security: Add compiler static analysis support

Enable GCC builtin static analysis in Zephyr's static code analysis (SCA) infra. When this option is enabled GCC performs a static analysis and can point problems like: sample.c + int *j; + + if (j != NULL) { + printf("j != NULL\n"); output: ${ZEPHYR_BASE}/samples/userspace/hello_world_user/src/main.c:30:12: warning: use of uninitialized value 'j' [CWE-457] [-Wanalyzer-use-of-uninitialized-value] 30 | if (j != NULL) { | ^ 'main': events 1-2 | | 25 | int *j; | | ^ | | | | | (1) region created on stack here |...... | 30 | if (j != NULL) { | | ~ | | | | | (2) use of uninitialized value 'j' here Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
2023-10-30 13:39:41 -07:00 · 2023-10-30 13:39:41 -07:00 · 3fc5d971fe
commit 3fc5d971fe
parent b27494b7ed
3 changed files with 24 additions and 0 deletions
--- a/cmake/sca/gcc/sca.cmake
+++ b/cmake/sca/gcc/sca.cmake
@ -0,0 +1,5 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (c) 2024 Intel Corporation
+
+list(APPEND TOOLCHAIN_C_FLAGS -fanalyzer)
--- a/doc/develop/sca/gcc.rst
+++ b/doc/develop/sca/gcc.rst
@ -0,0 +1,18 @@
+.. _gcc:
+
+GCC static analysis support
+###########################
+
+Static analysis was introduced in `GCC <https://gcc.gnu.org/>`__ 10 and it is enabled
+with the option ``-fanalyzer``. This option performs a much more expensive and thorough
+analysis of the code than traditional warnings.
+
+Run GCC static analysis
+***********************
+
+To run GCC static analysis, :ref:`west build <west-building>` should be
+called with a ``-DZEPHYR_SCA_VARIANT=gcc`` parameter, e.g.
+
+.. code-block:: shell
+
+    west build -b qemu_x86 samples/userspace/hello_world_user -- -DZEPHYR_SCA_VARIANT=gcc
--- a/doc/develop/sca/index.rst
+++ b/doc/develop/sca/index.rst
@ -63,3 +63,4 @@ The following is a list of SCA tools natively supported by Zephyr build system.

   codechecker
   sparse
+   gcc