Add clang-tidy CI action (#167)

* add clang-tidy with fixes to resolve warnings

* Change clang-tidy-builder script to ingnore .clang-tidy and CLANG_TIDY_ARGS

* Fix to exclude wolfssl files

* Fix to only run clang-tidy for src/ and wolfhsm/

* removed supression text and unnecessary return check

---------

Co-authored-by: Brett Nicholas <7547222+bigbrett@users.noreply.github.com>

Author: jackctj117

.github/workflows/static-analysis.yml

@@ -14,6 +14,13 @@ jobs:
     - name: Checkout code
       uses: actions/checkout@v3
 
+    - name: Checkout wolfssl
+      uses: actions/checkout@v3
+      with:
+        repository: wolfssl/wolfssl
+        ref: v5.6.4-stable
+        path: wolfssl
+
     - name: Install cppcheck
       run: |
         sudo apt-get update
@@ -55,3 +62,63 @@ jobs:
       run: |
         echo "❌ Static analysis failed - errors or warnings were found"
         exit 1
+
+  clang-tidy:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v3
+
+    - name: Checkout wolfssl
+      uses: actions/checkout@v3
+      with:
+        repository: wolfssl/wolfssl
+        path: wolfssl
+
+    - name: Install dependencies
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y clang clang-tidy build-essential
+
+    - name: Run clang-tidy
+      id: clang-tidy
+      run: |
+        chmod +x tools/static-analysis/run_clang_tidy_make.sh
+        chmod +x tools/static-analysis/clang-tidy-builder.sh
+        tools/static-analysis/run_clang_tidy_make.sh
+
+    - name: Display errors and warnings
+      if: always()
+      run: |
+        if [ -f tools/static-analysis/reports/clang_tidy_summary.txt ]; then
+          # Count issues from clang-tidy output
+          ERROR_COUNT=$(grep -c "error:" tools/static-analysis/reports/clang_tidy_summary.txt 2>/dev/null) || ERROR_COUNT=0
+          WARNING_COUNT=$(grep -c "warning:" tools/static-analysis/reports/clang_tidy_summary.txt 2>/dev/null) || WARNING_COUNT=0
+
+          echo "## Clang-Tidy Analysis Summary"
+          echo "- Errors: $ERROR_COUNT"
+          echo "- Warnings: $WARNING_COUNT"
+
+          if [ "$ERROR_COUNT" -gt 0 ] || [ "$WARNING_COUNT" -gt 0 ]; then
+            echo ""
+            echo "### Issues found:"
+            echo ""
+            # Show first 50 issues to avoid overwhelming output
+            head -50 tools/static-analysis/reports/clang_tidy_summary.txt
+            
+            TOTAL_ISSUES=$((ERROR_COUNT + WARNING_COUNT))
+            if [ "$TOTAL_ISSUES" -gt 50 ]; then
+              echo ""
+              echo "... and $((TOTAL_ISSUES - 50)) more issues. See full report for details."
+            fi
+          fi
+        else
+          echo "⚠️ No clang-tidy summary file found"
+        fi
+
+    - name: Fail if issues found
+      if: steps.clang-tidy.outcome == 'failure'
+      run: |
+        echo "❌ Clang-tidy analysis failed - errors or warnings were found"
+        exit 1

.gitignore

@@ -8,9 +8,9 @@ tools/testcertgen/ca/
 tools/testcertgen/*.der
 *.code-workspace
 .vscode
+compile_commands.json
 
-# Static analysis reports
+# Static analysis
 tools/static-analysis/reports/
 *.xml
 *.html
-

src/wh_crypto.c

@@ -211,23 +211,23 @@ int wh_Crypto_EccUpdatePrivateOnlyKeyDer(ecc_key* key, uint16_t pub_size,
 
 /* Store a curve25519_key to a byte sequence in DER format */
 int wh_Crypto_Curve25519SerializeKey(curve25519_key* key, uint8_t* buffer,
-                                     uint16_t* derSize)
+                                     uint16_t* outDerSize)
 {
     int ret = 0;
     /* We must include the algorithm identifier in the DER encoding, or we will
      * not be able to deserialize it properly in the public key only case*/
     const int WITH_ALG_ENABLE_SUBJECT_PUBLIC_KEY_INFO = 1;
 
-    if ((key == NULL) || (buffer == NULL) || (derSize == NULL)) {
+    if ((key == NULL) || (buffer == NULL) || (outDerSize == NULL)) {
         return WH_ERROR_BADARGS;
     }
 
