From: Victor Julien
Date: Wed, 7 May 2025 17:28:28 +0000 (+0200)
Subject: github-ci: bump scan-build to 20 on Ubuntu 25.04
X-Git-Tag: suricata-8.0.0-rc1~329
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=159bacb268d2410e4ee3d310d9931ba609bcacf3;p=thirdparty%2Fsuricata.git

github-ci: bump scan-build to 20 on Ubuntu 25.04
---
diff --git a/.github/workflows/scan-build.yml b/.github/workflows/scan-build.yml
index e3046fffa6..10a50bd1be 100644
--- a/.github/workflows/scan-build.yml
+++ b/.github/workflows/scan-build.yml
@@ -18,7 +18,7 @@ jobs:
 scan-build:
 name: Scan-build
 runs-on: ubuntu-latest
- container: ubuntu:24.04
+ container: ubuntu:25.04
 steps:
 - name: Cache scan-build
 uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57
@@ -36,8 +36,8 @@ jobs:
 automake \
 cargo \
 cbindgen \
- clang-18 \
- clang-tools-18 \
+ clang-20 \
+ clang-tools-20 \
 dpdk-dev \
 git \
 libtool \
@@ -60,7 +60,7 @@ jobs:
 libevent-dev \
 libevent-pthreads-2.1-7 \
 liblz4-dev \
- llvm-18-dev \
+ llvm-20-dev \
 make \
 python3-yaml \
 rustc \
@@ -71,13 +71,13 @@ jobs:
 - run: git config --global --add safe.directory /__w/suricata/suricata
 - run: ./scripts/bundle.sh
 - run: ./autogen.sh
- - run: scan-build-18 ./configure --enable-warnings --enable-dpdk --enable-nfqueue --enable-nflog
+ - run: scan-build-20 ./configure --enable-warnings --enable-dpdk --enable-nfqueue --enable-nflog
 env:
- CC: clang-18
+ CC: clang-20
 # disable security.insecureAPI.DeprecatedOrUnsafeBufferHandling explicitly as
 # this will require significant effort to address.
 - run: |
- scan-build-18 --status-bugs --exclude rust \
+ scan-build-20 --status-bugs --exclude rust \
 -enable-checker valist.Uninitialized \
 -enable-checker valist.CopyToSelf \
 -enable-checker valist.Unterminated \
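Review bot: The `container: ubuntu:25.04` line in the first hunk references the image by a mutable tag, while the `actions/cache` step directly below it is pinned to a full commit SHA. Pinning the image the same way, `container: ubuntu:25.04@sha256:<digest-placeholder>`, would keep the analyzer toolchain reproducible and make any image change visible in review. 25.04 is also an interim Ubuntu release with a short support window, presumably chosen here for its clang-20 packages. A one-line comment such as `# interim release, used for clang-20; revisit at the next LTS` would record that for the next maintainer.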
@@ -94,9 +94,14 @@ jobs:
 -enable-checker nullability.NullablePassedToNonnull \
 -enable-checker nullability.NullableDereferenced \
 -enable-checker optin.performance.Padding \
+ -enable-checker security.MmapWriteExec \
+ -enable-checker security.PointerSub \
+ -enable-checker security.PutenvStackArray \
+ -enable-checker security.SetgidSetuidOrder \
+ -enable-checker security.cert.env.InvalidPtr \
 \
 -disable-checker security.insecureAPI.DeprecatedOrUnsafeBufferHandling \
 \
 make
 env:
- CC: clang-18
+ CC: clang-20
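Review bot: The five `security.*` checkers added to the `scan-build-20` invocation carry no comment, unlike the `-disable-checker` line, whose rationale is documented above the step. Checker names depend on the analyzer release (as far as I can tell, some of these sat under `alpha.*` in older clang versions), so this list is coupled to the clang-20 bump. A later toolchain change could break the step or change what is checked. I would add a comment above the `- run: |` step along the lines of `# security.* checkers below are named as in clang-20; re-check the names when changing the clang version`. That step starts before this hunk, so the comment belongs outside the lines shown here.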