nix: add static analysis infrastructure #1
Open
randomizedcoder wants to merge 1 commit into pr/nix-bpf-compat-samples from
Conversation
Port static analysis framework from the reference Nix implementation, adapted for XDP2's C codebase and Make-based build system.

8 analysis tools at 3 levels:
- quick: clang-tidy + cppcheck
- standard: + flawfinder, clang-analyzer, gcc-warnings
- deep: + gcc-analyzer, semgrep, sanitizers

Compilation database generated by parsing `make V=1 VERBOSE=1` output with a custom Python script, since bear's LD_PRELOAD fails in the Nix sandbox and compiledb doesn't recognize Nix wrapper compiler paths.

Python triage system aggregates, deduplicates, and prioritizes findings across all tools.

Exemptions documented in EXEMPTIONS.md cover cppcheck tool limitations (macro parsing, void pointer arithmetic, container_of patterns) and high-volume style checks (narrowing conversions, reserved identifiers, assignment-in-if) that are intentional in C networking code.

Results (analysis-quick):
  clang-tidy: 18,108 raw → 3,653 after triage
  cppcheck: 202 raw
  triage: 14 high-confidence findings

Usage:
  nix build .#analysis-quick
  nix build .#analysis-standard
  nix build .#analysis-deep
  make analysis

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
- `make V=1 VERBOSE=1` output (bear's LD_PRELOAD and compiledb both fail in Nix sandbox)
- EXEMPTIONS.md)
- Results (analysis-quick): 18,108 raw clang-tidy + 202 cppcheck → 14 high-confidence findings after triage.

Stacks on top of PR xdp2-dev#13 (pr/nix-bpf-compat-samples → xdp2-dev:num_args).

Test plan
- `nix eval` passes for all 11 analysis targets
- `nix build .#analysis-quick` — clang-tidy (18,108) + cppcheck (202), 14 high-confidence
- `nix build .#analysis-standard` — + flawfinder (305), clang-analyzer (141), gcc-warnings (111)
- `nix build .#analysis-flawfinder` — 305 findings
- `nix build .#analysis-semgrep` — 56 findings
- `nix build .#analysis-sanitizers` — builds with ASan+UBSan
- `make analysis` convenience target

🤖 Generated with Claude Code
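The commit message explains why the compilation database is built by parsing `make V=1 VERBOSE=1` output rather than with bear (LD_PRELOAD is blocked in the Nix sandbox) or compiledb (it does not recognise Nix wrapper compiler paths). The script below is an added example of that approach, not the PR's own `compile_commands` generator: it tracks make's `Entering directory` / `Leaving directory` lines to resolve relative paths, recognises compiler drivers by basename so `/nix/store/...-gcc-wrapper-*/bin/gcc` is accepted, skips link steps, deduplicates rebuilds, and reports source files the database failed to cover (files clang-tidy and clang-analyzer would otherwise skip silently). The sample make output, store paths and flags are constructed for the example; nothing here is taken from the XDP2 tree.

```python
"""Build compile_commands.json from `make V=1 VERBOSE=1` output.

Added example (not the PR's script). The make log, /nix/store paths and
flags below are constructed; the directory layout is hypothetical.
"""
import json
import os
import re
import shlex
from typing import Dict, List, Optional

# Match compiler drivers by basename only: Nix wrappers live at
# /nix/store/<hash>-gcc-wrapper-<ver>/bin/gcc, and cross prefixes or
# version suffixes (x86_64-linux-gnu-gcc, clang-17) are common.
COMPILER_RE = re.compile(
    r"^(?:.*-)?(?:gcc|cc|clang|g\+\+|c\+\+|clang\+\+)(?:-\d+(?:\.\d+)*)?$"
)
ENTER_RE = re.compile(r"^make(?:\[\d+\])?: Entering directory '(.*)'$")
LEAVE_RE = re.compile(r"^make(?:\[\d+\])?: Leaving directory '(.*)'$")
SOURCE_EXTS = (".c", ".cc", ".cpp", ".cxx")

# Constructed sample of what `make V=1 VERBOSE=1` echoes inside a Nix build.
SAMPLE_MAKE_OUTPUT = """\
make: Entering directory '/build/xdp2'
make[1]: Entering directory '/build/xdp2/src/lib'
/nix/store/zzzzzzzz-gcc-wrapper-13.2.0/bin/gcc -O2 -g -Wall -I../../include -DXDP2_DEBUG=1 -c parser.c -o parser.o
/nix/store/zzzzzzzz-gcc-wrapper-13.2.0/bin/gcc -O2 -g -Wall -I../../include -c tables.c -o tables.o
/nix/store/zzzzzzzz-gcc-wrapper-13.2.0/bin/gcc -O2 -g -Wall -I../../include -c tables.c -o tables.o
/nix/store/zzzzzzzz-gcc-wrapper-13.2.0/bin/gcc -shared -o libxdp2.so parser.o tables.o
make[1]: Leaving directory '/build/xdp2/src/lib'
make[1]: Entering directory '/build/xdp2/src/tools'
/nix/store/zzzzzzzz-gcc-wrapper-13.2.0/bin/gcc -O2 -I../../include -DNAME=\\"compiler\\" -c compiler.c -o compiler.o
make[1]: Leaving directory '/build/xdp2/src/tools'
make: Leaving directory '/build/xdp2'
"""


def is_compiler(token: str) -> bool:
    return bool(COMPILER_RE.match(os.path.basename(token)))


def parse_compile_line(line: str, cwd: str) -> Optional[Dict]:
    """Turn one echoed compiler invocation into a compile_commands entry, else None."""
    try:
        argv = shlex.split(line)  # honours the shell quoting make printed
    except ValueError:
        return None  # unbalanced quotes: not a command line we can trust
    if not argv or not is_compiler(argv[0]) or "-c" not in argv:
        return None  # not a compile step (link, dep-gen, or unrelated tool)
    sources = [a for a in argv if a.endswith(SOURCE_EXTS) and not a.startswith("-")]
    if len(sources) != 1:
        return None  # multi-source invocations are rare; skip rather than guess
    entry = {
        "directory": cwd,
        "file": os.path.normpath(os.path.join(cwd, sources[0])),
        "arguments": argv,
    }
    if "-o" in argv and argv.index("-o") + 1 < len(argv):
        entry["output"] = os.path.normpath(os.path.join(cwd, argv[argv.index("-o") + 1]))
    return entry


def parse_make_output(text: str, root: str) -> List[Dict]:
    """Walk the verbose log, tracking make's directory stack, and collect entries."""
    stack = [root]
    entries: Dict[str, Dict] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTER_RE.match(line)
        if m:
            stack.append(m.group(1))
            continue
        if LEAVE_RE.match(line):
            if len(stack) > 1:
                stack.pop()
            continue
        entry = parse_compile_line(line, stack[-1])
        if entry:
            entries[entry["file"]] = entry  # last invocation per file wins: dedupes rebuilds
    return list(entries.values())


def uncovered_sources(entries: List[Dict], source_files: List[str]) -> List[str]:
    """Sources in the tree but absent from the database: files the analyzers would skip."""
    covered = {e["file"] for e in entries}
    return sorted(f for f in source_files if os.path.normpath(f) not in covered)


def write_compile_commands(entries: List[Dict], out_path: str) -> None:
    with open(out_path, "w") as fh:
        json.dump(entries, fh, indent=2)


if __name__ == "__main__":
    import sys
    log = SAMPLE_MAKE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for e in parse_make_output(log, os.getcwd()):
        print(e["file"], "->", e.get("output"))
```

In a real build the log comes from `make V=1 VERBOSE=1 2>&1 | tee make.log` and the root is the directory make was started in; the `Entering directory` lines then give absolute paths, so the root only matters for a non-recursive build. The coverage check is the part worth keeping in CI: a compile database that silently misses files turns every downstream tool's "no findings" into a false negative, so compare the entries against `find src -name '*.c'` before trusting the analysis numbers.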