-    ret = wc_Curve25519KeyToDer(key, buffer, *derSize,
+    ret = wc_Curve25519KeyToDer(key, buffer, *outDerSize,
                                 WITH_ALG_ENABLE_SUBJECT_PUBLIC_KEY_INFO);
 
     /* ASN.1 functions return the size of the DER encoded key on success */
     if (ret > 0) {
-        *derSize = ret;
+        *outDerSize = ret;
         ret      = WH_ERROR_OK;
     }
     return ret;

src/wh_nvm_flash.c

@@ -950,7 +950,7 @@ int wh_NvmFlash_Cleanup(void* c)
 
 int wh_NvmFlash_List(void* c,
         whNvmAccess access, whNvmFlags flags, whNvmId start_id,
-        whNvmId *out_count, whNvmId *out_id)
+        whNvmId *out_avail_objects, whNvmId *out_id)
 {
     /* TODO: Implement access and flag matching */
     (void)access; (void)flags;
@@ -1008,7 +1008,7 @@ int wh_NvmFlash_List(void* c,
             }
         }
     }
-    if (out_count != NULL) *out_count = this_count;
+    if (out_avail_objects != NULL) *out_avail_objects = this_count;
     if (out_id != NULL) *out_id = this_id;
     return 0;
 }
@@ -1087,7 +1087,7 @@ int wh_NvmFlash_AddObject(void* c, whNvmMetadata *meta,
     }
 
     /* Find existing object so we can increment the epoch */
-    ret = nfMemDirectory_FindObjectIndexById(d, meta->id, &oldentry);
+    (void)nfMemDirectory_FindObjectIndexById(d, meta->id, &oldentry);
     if (oldentry >= 0) {
         epoch = d->objects[oldentry].state.epoch + 1;
     }

