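---
# Static analysis of the C sources with clang's scan-build. Documentation-only
# changes are skipped because they cannot change the analyzer's result.
name: Scan-build

on:  # yamllint disable-line rule:truthy
  push:
    paths-ignore:
      - "doc/**"
  pull_request:
    paths-ignore:
      - "doc/**"

# The analyzer only reads the repository; it publishes nothing, so the token
# needs no write scope.
permissions: read-all

# Only the newest run per ref is useful; superseded runs are stopped.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  scan-build:
    name: Scan-build
    runs-on: ubuntu-latest
    container: ubuntu:24.04
    steps:
      # Cargo registry/cache directory for the Rust parts of the build.
      # NOTE(review): the key is static, so once saved this cache is never
      # refreshed; cargo still fetches whatever is missing, so it degrades
      # gracefully rather than breaking the build.
      - name: Cache scan-build
        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2
        with:
          path: ~/.cargo
          key: scan-build

      # Build and analysis toolchain. apt-get is the stable front end for
      # scripting (apt warns that its CLI is unstable when not on a terminal),
      # and DEBIAN_FRONTEND=noninteractive keeps debconf from prompting inside
      # the container.
      - name: Install system packages
        run: |
          apt-get update
          apt-get -y install \
            libpcre2-dev \
            build-essential \
            autoconf \
            automake \
            cargo \
            cbindgen \
            clang-18 \
            clang-tools-18 \
            dpdk-dev \
            git \
            libtool \
            libpcap-dev \
            libnet1-dev \
            libyaml-0-2 \
            libyaml-dev \
            libcap-ng-dev \
            libcap-ng0 \
            libmagic-dev \
            libnetfilter-log-dev \
            libnetfilter-queue-dev \
            libnetfilter-queue1 \
            libnfnetlink-dev \
            libnfnetlink0 \
            libnuma-dev \
            libhiredis-dev \
            libhyperscan-dev \
            libjansson-dev \
            libevent-dev \
            libevent-pthreads-2.1-7 \
            liblz4-dev \
            llvm-18-dev \
            make \
            python3-yaml \
            rustc \
            software-properties-common \
            zlib1g \
            zlib1g-dev
        env:
          DEBIAN_FRONTEND: noninteractive

      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938

      # The checkout is owned by a different uid than the user inside the
      # container, so git would otherwise refuse to operate on the repository.
      - run: git config --global --add safe.directory /__w/suricata/suricata

      # Bundled sources (libhtp is excluded from the analysis below), then the
      # generated build system.
      - run: ./scripts/bundle.sh
      - run: ./autogen.sh

      # configure also runs under scan-build so the analyzer wraps the detected
      # compiler; CC must name the same clang the analyzer uses.
      - run: scan-build-18 ./configure --enable-warnings --enable-dpdk --enable-nfqueue --enable-nflog
        env:
          CC: clang-18

      # exclude libhtp from the analysis
      # disable security.insecureAPI.DeprecatedOrUnsafeBufferHandling explicitly as
      # this will require significant effort to address.
      # --status-bugs makes the step fail whenever the analyzer produces a report.
      - run: |
          scan-build-18 --status-bugs --exclude libhtp/ --exclude rust \
            -enable-checker valist.Uninitialized \
            -enable-checker valist.CopyToSelf \
            -enable-checker valist.Unterminated \
            -enable-checker security.insecureAPI.bcmp \
            -enable-checker security.insecureAPI.bcopy \
            -enable-checker security.insecureAPI.bzero \
            -enable-checker security.insecureAPI.rand \
            -enable-checker security.insecureAPI.strcpy \
            -enable-checker security.insecureAPI.decodeValueOfObjCType \
            -enable-checker security.FloatLoopCounter \
            -enable-checker optin.portability.UnixAPI \
            -enable-checker optin.performance.GCDAntipattern \
            -enable-checker nullability.NullableReturnedFromNonnull \
            -enable-checker nullability.NullablePassedToNonnull \
            -enable-checker nullability.NullableDereferenced \
            -enable-checker optin.performance.Padding \
            -disable-checker security.insecureAPI.DeprecatedOrUnsafeBufferHandling \
            make
        env:
          CC: clang-18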