GHA: enable more options in static analyzer jobs
authorViktor Szakats <commit@vsz.me>
Sat, 20 Sep 2025 09:43:59 +0000 (11:43 +0200)
committerViktor Szakats <commit@vsz.me>
Mon, 22 Sep 2025 11:10:51 +0000 (13:10 +0200)
This is an effort to pass more code through the clang-tidy and scan-build
static analyzers, following the CodeQL Linux jobs.

GHA/codeql:
- also build with libssh.
- disable verbose output in build steps.

GHA/linux:
- enable more build options for the clang-tidy and scan-build jobs:
  libidn2, nghttp2, ldap, kerberos, rtmp, gnutls, gsasl, rustls,
  mbedtls, wolfssl
  Use Linuxbrew where necessary.
- also enable ECH, gssapi in the scan-build job.
- fix 'scanbuild' to be 'scan-build' in the job name.

GHA/macos:
- build with Rustls in the clang-tidy job.
- add a new clang-tidy job to test HTTP/3 (with openssl + ngtcp2).
- build with libssh in one of the clang-tidy jobs.
- build with LibreSSL in the MultiSSL clang-tidy job.
- build with heimdal and kerberos in the clang-tidy jobs respectively.
- build with OpenLDAP in one clang-tidy job.
- add support for `skipall`, `skiprun` job options, and use it.

Closes #18660

.github/workflows/codeql.yml
.github/workflows/linux.yml
.github/workflows/macos.yml

index 808ee0b63a918b9388e24fa78d1656a1634c1278..97b0ddd42c5ce15629f4a2733d6103316bf59beb 100644 (file)
@@ -75,7 +75,7 @@ jobs:
           sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list
           sudo apt-get -o Dpkg::Use-Pty=0 update
           sudo rm -f /var/lib/man-db/auto-update
-          sudo apt-get -o Dpkg::Use-Pty=0 install libpsl-dev libbrotli-dev libidn2-dev libssh2-1-dev \
+          sudo apt-get -o Dpkg::Use-Pty=0 install libpsl-dev libbrotli-dev libidn2-dev libssh2-1-dev libssh-dev \
             libnghttp2-dev libldap-dev heimdal-dev librtmp-dev libgnutls28-dev libwolfssl-dev
           /home/linuxbrew/.linuxbrew/bin/brew install c-ares gsasl libnghttp3 libngtcp2 mbedtls rustls-ffi
 
@@ -108,19 +108,20 @@ jobs:
             cmake -B _bld1 -G Ninja -DENABLE_DEBUG=ON \
               -DCURL_USE_GNUTLS=ON -DCURL_USE_MBEDTLS=ON -DCURL_USE_RUSTLS=ON -DCURL_USE_WOLFSSL=ON \
               -DUSE_LIBRTMP=ON -DCURL_USE_GSASL=ON -DCURL_USE_GSSAPI=ON -DUSE_SSLS_EXPORT=ON -DUSE_ECH=ON -DENABLE_ARES=ON
-            cmake --build _bld1 --verbose
-            cmake --build _bld1 --verbose --target curlinfo
-            cmake --build _bld1 --verbose --target servers
-            cmake --build _bld1 --verbose --target tunits
-            cmake --build _bld1 --verbose --target curl-examples-build
+            cmake --build _bld1
+            cmake --build _bld1 --target curlinfo
+            cmake --build _bld1 --target servers
+            cmake --build _bld1 --target tunits
+            cmake --build _bld1 --target curl-examples-build
 
             # HTTP/3
             export PKG_CONFIG_PATH; PKG_CONFIG_PATH="$(brew --prefix libnghttp3)/lib/pkgconfig:$(brew --prefix libngtcp2)/lib/pkgconfig:$(brew --prefix gsasl)/lib/pkgconfig"
             cmake -B _bld2 -G Ninja \
               -DCURL_USE_OPENSSL=ON -DOPENSSL_ROOT_DIR="$(brew --prefix openssl)" -DUSE_NGTCP2=ON \
+              -DCURL_USE_LIBSSH2=OFF -DCURL_USE_LIBSSH=ON \
               -DUSE_LIBRTMP=ON -DCURL_USE_GSASL=ON -DCURL_USE_GSSAPI=ON -DUSE_SSLS_EXPORT=ON
-            cmake --build _bld2 --verbose
-            cmake --build _bld2 --verbose --target servers
+            cmake --build _bld2
+            cmake --build _bld2 --target servers
 
             _bld1/src/curl --disable --version
             _bld2/src/curl --disable --version
index 7aa7bc5707f4f8d0383b65156c28edac7667160a..969b460d1dd41023032a5971734487b8ce9badb4 100644 (file)
@@ -215,18 +215,31 @@ jobs:
             configure: --without-ssl --enable-debug --disable-http --disable-smtp --disable-imap --disable-unity
 
           - name: 'clang-tidy'
-            install_packages: clang-tidy libkrb5-dev
-            install_steps: skipall wolfssl-opensslextra wolfssh
-            configure: LDFLAGS=-Wl,-rpath,/home/runner/wolfssl-opensslextra/lib --with-wolfssl=/home/runner/wolfssl-opensslextra --with-wolfssh=/home/runner/wolfssh --with-openssl --enable-ech --with-gssapi --enable-ssls-export
+            install_packages: clang-tidy libssl-dev libidn2-dev libssh2-1-dev libnghttp2-dev libldap-dev libkrb5-dev librtmp-dev libgnutls28-dev
+            install_steps: skipall mbedtls rustls wolfssl-opensslextra
+            install_steps_brew: gsasl
             make-custom-target: tidy
-
-          - name: 'scanbuild'
-            install_packages: clang-tools clang libssl-dev libssh2-1-dev
-            install_steps: skipall
-            configure: --with-openssl --enable-debug --with-libssh2 --disable-unity
+            PKG_CONFIG_PATH: /home/linuxbrew/.linuxbrew/opt/gsasl/lib/pkgconfig
+            LDFLAGS: -Wl,-rpath,/home/runner/wolfssl-opensslextra/lib -Wl,-rpath,/home/linuxbrew/.linuxbrew/opt/gsasl/lib
+            configure: >-
+              --with-wolfssl=/home/runner/wolfssl-opensslextra --with-openssl --with-rustls --with-mbedtls=/home/runner/mbedtls --with-gnutls --with-libgsasl
+              --with-librtmp --with-libssh2 --with-libidn2
+              --enable-ech --with-gssapi --enable-ssls-export
+
+          - name: 'scan-build'
+            install_packages: clang-tools clang libssl-dev libidn2-dev libssh2-1-dev libnghttp2-dev libldap-dev libkrb5-dev librtmp-dev libgnutls28-dev
+            install_steps: skipall mbedtls rustls wolfssl-opensslextra
+            install_steps_brew: gsasl
             CC: clang
             configure-prefix: scan-build
             make-prefix: scan-build --status-bugs
+            PKG_CONFIG_PATH: /home/linuxbrew/.linuxbrew/opt/gsasl/lib/pkgconfig
+            LDFLAGS: -Wl,-rpath,/home/runner/wolfssl-opensslextra/lib -Wl,-rpath,/home/linuxbrew/.linuxbrew/opt/gsasl/lib
+            configure: >-
+              --with-wolfssl=/home/runner/wolfssl-opensslextra --with-openssl --with-rustls --with-mbedtls=/home/runner/mbedtls --with-gnutls --with-libgsasl
+              --with-librtmp --with-libssh2 --with-libidn2
+              --enable-ech --with-gssapi --enable-ssls-export
+              --disable-debug --disable-unity
 
           - name: 'address-sanitizer'
             install_packages: libssh2-1-dev clang libssl-dev libubsan1 libasan8 libtsan2
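Review bot: The new clang-tidy and scan-build entries install `libnghttp2-dev` and `libldap-dev`, but neither `configure:` value names nghttp2 or LDAP, so those code paths reach the analyzers only if configure's autodetection finds them. If a package is renamed or detection breaks, the job would stay green while analyzing less code. Adding `--with-nghttp2 --enable-ldap` to both `configure:` blocks would state the intent, and where configure treats an explicit request as a requirement it would fail instead of shrinking coverage silently. Separately, the scan-build entry goes from `--enable-debug` to `--disable-debug`, which the commit message does not mention; a one-line YAML comment giving the reason would help the next reader.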
@@ -296,6 +309,7 @@ jobs:
       - name: 'install prereqs'
         if: ${{ matrix.build.container == null && !contains(matrix.build.name, 'i686') }}
         env:
+          INSTALL_PACKAGES_BREW: '${{ matrix.build.install_steps_brew }}'
           INSTALL_PACKAGES: >-
             ${{ !contains(matrix.build.install_steps, 'skipall') && !contains(matrix.build.install_steps, 'skiprun') && 'stunnel4' || '' }}
             ${{ contains(matrix.build.install_steps, 'pytest') && 'apache2 apache2-dev libnghttp2-dev vsftpd dante-server' || '' }}
@@ -309,6 +323,7 @@ jobs:
             libpsl-dev zlib1g-dev libbrotli-dev libzstd-dev \
             ${INSTALL_PACKAGES} \
             ${MATRIX_INSTALL_PACKAGES}
+          [ -n "${INSTALL_PACKAGES_BREW}" ] && /home/linuxbrew/.linuxbrew/bin/brew install ${INSTALL_PACKAGES_BREW}
           python3 -m venv ~/venv
 
       - name: 'install prereqs'
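Review bot: The added `[ -n "${INSTALL_PACKAGES_BREW}" ] && … brew install …` line yields a non-zero status whenever the variable is empty, which is harmless only because another command follows it in the step. Writing it as `if [ -n "${INSTALL_PACKAGES_BREW}" ]; then /home/linuxbrew/.linuxbrew/bin/brew install ${INSTALL_PACKAGES_BREW}; fi` keeps the step's result independent of line order. The unquoted expansion is needed for word splitting, and passing the matrix value through `env:` (added in the previous hunk) rather than interpolating `${{ }}` into the script is the pattern to keep. The enclosing `run:` block starts outside this hunk.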
index be8565303eb86f253103d33861ba1b295ce984d9..0fd9d20f5b38b042915052d0cd07d8cfe858ef6b 100644 (file)
@@ -281,10 +281,27 @@ jobs:
             generate: -DOPENSSL_ROOT_DIR=/opt/homebrew/opt/openssl -DCURL_USE_GSASL=ON -DUSE_LIBRTMP=ON -DUSE_APPLE_IDN=ON -DUSE_NGTCP2=ON
           - name: 'MultiSSL AppleIDN clang-tidy +examples'
             compiler: clang
-            install: llvm brotli zstd gnutls nettle mbedtls gsasl rtmpdump fish
-            install_steps: clang-tidy
-            generate: -DCURL_USE_OPENSSL=ON -DOPENSSL_ROOT_DIR=/opt/homebrew/opt/openssl -DCURL_DEFAULT_SSL_BACKEND=openssl -DCURL_USE_GNUTLS=ON -DCURL_USE_MBEDTLS=ON -DENABLE_ARES=ON -DCURL_USE_GSASL=ON -DUSE_LIBRTMP=ON -DUSE_APPLE_IDN=ON -DUSE_SSLS_EXPORT=ON -DCURL_CLANG_TIDY=ON -DCLANG_TIDY=/opt/homebrew/opt/llvm/bin/clang-tidy -DCURL_COMPLETION_FISH=ON -DCURL_COMPLETION_ZSH=ON
+            install: llvm brotli zstd gnutls nettle libressl krb5 mbedtls gsasl rustls-ffi rtmpdump libssh fish
+            install_steps: clang-tidy skiprun
             chkprefill: _chkprefill
+            generate: >-
+              -DCURL_USE_OPENSSL=ON -DOPENSSL_ROOT_DIR=/opt/homebrew/opt/libressl -DCURL_DEFAULT_SSL_BACKEND=openssl
+              -DCURL_USE_GNUTLS=ON -DCURL_USE_MBEDTLS=ON -DCURL_USE_RUSTLS=ON -DENABLE_ARES=ON -DCURL_USE_GSASL=ON -DUSE_LIBRTMP=ON
+              -DCURL_USE_LIBSSH2=OFF -DCURL_USE_LIBSSH=ON -DUSE_APPLE_IDN=ON -DUSE_SSLS_EXPORT=ON
+              -DCURL_USE_GSSAPI=ON -DGSS_ROOT_DIR=/opt/homebrew/opt/krb5
+              -DCURL_CLANG_TIDY=ON -DCLANG_TIDY=/opt/homebrew/opt/llvm/bin/clang-tidy
+              -DCURL_COMPLETION_FISH=ON -DCURL_COMPLETION_ZSH=ON
+
+          - name: 'HTTP/3 clang-tidy'
+            compiler: clang
+            install: llvm brotli zstd libnghttp3 libngtcp2 openldap heimdal
+            install_steps: clang-tidy skipall
+            generate: >-
+              -DCURL_USE_OPENSSL=ON -DOPENSSL_ROOT_DIR=/opt/homebrew/opt/openssl -DUSE_NGTCP2=ON
+              -DLDAP_INCLUDE_DIR=/opt/homebrew/opt/openldap/include -DLDAP_LIBRARY=/opt/homebrew/opt/openldap/lib/libldap.dylib -DLDAP_LBER_LIBRARY=/opt/homebrew/opt/openldap/lib/liblber.dylib
+              -DCURL_USE_GSSAPI=ON -DGSS_ROOT_DIR=/opt/homebrew/opt/heimdal
+              -DCURL_CLANG_TIDY=ON -DCLANG_TIDY=/opt/homebrew/opt/llvm/bin/clang-tidy
+
           - name: 'quictls +static libssh +examples'
             install: quictls libssh
             generate: -DOPENSSL_ROOT_DIR=/opt/homebrew/opt/quictls -DBUILD_STATIC_LIBS=ON -DCURL_USE_LIBSSH2=OFF -DCURL_USE_LIBSSH=ON
@@ -340,7 +357,7 @@ jobs:
         env:
           INSTALL_PACKAGES: >-
             ${{ matrix.build.generate && 'ninja' || 'automake libtool' }}
-            ${{ !contains(matrix.build.install_steps, 'clang-tidy') && 'nghttp2 stunnel' || '' }}
+            ${{ !contains(matrix.build.install_steps, 'skipall') && !contains(matrix.build.install_steps, 'skiprun') && 'nghttp2 stunnel' || '' }}
             ${{ contains(matrix.build.install_steps, 'pytest') && 'caddy httpd vsftpd' || '' }}
 
         run: |
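Review bot: `skipall` and `skiprun` are tested here and in the three following hunks, but nothing visible says what each one means. From the conditions, `skipall` appears to skip building tests, installing test prerequisites and running tests, while `skiprun` skips only the latter two. A comment next to the matrix would save readers from reconstructing that, e.g. `# install_steps: skiprun = build tests but do not run them; skipall = also skip building tests`. Since `contains()` on a string is a substring match, the comment could also note that token names must not be substrings of one another.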
@@ -459,6 +476,7 @@ jobs:
           fi
 
       - name: 'build tests'
+        if: ${{ !contains(matrix.build.install_steps, 'skipall') }}
         run: |
           if [ "${MATRIX_BUILD}" = 'cmake' ]; then
             cmake --build bld --verbose --target testdeps
@@ -467,14 +485,14 @@ jobs:
           fi
 
       - name: 'install test prereqs'
-        if: ${{ !contains(matrix.build.install_steps, 'clang-tidy') }}
+        if: ${{ !contains(matrix.build.install_steps, 'skipall') && !contains(matrix.build.install_steps, 'skiprun') }}
         run: |
           python3 -m venv ~/venv
           source ~/venv/bin/activate
           python3 -m pip install -r tests/requirements.txt
 
       - name: 'run tests'
-        if: ${{ !contains(matrix.build.install_steps, 'clang-tidy') }}
+        if: ${{ !contains(matrix.build.install_steps, 'skipall') && !contains(matrix.build.install_steps, 'skiprun') }}
         timeout-minutes: ${{ contains(matrix.build.install_steps, 'torture') && 20 || 10 }}
         env:
           TEST_TARGET: ${{ contains(matrix.build.install_steps, 'torture') && 'test-torture' || 'test-ci' }}
@@ -496,13 +514,13 @@ jobs:
           fi
 
       - name: 'install pytest prereqs'
-        if: ${{ !contains(matrix.build.install_steps, 'clang-tidy') && contains(matrix.build.install_steps, 'pytest') }}
+        if: ${{ contains(matrix.build.install_steps, 'pytest') }}
         run: |
           source ~/venv/bin/activate
           python3 -m pip install -r tests/http/requirements.txt
 
       - name: 'run pytest'
-        if: ${{ !contains(matrix.build.install_steps, 'clang-tidy') && contains(matrix.build.install_steps, 'pytest') }}
+        if: ${{ contains(matrix.build.install_steps, 'pytest') }}
         env:
           PYTEST_ADDOPTS: '--color=yes'
           PYTEST_XDIST_AUTO_NUM_WORKERS: 4
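Review bot: Both pytest steps now run whenever `install_steps` contains `pytest`, with no `skipall`/`skiprun` check, yet 'install pytest prereqs' does `source ~/venv/bin/activate` and that venv is created in 'install test prereqs', which the previous hunk skips for those tokens. No visible matrix entry combines them, so this is latent, but a future entry with `pytest skiprun` would fail at the `source` line rather than skip cleanly. Keeping the guard on both steps, `if: ${{ !contains(matrix.build.install_steps, 'skipall') && !contains(matrix.build.install_steps, 'skiprun') && contains(matrix.build.install_steps, 'pytest') }}`, would preserve the old behaviour. The 'run pytest' step continues past the end of the hunk.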