tools/static-analysis/clang-tidy-builder.sh

@@ -0,0 +1,246 @@
+#!/bin/bash
+
+set -o noclobber -o nounset || exit $?
+shopt -s extglob || exit $?
+
+retval=0
+
+if [[ -v CLANG_TIDY ]]; then
+
+    while :; do
+
+	for arg in "$@"; do
+	    case "$arg" in
+		*.c) source_file="$arg"
+		     ;;
+	    esac
+	done
+	unset arg
+
+	if [[ ! -v source_file ]]; then
+	    retval=0
+	    break
+	fi
+
+	if [[ ! "$source_file" =~ (^|/)src/[^/]+\.c$ ]] && [[ ! "$source_file" =~ (^|/)wolfhsm/[^/]+\.c$ ]]; then
+	    if [[ -v CLANG_OVERRIDE_CFLAGS ]]; then
+		read -a CLANG_OVERRIDE_CFLAGS_a < <(echo "${CLANG_OVERRIDE_CFLAGS-}")
+	    else
+		CLANG_OVERRIDE_CFLAGS_a=()
+	    fi
+	    exec "$CLANG" "$@" "${CLANG_OVERRIDE_CFLAGS_a[@]}"
+	fi
+
+	if [[ -v CLANG_TIDY_ARGS ]]; then
+	    read -r -a clang_tidy_args_array < <(echo "$CLANG_TIDY_ARGS") || exit $?
+	else
+	    clang_tidy_args_array=()
+	fi
+
+	if [[ -v CLANG_TIDY_PER_FILE_CHECKS ]]; then
+	    per_file_checks=()
+	    read -r -a clang_tidy_per_file_checks < <(echo "$CLANG_TIDY_PER_FILE_CHECKS") || exit $?
+	    for check in "${clang_tidy_per_file_checks[@]}"; do
+		if [[ "$source_file" =~ ${check%:*} ]]; then
+		    per_file_checks+=("${check#*:}")
+		fi
+	    done
+	    unset check
+	fi
+
+	if [[ -v per_file_checks ]]; then
+	    declare -i i=0
+	    while [[ $i -lt ${#clang_tidy_args_array[@]} ]]; do
+		if [[ "${clang_tidy_args_array[i]}" =~ ^-checks ]]; then
+		    SAVE_IFS="$IFS"
+		    IFS=,
+		    clang_tidy_args_array[i]="${clang_tidy_args_array[i]},${per_file_checks[*]}"
+		    IFS="$SAVE_IFS"
+		    added_to_existing_checks=
+		    break
+		fi
+		: $((++i))
+	    done
+	    if [[ ! -v added_to_existing_checks ]]; then
+		SAVE_IFS="$IFS"
+		IFS=,
+		clang_tidy_args_array+=("-checks=${per_file_checks[*]}")
+		IFS="$SAVE_IFS"
+	    fi
+	fi
+
+	if [[ -v CLANG_TIDY_PER_FILE_ARGS ]]; then
+	    read -r -a clang_tidy_per_file_args < <(echo "$CLANG_TIDY_PER_FILE_ARGS") || exit $?
+	    for arg in "${clang_tidy_per_file_args[@]}"; do
+		if [[ "$source_file" =~ ${arg%:*} ]]; then
+		    clang_tidy_args_array+=("${arg#*:}")
+		fi
+	    done
+	    unset arg
+	fi
+
+	if [[ -v CLANG_TIDY_CONFIG ]]; then
+	    clang_tidy_args_array+=("-config=${CLANG_TIDY_CONFIG}")
+	fi
+
+	if [[ -v CLANG_TIDY_EXTRA_ARGS ]]; then
+	    read -r -a clang_tidy_extra_args < <(echo "$CLANG_TIDY_EXTRA_ARGS") || exit $?
+	    clang_tidy_args_array+=("${clang_tidy_extra_args[@]}")
+	fi
+
+	for arg in "${clang_tidy_args_array[@]}"; do
+	    case "$arg" in
+		--use-color) use_color=
+			     ;;
+	    esac
+	done
+	unset arg
+
+	if [[ -v use_color ]]; then
+	    if text_normal_start="$(tput sgr0)"; then
+		do_style_restore=
+	    fi
+	fi
+
+	while read -r clang_tidy_line; do
+	    case "$clang_tidy_line" in
+		Use\ -header-filter=.*\ to\ display\ errors\ from\ all\ non-system\ headers.\ Use\ -system-headers\ to\ display\ errors\ from\ system\ headers\ as\ well.)
+
+		    [[ -v do_style_restore ]] && echo -n "$text_normal_start" >&2
+		    ;;
+
+		+([0-9])\ warning?(s)\ generated.)
+
+		    [[ -v do_style_restore ]] && echo -n "$text_normal_start" >&2
+		    ;;
+
+		Suppressed\ +([0-9])\ warnings\ \(+([0-9])\ NOLINT\).)
+
+		    IFS="[( ]" read -r -a clang_tidy_line_a < <(echo "$clang_tidy_line")
+		    if [[ "${clang_tidy_line_a[3]}" == "${clang_tidy_line_a[1]}" ]]; then
+			[[ -v do_style_restore ]] && echo -n "$text_normal_start" >&2
+		    else
+			echo "$clang_tidy_line" >&2
+		    fi
+		    ;;
+
+		Suppressed\ +([0-9])\ warnings\ \(+([0-9])\ in\ non-user\ code,\ +([0-9])\ NOLINT\).)
+
+		    IFS="[( ]" read -r -a clang_tidy_line_a < <(echo "$clang_tidy_line")
+		    if [[ $((clang_tidy_line_a[3] + clang_tidy_line_a[7])) == "${clang_tidy_line_a[1]}" ]]; then
+			[[ -v do_style_restore ]] && echo -n "$text_normal_start" >&2
+		    else
+			echo "$clang_tidy_line" >&2
+		    fi
+		    ;;
+
+		Suppressed\ +([0-9])\ warnings\ \(+([0-9])\ with\ check\ filters\).)
