ci: Use CodeChecker as static analysis tool

CodeChecker combines multiple static code analysis tools including
`clang-sa`. Moreover it is simpler to use.
It could eventually replace `clang-sa` completely in the pipeline.

.github/workflows/codechecker.yaml

@@ -0,0 +1,30 @@
+name: Clang Static Analyzer
+
+on: [push, pull_request]
+
+jobs:
+  clang_static_analyzer:
+    runs-on: ubuntu-22.04
+
+    steps:
+    - name: Checkout code including full history and submodules
+      uses: actions/checkout@v3
+      with:
+        submodules: true
+        fetch-depth: 0
+
+    - name: Install CodeChecker
+      run:  |
+        sudo apt-get update
+        sudo apt-get install clang-tools-14 cmake cppcheck libcunit1-dev ninja-build unzip wget
+        pip3 install codechecker
+
+    - name: Run CodeChecker
+      run: |
+        run: tools/ci/run_ci.sh --run-build --run-code-checker
+
+    - name: Upload CodeChecker reports
+      uses: actions/upload-artifact@v1
+      with:
+        name: CodeChecker Reports
+        path: build-wakaama/codechecker_report

README.md

@@ -133,12 +133,12 @@ Wakaama provides a simple CLI library. It can be enabled with:
   - Unit testing: CUnit
 
 On Ubuntu 24.04, used in CI, the dependencies can be installed as such:
-- `apt install build-essential clang-format clang-format-18 clang-tools-18 cmake gcovr git libcunit1-dev ninja-build python3-pip`
+- `apt install build-essential clang-format clang-format-18 clang-tools-18 cmake cppcheck gcovr git libcunit1-dev ninja-build python3-pip`
 - `pip3 install -r tools/requirements-compliance.txt`
 
 For macOS the development dependencies can be installed as such:
 
-`brew install automake clang-format cmake cunit gcc gitlint gnu-getopt make ninja`
+`brew install automake clang-format cmake cppcheck cunit gcc gitlint make ninja gnu-getopt`
 
 ### Code formatting
 #### C

tools/ci/run_ci.sh

@@ -40,6 +40,7 @@ RUN_CMAKE_FORMAT=0
 RUN_GITLINT=0
 RUN_GIT_BLAME_IGNORE=0
 RUN_TESTS=0
+RUN_CODE_CHECKER=0
 RUN_DOXYGEN=0
 
 HELP_MSG="usage: ${SCRIPT_NAME} <OPTIONS>...
@@ -84,6 +85,7 @@ Available steps (executed by --all):
   --run-cmake-format       Check CMake files formatting
   --run-build              Build all targets
   --run-tests              Execute tests (works only for top level project)
+  --run-code-checker       Run the CodeChecker code analyzer
   --run-doxygen            Build the Doxygen documentation of the code
 "
 
@@ -224,11 +226,31 @@ function run_tests() {
   find "${REPO_ROOT_DIR}" -name \*.gcov -exec rm {} \;
 }
 
+function run_codechecker() {
+  readonly config_file="${REPO_ROOT_DIR}/tools/codechecker/config.json"
+  readonly ignore_file="${REPO_ROOT_DIR}/tools/codechecker/ignore.txt"
+  readonly codechecker_result_dir="build-wakaama/codechecker_result/"
+  readonly codechecker_report="build-wakaama/codechecker_report/"
+  codechecker check --logfile build-wakaama/compile_commands.json \
+                    --config $config_file \
+                    --ignore $ignore_file \
+                    --output $codechecker_result_dir \
+                    || true  # Currently failing with found issues
+
+  codechecker parse -e html \
+                    -o  $codechecker_report \
+                    --config $config_file \
+                    --ignore $ignore_file \
+                    --trim-path-prefix="${REPO_ROOT_DIR}" \
+                    $codechecker_result_dir
+}
+
 function run_doxygen() {
   mkdir -p build-wakaama/doxygen
     GIT_REVISION=$(git rev-parse @) WORKING_DIR=$(pwd) DOXYGEN_OUT_DIR=build-wakaama/doxygen \
       doxygen doc/doxygen/Doxyfile
 }
+
 # Parse Options
 
 if [[ "$OSTYPE" == "darwin"* ]]; then
@@ -259,6 +281,7 @@ if ! PARSED_OPTS=$($getopt -o vah \
                           -l run-gitlint \
                           -l run-git-blame-ignore \
                           -l run-tests \
+                          -l run-code-checker \
                           -l run-doxygen \
                           -l sanitizer: \
                           -l scan-build: \
@@ -324,6 +347,10 @@ while true; do
       RUN_TESTS=1
       shift
       ;;
+    --run-code-checker)
+      RUN_CODE_CHECKER=1
+      # Analyzing works only when code gets actually built
+      RUN_CLEAN=1
     --run-doxygen)
       RUN_DOXYGEN=1
       shift
@@ -411,6 +438,11 @@ if [ -n "${OPT_SCAN_BUILD}" ] && [ -n "${OPT_SONARQUBE}" ]; then
   exit 1
 fi
 
+if [ "${RUN_CODE_CHECKER}" = "1" ] && [ -n "${OPT_SONARQUBE}" ]; then
+  echo "--sonarqube and --code-checker can not be enabled at the same time"
+  exit 1
+fi
+
 if [ -n "${OPT_SONARQUBE}" ]; then
   OPT_TEST_COVERAGE_REPORT="${OPT_TEST_COVERAGE_REPORT:-none}"
   OPT_WRAPPER_CMD="${OPT_SONARQUBE} \
@@ -431,6 +463,10 @@ if [ -n "${OPT_SCAN_BUILD}" ]; then
     --exclude examples/shared/tinydtls"
 fi
 
+if [ "${RUN_CODE_CHECKER}" = "1" ]; then
+  CMAKE_ARGS="${CMAKE_ARGS} -DCMAKE_EXPORT_COMPILE_COMMANDS=ON -DCMAKE_BUILD_TYPE=Debug"
+fi
+
 # Run Steps
 
 if [ "${RUN_GITLINT}" -eq 1 ]; then
@@ -461,6 +497,8 @@ if [ "${RUN_TESTS}" -eq 1 ]; then
   run_tests
 fi
 
+if [ "${RUN_CODE_CHECKER}" = "1" ]; then
+  run_codechecker
 if [ "${RUN_DOXYGEN}" -eq 1 ]; then
   run_doxygen
 fi

tools/codechecker/config.json

@@ -0,0 +1,12 @@
+{
+  "analyze": [
+    "--disable=cplusplus",
+    "--disable=cppcheck-exceptDeallocThrow",
+    "--disable=cppcheck-exceptThrowInDestructor",
+    "--disable=cppcheck-leakUnsafeArgAlloc",
+    "--disable=cppcheck-rethrowNoCurrentException",
+    "--disable=cppcheck-thisSubtraction",
+    "--disable=cppcheck-throwInNoexceptFunction",
+    "--clean"
+  ]
+}

tools/codechecker/ignore.txt

@@ -0,0 +1,2 @@
+-*/examples/shared/tinydtls/*
+-*/tests/*