scan-build (Clang Static Analyzer)

scan-build is a command line utility that enables a user to run the static analyzer over their codebase as part of performing a regular build (from the command line).

Version

clang 5.0.0

Runtime

Alpine Linux 3.7

Supported Languages

C C++

Official Documentation

http://clang-analyzer.llvm.org/scan-build.html

YAML Configuration

scan-build:

  • input:

    Patterns to include in reports.

    Note: The input patterns are not applied when running scan-build since scan-build performs a regular build to analyze and the files excluded by the patterns may be required for the build. Therefore, the files excluded by the patterns are always processed and you may even see logs related to the excluded files in the job console. However, Inspecode eventually ignores any issues detected on the excluded files when generating job reports.

  • ignore:

    Patterns to exclude from reports.

    Note: Just like input:, the ignore patterns are not applied when running scan-build.

  • options:

    Below is the list of options that are supported:

    OPTIONS:
    
     -analyze-headers
    
       Also analyze functions in #included files.  By default, such functions
       are skipped unless they are called by functions within the main source file.
    
     --force-analyze-debug-code
    
       Tells analyzer to enable assertions in code even if they were disabled
       during compilation to enable more precise results.
    
     -k
     --keep-going
    
       Add a "keep on going" option to the specified build command. This option
       currently supports make and xcodebuild. This is a convenience option; one
       can specify this behavior directly using build options.
    
    ADVANCED OPTIONS:
    
     -maxloop <loop count>
    
       Specify the number of times a block can be visited before giving up.
       Default is 4. Increase for more comprehensive coverage at a cost of speed.
    
    CONTROLLING CHECKERS:
    
     A default group of checkers are always run unless explicitly disabled.
     Checkers may be enabled/disabled using the following options:
    
     -enable-checker [checker name]
     -disable-checker [checker name]

    In addition, -- option is also supported to specify your build commands.

  • thresholds:

    • num-issues:

      No tool specific severity levels are available.

  • experimental:

    • incremental:

      N/A

      Note: The incremental analysis cannot be supported for scan-build. This is because scan-build performs a regular build with requiring all build dependencies and the results on unchanged files can be affected by changed files.

YAML Examples

  • With default options:

    inspecode:
      scan-build: default
  • With custom machine:

    inspecode:
      scan-build:
        machine:
          cpu: 1.5 # 1.5 CPU, 5760 MiB RAM
  • With custom options:

    inspecode:
      scan-build:
        options:
          - -k
          - --: ./configure
          - --: [make, mytarget]

    With the above configuration, Inspecode runs scan-build twice as shown below:

    scan-build -k ./configure
    scan-build -k make mytarget

Available Toolchain

  • autoconf (GNU Autoconf) 2.69
  • automake (GNU automake) 1.15.1
  • clang 5.0.0
  • cmake 3.9.5
  • gcc 6.4.0
  • g++ 6.4.0
  • make (GNU Make) 4.2.1
  • musl 1.1.18
  • linux-headers 4.4.6

Build Command Detection

If no build commands are explicitly specified via -- option such as when using default built-in configuration, Inspecode recursively scans your repository to detect project directories enabling one of the following build systems, and then run build commands at each directory accordingly.

  • CMake (build commands: cmake . && make)
  • ./configure (build commands: ./configure && make)
  • Make (build commands: make)

If the automatic detection does not suit your project, explicitly specify build commands via -- option.

Resolving Dependencies

scan-build requires all build dependencies to run, so Inspecode tries to download dependencies before running scan-build:

As of now, Inspecode can download:

  • submodules available to the public
  • submodules provided from your private repositories which:
    • belong to the same GitHub organization or Bitbucket team as the repository on which scan-build runs
    • have been already registered to Inspecode
    • can be accessed via http://<hostname>/<path>, https://<hostname>/<path>, ssh://git@<hostname>/<path> or git@<hostname>:<path>

Note: If resolving dependencies fails due to some reasons, you can see the error log, however, Inspecode continues the process unless running scan-build itself fails.

results matching ""

    No results matching ""