+
+		    IFS="[( ]" read -r -a clang_tidy_line_a < <(echo "$clang_tidy_line")
+		    if [[ "${clang_tidy_line_a[3]}" == "${clang_tidy_line_a[1]}" ]]; then
+			[[ -v do_style_restore ]] && echo -n "$text_normal_start" >&2
+		    else
+			echo "$clang_tidy_line" >&2
+		    fi
+		    ;;
+
+		Suppressed\ +([0-9])\ warnings\ \(+([0-9])\ in\ non-user\ code,\ +([0-9])\ with\ check\ filters\).)
+
+		    IFS="[( ]" read -r -a clang_tidy_line_a < <(echo "$clang_tidy_line")
+		    if [[ $((clang_tidy_line_a[3] + clang_tidy_line_a[7])) == "${clang_tidy_line_a[1]}" ]]; then
+			[[ -v do_style_restore ]] && echo -n "$text_normal_start" >&2
+		    else
+			echo "$clang_tidy_line" >&2
+		    fi
+		    ;;
+
+		Suppressed\ +([0-9])\ warnings\ \(+([0-9])\ in\ non-user\ code,\ +([0-9])\ NOLINT,\ +([0-9])\ with\ check\ filters\).)
+
+		    IFS="[( ]" read -r -a clang_tidy_line_a < <(echo "$clang_tidy_line")
+		    if [[ $((clang_tidy_line_a[3] + clang_tidy_line_a[7] + clang_tidy_line_a[9])) == "${clang_tidy_line_a[1]}" ]]; then
+			[[ -v do_style_restore ]] && echo -n "$text_normal_start" >&2
+		    else
+			echo "$clang_tidy_line" >&2
+		    fi
+		    ;;
+
+		Suppressed\ +([0-9])\ warnings\ \(+([0-9])\ due\ to\ line\ filter\).)
+
+		    IFS="[( ]" read -r -a clang_tidy_line_a < <(echo "$clang_tidy_line")
+		    if [[ "${clang_tidy_line_a[3]}" == "${clang_tidy_line_a[1]}" ]]; then
+			[[ -v do_style_restore ]] && echo -n "$text_normal_start" >&2
+		    else
+			echo "$clang_tidy_line" >&2
+		    fi
+		    ;;
+
+		Suppressed\ +([0-9])\ warnings\ \(+([0-9])\ in\ non-user\ code,\ +([0-9])\ due\ to\ line\ filter\).)
+
+		    IFS="[( ]" read -r -a clang_tidy_line_a < <(echo "$clang_tidy_line")
+		    if [[ $((clang_tidy_line_a[3] + clang_tidy_line_a[7])) == "${clang_tidy_line_a[1]}" ]]; then
+			[[ -v do_style_restore ]] && echo -n "$text_normal_start" >&2
+		    else
+			echo "$clang_tidy_line" >&2
+		    fi
+		    ;;
+
+		Suppressed\ +([0-9])\ warnings\ \(+([0-9])\ due\ to\ line\ filter,\ +([0-9])\ NOLINT\).)
+
+		    IFS="[( ]" read -r -a clang_tidy_line_a < <(echo "$clang_tidy_line")
+		    if [[ $((clang_tidy_line_a[3] + clang_tidy_line_a[7])) == "${clang_tidy_line_a[1]}" ]]; then
+			[[ -v do_style_restore ]] && echo -n "$text_normal_start" >&2
+		    else
+			echo "$clang_tidy_line" >&2
+		    fi
+		    ;;
+
+		Suppressed\ +([0-9])\ warnings\ \(+([0-9])\ in\ non-user\ code,\ +([0-9])\ due\ to\ line\ filter,\ +([0-9])\ NOLINT\).)
+
+		    IFS="[( ]" read -r -a clang_tidy_line_a < <(echo "$clang_tidy_line")
+		    if [[ $((clang_tidy_line_a[3] + clang_tidy_line_a[7] + clang_tidy_line_a[12])) == "${clang_tidy_line_a[1]}" ]]; then
+			[[ -v do_style_restore ]] && echo -n "$text_normal_start" >&2
+		    else
+			echo "$clang_tidy_line" >&2
+		    fi
+		    ;;
+
+		Suppressed\ +([0-9])\ warnings\ \(+([0-9])\ in\ non-user\ code\).)
+
+		    IFS="[( ]" read -r -a clang_tidy_line_a < <(echo "$clang_tidy_line")
+		    if [[ "${clang_tidy_line_a[1]}" == "${clang_tidy_line_a[3]}" ]]; then
+			[[ -v do_style_restore ]] && echo -n "$text_normal_start" >&2
+		    else
+			echo "$clang_tidy_line" >&2
+		    fi
+		    ;;
+
+		*)
+
+		    echo "$clang_tidy_line" >&2
+		    retval=1
+		    ;;
+
+            esac
+
+        done < <("$CLANG_TIDY" "${clang_tidy_args_array[@]}" "$source_file" -- "$@" 2>&1)
+
+	if [[ "$retval" != '0' && -v do_style_restore ]]; then
+	    echo -n "$text_normal_start" >&2
+	fi
+	break
+    done
+fi
+
+if [[ "$retval" != '0' ]]; then
+    if [[ -v CLANG_TIDY_STATUS_FILE ]]; then
+	# shellcheck disable=SC2320 # noise
+	echo "${source_file} ${retval}" >> "$CLANG_TIDY_STATUS_FILE" || exit $?
+    else
+	exit "$retval"
+    fi
+fi
+
+# shellcheck disable=SC2162 # we want backslashes to be interpreted here.
+read -a CLANG_OVERRIDE_CFLAGS_a < <(echo "${CLANG_OVERRIDE_CFLAGS-}")
+
+exec "$CLANG" "$@" "${CLANG_OVERRIDE_CFLAGS_a[@]}"