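# Static analysis: CodeQL, Clang scan-build and CodeChecker run as independent
# jobs. Each builds the tree with .github/workflows/codeql-buildscript.sh,
# publishes its report, and fails the job when warnings remain.
name: "Static Analysis"

# The build script executes code from the checked-out revision, so pull
# requests must keep using `pull_request` (runs with the PR's read-only token
# and without repository secrets), never `pull_request_target`.
on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - "main"
      - "master"
  schedule:
    - cron: '0 0 * * *'  # daily scan of the default branch
  pull_request:
    branches: '*'

# NOTE(review): every third-party action below is pinned to a mutable major
# tag (@v1/@v2/@v3). Pinning to a full commit SHA
# (`uses: owner/repo@<commit-sha>  # vN`) stops a moved tag from silently
# changing what runs under these permissions.
jobs:
  codeql:
    name: GitHub CodeQL
    runs-on: ubuntu-latest
    # Least privilege: `security-events: write` is what upload-sarif needs.
    # GitHub does not grant it to pull requests from forks, so the upload step
    # fails there; gate that step on the head repository if fork PRs are
    # expected.
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
        with:
          submodules: recursive
      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          # This job defines no `strategy.matrix`, so `${{ matrix.language }}`
          # expanded to an empty string and left language selection to
          # auto-detection. Every later step (the category, cpp.sarif, the
          # cpp/* filter patterns) is C/C++-specific, so name it explicitly.
          languages: cpp
          queries: security-and-quality
      - name: Install Deps, Configure and Build
        run: |
          ./.github/workflows/codeql-buildscript.sh
      - name: Perform CodeQL Analysis
        id: step1
        uses: github/codeql-action/analyze@v2
        with:
          category: "/language:cpp"
          # Upload is deferred until the SARIF has been filtered below.
          upload: false
      # Filter out rules with low severity or high false positive rate
      # Also filter out warnings in third-party code
      # NOTE(review): several of these patterns (path-injection,
      # world-writable-file-creation, potentially-dangerous-function) look
      # like security-tagged queries rather than noise; their findings never
      # reach code scanning, so keep this list under periodic review.
      - name: Filter out unwanted errors and warnings
        uses: advanced-security/filter-sarif@v1
        with:
          patterns: |
            -**:cpp/path-injection
            -**:cpp/world-writable-file-creation
            -**:cpp/poorly-documented-function
            -**:cpp/potentially-dangerous-function
            -**:cpp/use-of-goto
            -**:cpp/integer-multiplication-cast-to-long
            -**:cpp/comparison-with-wider-type
            -**:cpp/leap-year/*
            -**:cpp/ambiguously-signed-bit-field
            -**:cpp/suspicious-pointer-scaling
            -**:cpp/suspicious-pointer-scaling-void
            -**:cpp/unsigned-comparison-zero
            -**/cmake*/Modules/**
          # Filtered in place: the upload and gate steps read the same file.
          input: ${{ steps.step1.outputs.sarif-output }}/cpp.sarif
          output: ${{ steps.step1.outputs.sarif-output }}/cpp.sarif
      - name: Upload CodeQL results to code scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.step1.outputs.sarif-output }}
          category: "/language:cpp"
      - name: Upload CodeQL results as an artifact
        # Keep the results even when the warning gate below fails the job.
        if: success() || failure()
        uses: actions/upload-artifact@v3
        with:
          name: codeql-results
          path: ${{ steps.step1.outputs.sarif-output }}
          retention-days: 5
      - name: Fail if a warning is found
        run: |
          ./.github/workflows/fail_on_warning.py \
            ${{ steps.step1.outputs.sarif-output }}/cpp.sarif

  scan-build:
    name: Clang scan-build
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
        with:
          submodules: recursive
      # The tree is built twice, once per report format: SARIF for code
      # scanning and HTML for the downloadable artifact. The two steps used to
      # share one name, which made run logs ambiguous.
      - name: Install Deps, Configure and Build (scan-build SARIF)
        env:
          WRAPPER: "scan-build --use-cc=cc --use-c++=c++ -sarif -o build/sarif"
        run: |
          ./.github/workflows/codeql-buildscript.sh
      - name: Install Deps, Configure and Build (scan-build HTML)
        env:
          WRAPPER: "scan-build --use-cc=cc --use-c++=c++ -o build/scan-build-html"
        run: |
          ./.github/workflows/codeql-buildscript.sh
      - name: Upload scan-build HTML report
        # v3 to match the codeql job (v2 runs on the deprecated Node 12
        # runtime); the `name`/`path` inputs are unchanged between them.
        uses: actions/upload-artifact@v3
        with:
          name: "Scan-Build Bug Reports"
          path: ${{ github.workspace }}/build/scan-build-html
      - name: Bundle sarif
        # NOTE(review): `npx -y` fetches the latest published package from npm
        # on every run; pin it (`@microsoft/sarif-multitool@<pinned-version>`)
        # so the merge tool cannot change underneath the job.
        run: |
          npx -y @microsoft/sarif-multitool merge build/sarif/*/*.sarif -o build/sarif/
      - name: Upload results to code scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          category: "scan-build"
          sarif_file: build/sarif/merged.sarif
      - name: Fail if a warning is found
        run: |
          ./.github/workflows/fail_on_warning.py build/sarif/merged.sarif

  codechecker:
    name: CodeChecker
    runs-on: ubuntu-latest
    # NOTE(review): no step in this job uploads to code scanning, so
    # `security-events: write` (and `actions: read`) look unused — confirm
    # against the CodeChecker action and drop them to keep the job read-only.
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
        with:
          submodules: recursive
      - name: Install Deps, Configure and Build
        run: |
          ./.github/workflows/codeql-buildscript.sh
      - name: Run CodeChecker
        uses: whisperity/codechecker-analysis-action@v1
        id: codechecker
        with:
          ctu: true
          # The build step is expected to leave compile_commands.json here.
          logfile: ${{ github.workspace }}/build/compile_commands.json
      - name: Upload CodeChecker HTML report
        # v3 to match the codeql job; inputs are unchanged from v2.
        uses: actions/upload-artifact@v3
        with:
          name: "CodeChecker Bug Reports"
          path: ${{ steps.codechecker.outputs.result-html-dir }}
      - name: Fail if a warning is found
        if: ${{ steps.codechecker.outputs.warnings == 'true' }}
        run: exit 1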