
[CI] Add a C++ static code analyser in the build

Open marcalff opened this issue 1 year ago • 8 comments

This is needed for security audits on the code.

Parent issue: #2282

marcalff avatar Sep 06 '23 20:09 marcalff

/assign

sakshi-1505 avatar Oct 06 '23 13:10 sakshi-1505

@marcalff I am an Outreachy candidate, can you please assign me this issue?

sakshi-1505 avatar Oct 06 '23 13:10 sakshi-1505

@sakshi-1505 - Thanks for the interest in this. I think @marcalff is travelling this week, so may not respond. And I don't know if he has already done these changes locally. For now, it's assigned to you along with @marcalff. Feel free to come up with a draft PR or suggestions to discuss further. @marcalff has some good ideas to enable this; hopefully he can guide you.

lalitb avatar Oct 06 '23 18:10 lalitb

@sakshi-1505 Thanks for volunteering, and welcome.

First step is to investigate the C++ tooling available, and decide which tool to use.

Second step will be to implement CI scripts to use the tool we decide to pick.

marcalff avatar Oct 07 '23 10:10 marcalff

We took a look into multiple static check tools for cpp, and we had two top contenders: cppcheck & clang static analyser.

Here's the brief comparison between both:

I did a comparison between clang static analyzer & cppcheck. A few of the differences which I could figure out were:

  • The major difference between them is that cppcheck uses flow-sensitive static checks & clang analyser uses path-sensitive ones. Because of this, the number of false positives is quite a bit lower in clang analyser.
  • Now, due to the above reason, clang analyser is quite slow in comparison to cppcheck.
  • There is not as much support/community around clang analyser as there is around cppcheck.

I also did take a bit of GPT help here & here's what GPT says:

Cppcheck is a good choice for developers who are looking for a free and easy-to-use static check tool. It is also a good choice for developers who are new to static code analysis. Cppcheck can detect a wide range of bugs and security vulnerabilities, but it may produce some false positives.

Clang Static Analyzer is a good choice for developers who need a static check tool that is highly accurate and can handle large and complex codebases. However, it is important to note that Clang Static Analyzer can be slow and difficult to use. I checked out both & I can integrate either of them in our CI pipeline, although there is a gh-action for cppcheck, which will make its integration faster.

sakshi-1505 avatar Oct 08 '23 15:10 sakshi-1505
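As an added illustration of the CI step discussed above (this is example code, not anything from the opentelemetry-cpp repository or its contributors), the script below runs cppcheck with a fixed output template and gates the job on the findings by severity. It assumes cppcheck is on PATH; the directory names `api sdk exporters` are placeholders for the source tree to scan.

```shell
#!/bin/sh
# Added example (not opentelemetry-cpp project code): a CI gate around cppcheck.
# Assumes cppcheck is installed; the directories passed in are assumptions.

# Run cppcheck over the given directories, emitting one finding per line in a
# fixed template so that gate_findings below can parse it. --error-exitcode is
# kept at 0 here because the gate decides pass/fail after counting severities.
run_cppcheck() {
  cppcheck --quiet \
    --enable=warning,performance,portability \
    --inline-suppr \
    --error-exitcode=0 \
    --template='{file}:{line}:{column}: {severity}: {message} [{id}]' \
    "$@" 2>&1
}

# Read cppcheck template lines from stdin and count findings by severity.
# Returns 1 (fail the CI job) when any 'error' or 'warning' finding is present;
# style/performance/portability findings are reported but do not fail the job.
gate_findings() {
  errors=0; warnings=0; other=0
  while IFS= read -r line; do
    case "$line" in
      *": error: "*)   errors=$((errors + 1)) ;;
      *": warning: "*) warnings=$((warnings + 1)) ;;
      *": "*": "*)     other=$((other + 1)) ;;
    esac
  done
  echo "cppcheck findings: errors=$errors warnings=$warnings other=$other"
  [ "$errors" -eq 0 ] && [ "$warnings" -eq 0 ]
}

# Typical CI invocation (placeholder directories; requires cppcheck on PATH):
#   run_cppcheck api sdk exporters | gate_findings
```

Because the gate parses the template output rather than relying on cppcheck's exit code alone, the severity threshold can be tightened later (for example to fail on style findings) without changing the cppcheck invocation.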

This issue was marked as stale due to lack of activity.

github-actions[bot] avatar Dec 08 '23 01:12 github-actions[bot]

This issue is available for anyone to work on. Make sure to reference this issue in your pull request. :sparkles: Thank you for your contribution! :sparkles:

github-actions[bot] avatar Jan 10 '24 21:01 github-actions[bot]

This issue was marked as stale due to lack of activity.

github-actions[bot] avatar Mar 14 '24 03:03 github-actions[bot]