pavel-kirienko (closed 2 months ago):
Hey @thirtytwobits what do you make of this?
https://github.com/OpenCyphal/libcanard/security/code-scanning?query=is%3Aopen+pr%3A214
I am yet to enable AUTOSAR scanning, but so far it does not look too promising. There is no built-in method for narrowing the scope of analysis to the production code only; thankfully, an external tool is available for this, but its interface is a bit rough. Of the 21 issues reported after the filtering, all are false positives, of which there are two kinds:
Local address escape resulting in a dangling pointer. This is presumably coming from test cases that register stack-allocated sessions with the library (hence the escape) but then diligently unregister them (hence the escape is prevented). Neither the Sonar scanner nor clang-tidy report issues here.
The unused static function warnings come from partial test builds, where each build tests only a subset of the library's functionality. I am yet to find ways to coalesce the usage data from different builds into a single report (I suspect it is not possible).
So far I am inclined to pass on CodeQL and perhaps revisit it a year later.
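The first class of false positive described above, reproduced as an added C example that is not libcanard's code: a stand-in registry (the `Session`/`Registry` names and functions are made up for illustration; libcanard's real subscription API differs) retains a caller-owned pointer in an intrusive list, and a test registers a stack-allocated object and removes it again before the frame dies. A flow-insensitive "local address escape" check sees `&local` stored in the registry and reports it; the unregister call is what makes the report a false positive.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not libcanard code. The registry stands in for a library
 * that keeps caller-owned session objects in an intrusive list without
 * copying them; all names here are invented for illustration. */

typedef struct Session
{
    uint32_t        id;
    struct Session* next;
} Session;

typedef struct
{
    Session* head; /* the library retains the caller's pointer here */
} Registry;

/* Links the caller's object into the list. Nothing is copied, so the address
 * escapes: the caller owns the storage until it unregisters the object. */
static bool registry_add(Registry* const reg, Session* const s)
{
    if ((reg == NULL) || (s == NULL))
    {
        return false;
    }
    for (const Session* p = reg->head; p != NULL; p = p->next)
    {
        if (p->id == s->id)
        {
            return false; /* duplicate id */
        }
    }
    s->next   = reg->head;
    reg->head = s;
    return true;
}

/* Unlinks the entry with the given id; returns false if it is not registered. */
static bool registry_remove(Registry* const reg, const uint32_t id)
{
    if (reg == NULL)
    {
        return false;
    }
    Session** link = &reg->head;
    while (*link != NULL)
    {
        if ((*link)->id == id)
        {
            *link = (*link)->next;
            return true;
        }
        link = &(*link)->next;
    }
    return false;
}

static size_t registry_count(const Registry* const reg)
{
    size_t n = 0;
    for (const Session* p = (reg != NULL) ? reg->head : NULL; p != NULL; p = p->next)
    {
        n++;
    }
    return n;
}

/* The shape that triggers the "local address escape" report: a stack-allocated
 * session is handed to the library (its address lands in reg->head), but it is
 * unregistered before this function returns, so no dangling pointer survives.
 * Dropping the registry_remove() call would turn this into a true positive. */
bool test_stack_session_round_trip(Registry* const reg)
{
    Session local = {.id = 42U, .next = NULL};
    if (!registry_add(reg, &local))
    {
        return false;
    }
    const bool seen    = (registry_count(reg) == 1U) && (reg->head == &local);
    const bool removed = registry_remove(reg, 42U);
    return seen && removed && (registry_count(reg) == 0U); /* &local no longer stored */
}

/* Check a test harness can run after every such case: anything still
 * registered once the test function has returned is a real escape. */
bool registry_is_clean(const Registry* const reg)
{
    return (reg != NULL) && (reg->head == NULL);
}
```

Asserting `registry_is_clean` after each test case is the runtime counterpart of the analyzer's check: it catches the genuine dangling-pointer variant (register without unregister) that the static report cannot distinguish from the benign one above.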
Kudos, SonarCloud Quality Gate passed!