Add scan build github action (#195)

add scan build github action and necessary code fixes

Author: miyazakh

.github/workflows/static-analysis.yml

@@ -63,6 +63,37 @@ jobs:
         echo "❌ Static analysis failed - errors or warnings were found"
         exit 1
 
+  scan-build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout wolfHSM
+      uses: actions/checkout@v4
+      with:
+        path: wolfHSM
+
+    - name: Checkout wolfssl
+      uses: actions/checkout@v4
+      with:
+        repository: wolfssl/wolfssl
+        path: wolfssl
+
+    - name: Install dependencies
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y clang build-essential clang-tools
+
+    - name: Run scan-build
+      id: scan-build
+      run:
+        cd wolfHSM && make scan
+
+    - name: Fail if scan-build issues found
+      if: steps.scan-build.outcome == 'failure'
+      run: |
+        echo "❌ scan-build analysis failed - errors or warnings were found"
+        exit 1
+
   clang-tidy:
     runs-on: ubuntu-latest
 
@@ -106,7 +137,6 @@ jobs:
             echo ""
             # Show first 50 issues to avoid overwhelming output
             head -50 tools/static-analysis/reports/clang_tidy_summary.txt
-            
             TOTAL_ISSUES=$((ERROR_COUNT + WARNING_COUNT))
             if [ "$TOTAL_ISSUES" -gt 50 ]; then
               echo ""

Makefile

@@ -15,6 +15,41 @@ tools:
 examples:
 	make -C examples
 
+SCAN_DIR = ./scan_out
+
+scan_result_check:
+	@err=$$(grep -h -o 'error: .*' ./$(SCAN_DIR)/*.log | wc -l); \
+	if [ -z "$$err" ]; then \
+		err=0; \
+	fi; \
+	wrn=$$(grep -h -o '^[0-9]\+ warnings\? generated' ./$(SCAN_DIR)/*.log | grep -o '^[0-9]\+' | awk '{s+=$$1} END {print s}');\
+	if [ -z "$$wrn" ]; then \
+		wrn=0; \
+	fi; \
+	if [ $$err -eq 0 -a $$wrn -eq 0 ]; then \
+		echo "no errors or warnings found";\
+		exit 0; \
+	else\
+		echo "scan-build detected $$err errors and $$wrn warnings";\
+		for f in $(SCAN_DIR)/*.log; do \
+			echo "---- $$f ----"; \
+			cat $$f; \
+			echo ""; \
+		done; \
+		exit 1; \
+	fi;
+
+scan:
+	@echo "Running scan-build static analysis"
+	@rm -rf $(SCAN_DIR)
+	@mkdir -p $(SCAN_DIR)
+	@make clean
+	-@make SCAN=1 -C test scan
+	-@make SCAN=1 -C benchmark scan
+	-@make NOCRYPTO=1 SCAN=1 -C tools/whnvmtool scan
+	-@make NOCRYPTO=1 SCAN=1 -C examples
+	@$(MAKE) scan_result_check
+
 clean:
 	make -C test clean
 	make -C benchmark clean

benchmark/Makefile

@@ -103,6 +103,12 @@ ifeq ($(NOCRYPTO),1)
 	DEF += -DWOLFHSM_CFG_NO_CRYPTO
 endif
 
+ifeq ($(SCAN),1)
+	SCAN_LOG = scan_benchmark.log
+	# Default target
+	.DEFAULT_GOAL := scan
+endif
+
 # Support a DMA-capable build
 ifeq ($(DMA),1)
 	DEF += -DWOLFHSM_CFG_DMA
@@ -161,6 +167,13 @@ build_static: $(BUILD_DIR) $(BUILD_DIR)/$(BIN).a
 	@echo ""
 	$(CMD_ECHO) $(SIZE) $(BUILD_DIR)/$(BIN).a
 
+analyze: $(OBJS_ASM) $(OBJS_C)
+
+scan:$(BUILD_DIR)
+	@echo "Running scan-build static analysis"
+	@mkdir -p $(WOLFHSM_DIR)/scan_out/
+	@scan-build --status-bugs $(MAKE) analyze 2> $(WOLFHSM_DIR)/scan_out/$(SCAN_LOG)
+
 $(BUILD_DIR):
 	$(CMD_ECHO) mkdir -p $(BUILD_DIR)
 

benchmark/bench_modules/wh_bench_mod_aes.c

@@ -21,10 +21,9 @@
 #include "wolfhsm/wh_client.h"
 #include "wolfhsm/wh_client_crypto.h"
 
+#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_BENCH_ENABLE)
 #include "wolfssl/wolfcrypt/aes.h"
 
-#if defined(WOLFHSM_CFG_BENCH_ENABLE)
-
 #if defined(WOLFHSM_CFG_DMA) && defined(WOLFHSM_CFG_TEST_POSIX)
 #include "port/posix/posix_transport_shm.h"
 #endif /* WOLFHSM_CFG_DMA && WOLFHSM_CFG_TEST_POSIX */
@@ -832,4 +831,4 @@ int wh_Bench_Mod_Aes256GCMDecryptDma(whClientContext*  client,
 
 #endif /* !defined(NO_AES) */
 
-#endif /* WOLFHSM_CFG_BENCH_ENABLE */
+#endif /* !WOLFHSM_CFG_NO_CRYPTO && WOLFHSM_CFG_BENCH_ENABLE */

benchmark/bench_modules/wh_bench_mod_cmac.c

@@ -21,10 +21,9 @@
 #include "wolfhsm/wh_error.h"
 #include "wolfhsm/wh_client_crypto.h"
 
+#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_BENCH_ENABLE)
 #include "wolfssl/wolfcrypt/cmac.h"
 
