github-ci: add more scan-build checks

Explicitly disable:
security.insecureAPI.DeprecatedOrUnsafeBufferHandling
optin.performance.Padding

diff --git a/.github/workflows/scan-build.yml b/.github/workflows/scan-build.yml
index d7bb1f6c26d7fb0906a7a6b1200c3741a8505be4..a56b1634a143bd1f038f9970f9a4a6798cf9f21f 100644 (file)
--- a/.github/workflows/scan-build.yml
+++ b/.github/workflows/scan-build.yml
@@ -66,6 +66,27 @@ jobs:
         env:
           CC: clang-16
       # exclude libhtp from the analysis
-      - run: scan-build-16 --status-bugs --exclude libhtp/ make
+      - run: |
+          scan-build-16 --status-bugs --exclude libhtp/ \
+                -enable-checker valist.Uninitialized \
+                -enable-checker valist.CopyToSelf \
+                -enable-checker valist.Unterminated \
+                -enable-checker security.insecureAPI.bcmp \
+                -enable-checker security.insecureAPI.bcopy \
+                -enable-checker security.insecureAPI.bzero \
+                -enable-checker security.insecureAPI.rand \
+                -enable-checker security.insecureAPI.strcpy \
+                -enable-checker security.insecureAPI.decodeValueOfObjCType \
+                -enable-checker security.FloatLoopCounter \
+                -enable-checker optin.portability.UnixAPI \
+                -enable-checker optin.performance.GCDAntipattern \
+                -enable-checker nullability.NullableReturnedFromNonnull \
+                -enable-checker nullability.NullablePassedToNonnull \
+                -enable-checker nullability.NullableDereferenced \
+                \
+                -disable-checker security.insecureAPI.DeprecatedOrUnsafeBufferHandling \
+                -disable-checker optin.performance.Padding \
+                \
+                make
         env:
           CC: clang-16