CI: add a codechecker workflow

There is also a 'make analyze' to run this locally. Signed-off-by: Edwin Török <[email protected]>
xapi-project · edwintorok · Mar 5, 2025 · Apr 25, 2024 · Feb 21, 2025 · Feb 21, 2025
commit b97788bf5126a51c2b5300d3b3fbe9079c21f839
diff --git a/.codechecker.json b/.codechecker.json
@@ -0,0 +1,6 @@
+{
+  "analyze": [
+    "--disable=misc-header-include-cycle",
+    "--disable=clang-diagnostic-unused-parameter"
+  ]
+}
diff --git a/.github/workflows/codechecker.yml b/.github/workflows/codechecker.yml
@@ -0,0 +1,96 @@
+name: Run CodeChecker static analyzer on XAPI's C stubs
+permissions: {}
+
+on:
+  push:
+  pull_request:
+    branches:
+      - master
+      - 'feature/**'
+      - '*-lcm'
+
+concurrency: # On new push, cancel old workflows from the same PR, branch or tag:
+  group: ${{ github.workflow }}-${{github.event_name}}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  staticanalyzer:
+    name: Static analyzer for OCaml C stubs
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    env:
+      XAPI_VERSION: "v0.0.0-${{ github.sha }}"
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Restore cache for compile_commands.json
+        uses: actions/cache/restore@v4
+        id: cache-cmds
+        with:
+          path: compile_commands.json
+          key: compile_commands.json-v1-${{ hashFiles('**/dune') }}
+
+      - name: Setup XenAPI environment
+        if: steps.cache-cmds.outputs.cache-hit != 'true'
+        uses: ./.github/workflows/setup-xapi-environment
+        with:
+          xapi_version: ${{ env.XAPI_VERSION }}
+
+      - name: Install dune-compiledb to generate compile_commands.json
+        if: steps.cache-cmds.outputs.cache-hit != 'true'
+        run: |
+          opam pin add -y ezjsonm https://github.com/mirage/ezjsonm/releases/download/v1.3.0/ezjsonm-1.3.0.tbz
+          opam pin add -y dune-compiledb https://github.com/edwintorok/dune-compiledb/releases/download/0.6.0/dune-compiledb-0.6.0.tbz
+
+      - name: Trim dune cache
+        if: steps.cache-cmds.outputs.cache-hit != 'true'
+        run: opam exec -- dune cache trim --size=2GiB         
+
+      - name: Generate compile_commands.json
+        if: steps.cache-cmds.outputs.cache-hit != 'true'
+        run: opam exec -- make compile_commands.json
+
+      - name: Save cache for cmds.json
+        uses: actions/cache/save@v4
+        with:
+          path: compile_commands.json
+          key: ${{ steps.cache-cmds.outputs.cache-primary-key }}
+
+      - name: Upload compile commands json
+        uses: actions/upload-artifact@v4
+        with:
+          path: ${{ github.workspace }}/compile_commands.json
+
+      - uses: whisperity/codechecker-analysis-action@v1
+        id: codechecker
+        with:
+          ctu: true
+          logfile: ${{ github.workspace }}/compile_commands.json
+          analyze-output: "codechecker_results"
+
+      - name: Upload CodeChecker report
+        uses: actions/upload-artifact@v4
+        with:
+          name: codechecker_results
+          path: "${{ steps.codechecker.outputs.result-html-dir }}"
+
+      # cppcheck even for other analyzers apparently, this is
+      # codechecker's output
+      - name: convert to SARIF
+        shell: bash
+        run: report-converter "codechecker_results" --type cppcheck --output codechecker.sarif --export sarif
+
+      - name: Upload CodeChecker SARIF report
+        uses: actions/upload-artifact@v4
+        with:
+          name: codechecker_sarif
+          path: codechecker.sarif
+
+      - name: Upload SARIF report
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+         sarif_file: codechecker.sarif
diff --git a/Makefile b/Makefile
@@ -6,7 +6,7 @@ JOBS = $(shell getconf _NPROCESSORS_ONLN)
 PROFILE=release
 OPTMANDIR ?= $(OPTDIR)/man/man1/
 
-.PHONY: build clean test doc python format install uninstall coverage
+.PHONY: build clean test doc python format install uninstall coverage analyze
 
 # if we have XAPI_VERSION set then set it in dune-project so we use that version number instead of the one obtained from git
 # this is typically used when we're not building from a git repo
@@ -196,6 +196,17 @@ uninstall:
 	dune uninstall $(DUNE_IU_PACKAGES3)
 	dune uninstall $(DUNE_IU_PACKAGES4)
 
+# An approximation, we actually depend on all dune files recursively
+# Also fixup the directory paths to remove _build
+# (we must refer to paths that exist in the repository for static analysis results)
+compile_commands.json: Makefile dune
+	mkdir -p _build/
+	dune rules | dune-compiledb -o _build/
+	sed -e 's/"directory".*/"directory": ".",/' <_build/$@ >$@
+
+analyze: compile_commands.json Makefile .codechecker.json
+	CodeChecker check --config .codechecker.json -l compile_commands.json
+
 compile_flags.txt: Makefile
 	(ocamlc -config-var ocamlc_cflags;\
 	ocamlc -config-var ocamlc_cppflags;\