Open marcalff opened 1 year ago
/assign
@marcalff I am an Outreachy candidate, can you please assign me this issue?
@sakshi-1505 - Thanks for the interest in this. I think @marcalff is travelling this week, so may not respond. And I don't know if he has already done these changes locally. For now, it's assigned to you along with @marcalff. Feel free to come up with a draft PR or suggestions to discuss further. @marcalff has some good ideas to enable this, hopefully he can guide you over.
@sakshi-1505 Thanks for volunteering, and welcome.
First step is to investigate the C++ tooling available, and decide which tool to use.
Second step will be to implement CI scripts to use the tool we decide to pick.
We took a look into multiple static check tools for cpp, and we had two top contenders: cppcheck & clang static analyser.
Here's the brief comparison b/w both:
I did a comparison b/w clang static analyzer & cppcheck. A few of the differences which I could figure out were:
I also did take a bit of GPT help here & here's what GPT says:
Cppcheck is a good choice for developers who are looking for a free and easy-to-use static check tool. It is also a good choice for developers who are new to static code analysis. Cppcheck can detect a wide range of bugs and security vulnerabilities, but it may produce some false positives.
Clang Static Analyzer is a good choice for developers who need a static check tool that is highly accurate and can handle large and complex codebases. However, it is important to note that Clang Static Analyzer can be slow and difficult to use.
I checked out both & I can integrate either of them in our CI pipeline, although since there is a gh-action for cppcheck, which will make its integration faster.
This issue was marked as stale due to lack of activity.
This issue is available for anyone to work on. Make sure to reference this issue in your pull request. :sparkles: Thank you for your contribution! :sparkles:
This is needed for security audits on the code.
Parent issue: #2282