ENABLE */

benchmark/bench_modules/wh_bench_mod_sha3.c

@@ -19,7 +19,7 @@
 #include "wh_bench_mod.h"
 #include "wolfhsm/wh_error.h"
 
-#if defined(WOLFHSM_CFG_BENCH_ENABLE)
+#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_BENCH_ENABLE)
 
 #if defined(WOLFSSL_SHA3)
 
@@ -45,4 +45,4 @@ int wh_Bench_Mod_Sha3256Dma(whClientContext* client, whBenchOpContext* ctx,
 
 #endif /* WOLFSSL_SHA3 */
 
-#endif /* WOLFHSM_CFG_BENCH_ENABLE */
+#endif /* !WOLFHSM_CFG_NO_CRYPTO && WOLFHSM_CFG_BENCH_ENABLE */

benchmark/wh_bench.c

@@ -73,7 +73,7 @@ typedef struct BenchModule {
  * of the array will be BENCH_MODULE_IDX_COUNT */
 typedef enum BenchModuleIdx {
     BENCH_MODULE_IDX_ECHO = 0,
-
+#if !defined(WOLFHSM_CFG_NO_CRYPTO)
 /* RNG */
 #if !defined(WC_NO_RNG)
     BENCH_MODULE_IDX_RNG,
@@ -233,7 +233,7 @@ typedef enum BenchModuleIdx {
     BENCH_MODULE_IDX_ML_DSA_87_KEY_GEN_DMA,
 #endif /* !(WOLFSSL_NO_ML_DSA_87) */
 #endif /* HAVE_DILITHIUM */
-
+#endif /* !(WOLFHSM_CFG_NO_CRYPTO) */
     /* number of modules. This must be the last entry and will be used as the
      * size of the global modules array */
     BENCH_MODULE_IDX_COUNT
@@ -246,7 +246,7 @@ WH_UTILS_STATIC_ASSERT(MAX_BENCH_OPS > BENCH_MODULE_IDX_COUNT,
 /* clang-format off */
 static BenchModule g_benchModules[] = {
     [BENCH_MODULE_IDX_ECHO]                    = {"ECHO",                         wh_Bench_Mod_Echo,                 BENCH_THROUGHPUT_XBPS, 0, NULL},
-
+#if !defined(WOLFHSM_CFG_NO_CRYPTO)
     /* RNG */
 #if !defined(WC_NO_RNG)
     [BENCH_MODULE_IDX_RNG]                     = {"RNG",                          wh_Bench_Mod_Rng,                  BENCH_THROUGHPUT_XBPS, 0, NULL},
@@ -402,6 +402,7 @@ static BenchModule g_benchModules[] = {
     [BENCH_MODULE_IDX_ML_DSA_87_KEY_GEN_DMA]   = {"ML-DSA-87-KEY-GEN-DMA",        wh_Bench_Mod_MlDsa87KeyGenDma,        BENCH_THROUGHPUT_OPS, 0, NULL},
 #endif /* !(WOLFSSL_NO_ML_DSA_87) */
 #endif /* HAVE_DILITHIUM */
+#endif /* !(WOLFHSM_CFG_NO_CRYPTO) */
 };
 /* clang-format on */
 

benchmark/wh_bench_main.c

@@ -25,6 +25,7 @@
 
 #include <wolfssl/version.h>
 #include <string.h>
+#include <stdlib.h>
 
 void Usage(const char* exeName)
 {

examples/demo/client/wh_demo_client_all.c

@@ -39,7 +39,8 @@ int wh_DemoClient_All(whClientContext* clientContext)
     if (rc != 0) {
         return rc;
     }
-#ifndef NO_AES
+
+#if !defined(WOLFHSM_CFG_NO_CRYPTO) && !defined(NO_AES)
     rc = wh_DemoClient_KeystoreAes(clientContext);
     if (rc != 0) {
         return rc;
@@ -54,7 +55,7 @@ int wh_DemoClient_All(whClientContext* clientContext)
 #endif /* WOLFHSM_CFG_KEYWRAP */
 
     /**Crypto demos */
-#ifndef NO_RSA
+#if !defined(WOLFHSM_CFG_NO_CRYPTO) && !defined(NO_RSA)
     rc = wh_DemoClient_CryptoRsa(clientContext);
     if (rc != 0) {
         return rc;