-#if defined(WOLFHSM_CFG_BENCH_ENABLE)
-
 #if defined(WOLFSSL_CMAC) && !defined(NO_AES) && defined(WOLFSSL_AES_DIRECT)
 
 static const uint8_t key128[] = {0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae,
@@ -184,4 +183,4 @@ int wh_Bench_Mod_CmacAes256Dma(whClientContext* client, whBenchOpContext* ctx,
 
 #endif /* WOLFSSL_CMAC && !defined(NO_AES) && defined(WOLFSSL_AES_DIRECT) */
 
-#endif /* WOLFHSM_CFG_BENCH_ENABLE */
+#endif /* !WOLFHSM_CFG_NO_CRYPTO && WOLFHSM_CFG_BENCH_ENABLE */

benchmark/bench_modules/wh_bench_mod_curve25519.c

@@ -21,12 +21,12 @@
 #include "wolfhsm/wh_client.h"
 #include "wolfhsm/wh_client_crypto.h"
 
+
+#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_BENCH_ENABLE)
 #include "wolfssl/wolfcrypt/settings.h"
 #include "wolfssl/wolfcrypt/random.h"
 #include "wolfssl/wolfcrypt/curve25519.h"
 
-#if defined(WOLFHSM_CFG_BENCH_ENABLE)
-
 #if defined(HAVE_CURVE25519)
 
 uint8_t key1_der[] = {
@@ -252,4 +252,4 @@ int wh_Bench_Mod_Curve25519SharedSecret(whClientContext*  client,
 
 #endif /* HAVE_CURVE25519 */
 
-#endif /* WOLFHSM_CFG_BENCH_ENABLE */
+#endif /* !WOLFHSM_CFG_NO_CRYPTO && WOLFHSM_CFG_BENCH_ENABLE */

benchmark/bench_modules/wh_bench_mod_ecc.c

@@ -21,11 +21,12 @@
 #include "wolfhsm/wh_client.h"
 #include "wolfhsm/wh_client_crypto.h"
 
+
+#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_BENCH_ENABLE)
+
 #include "wolfssl/wolfcrypt/ecc.h"
 #include "wolfssl/wolfcrypt/random.h"
 
-#if defined(WOLFHSM_CFG_BENCH_ENABLE)
-
 #if defined(HAVE_ECC)
 
 /* hardcoded DER-encoded ECC keys for benchmarking */
@@ -566,4 +567,4 @@ int wh_Bench_Mod_EccP256Ecdh(whClientContext* client, whBenchOpContext* ctx,
 
 #endif /* HAVE_ECC */
 
-#endif /* WOLFHSM_CFG_BENCH_ENABLE */
+#endif /* !WOLFHSM_CFG_NO_CRYPTO && WOLFHSM_CFG_BENCH_ENABLE */

benchmark/bench_modules/wh_bench_mod_hkdf.c

@@ -20,12 +20,11 @@
 #include "wh_bench_mod.h"
 #include "wolfhsm/wh_error.h"
 
+#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_BENCH_ENABLE)
 #include "wolfssl/wolfcrypt/hmac.h"
 #include "wolfssl/wolfcrypt/kdf.h"
 #include "wolfssl/wolfcrypt/sha256.h"
 
-#if defined(WOLFHSM_CFG_BENCH_ENABLE)
-
 #if defined(HAVE_HKDF)
 
 
@@ -93,4 +92,4 @@ int wh_Bench_Mod_HkdfSha256(whClientContext* client, whBenchOpContext* ctx,
 
 #endif /* defined(HAVE_HKDF) */
 
-#endif /* WOLFHSM_CFG_BENCH_ENABLE */
+#endif /* !WOLFHSM_CFG_NO_CRYPTO && WOLFHSM_CFG_BENCH_ENABLE */

benchmark/bench_modules/wh_bench_mod_hmac.c

@@ -19,11 +19,10 @@
 #include "wh_bench_mod.h"
 #include "wolfhsm/wh_error.h"
 
+#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_BENCH_ENABLE)
 #include "wolfssl/wolfcrypt/hmac.h"
 #include "wolfssl/wolfcrypt/sha256.h"
 
-#if defined(WOLFHSM_CFG_BENCH_ENABLE)
-
 #if !defined(NO_HMAC)
 
 #if !defined(NO_SHA256)
@@ -176,4 +175,4 @@ int wh_Bench_Mod_HmacSha3256Dma(whClientContext* client, whBenchOpContext* ctx,
 
 #endif /* !defined(NO_HMAC) */
 
-#endif /* WOLFHSM_CFG_BENCH_ENABLE */
+#endif /* !WOLFHSM_CFG_NO_CRYPTO && WOLFHSM_CFG_BENCH_ENABLE */

benchmark/bench_modules/wh_bench_mod_mldsa.c

@@ -21,11 +21,11 @@
 #include "wolfhsm/wh_client.h"
 #include "wolfhsm/wh_client_crypto.h"
 
+
+#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLFHSM_CFG_BENCH_ENABLE)
 #include "wolfssl/wolfcrypt/dilithium.h"
 #include "wolfssl/wolfcrypt/random.h"
 
-#if defined(WOLFHSM_CFG_BENCH_ENABLE)
-
 #if defined(HAVE_DILITHIUM)
 
 #if !defined(WOLFSSL_DILITHIUM_NO_SIGN)
@@ -1193,4 +1193,4 @@ int wh_Bench_Mod_MlDsa87KeyGenDma(whClientContext*  client,
 
 #endif /* HAVE_DILITHIUM */
 
-#endif /* WOLFHSM_CFG_BENCH_ENABLE */
+#endif /* !WOLFHSM_CFG_NO_CRYPTO && WOLFHSM_CFG_BENCH_ENABLE */