Static Analysis

Note

This page describes static analysis tools and practices for Nexus development.

Overview

Static analysis helps catch bugs, security issues, and code quality problems before runtime. Nexus uses multiple static analysis tools to ensure code quality.

Tools

clang-tidy

Purpose: C/C++ linter and static analyzer

Configuration: .clang-tidy in project root

Usage:

# Analyze single file
clang-tidy hal/src/nx_hal_gpio.c

# Analyze all files
python scripts/tools/lint.py

Checks Enabled:

• Modernization checks

• Performance checks

• Readability checks

• Bug-prone pattern detection

cppcheck

Purpose: Static analysis for C/C++

Usage:

# Analyze project
cppcheck --enable=all --inconclusive --std=c11 hal/

Checks:

• Memory leaks

• Null pointer dereferences

• Buffer overflows

• Uninitialized variables

MISRA C Compliance

Purpose: Safety-critical coding standards

Tool: PC-lint Plus or similar

Configuration: Custom rule set based on MISRA C:2012

Coverage:

• Mandatory rules: 100% compliance target

• Required rules: 95% compliance target

• Advisory rules: Best effort

See Coding Standards for MISRA C guidelines.

Compiler Warnings

GCC/Clang Flags:

-Wall
-Wextra
-Werror
-Wpedantic
-Wshadow
-Wconversion
-Wformat=2

Policy: All warnings must be fixed before merge.

Running Static Analysis

Automated (CI/CD)

Static analysis runs automatically on every pull request:

# .github/workflows/static-analysis.yml
- name: Run clang-tidy
  run: python scripts/tools/lint.py

- name: Run cppcheck
  run: cppcheck --enable=all --error-exitcode=1 .

Manual

Run locally before committing:

# Run all static analysis
python scripts/tools/analyze.py

# Run specific tool
python scripts/tools/lint.py --tool clang-tidy

Common Issues

False Positives

Problem: Tool reports issues that aren’t real problems

Solution:

1. Verify it’s actually a false positive

2. Add suppression comment if necessary:

/* cppcheck-suppress nullPointer */
*ptr = value;

3. Update tool configuration if pattern is common

Suppressing Warnings

Use sparingly - only for false positives

clang-tidy:

// NOLINT(check-name)
int value = (int)ptr;  // NOLINT(performance-no-int-to-ptr)

cppcheck:

/* cppcheck-suppress checkName */
code_here();

Best Practices

1. Fix warnings immediately Don’t let them accumulate

2. Understand the warning Don’t blindly suppress

3. Run locally Catch issues before CI

4. Keep tools updated New versions catch more issues

5. Review suppressions Periodically review suppressed warnings

Integration with IDE

VS Code

Install extensions:

• C/C++ (Microsoft)

• clangd

• Clang-Tidy

Configure in .vscode/settings.json:

{
  "C_Cpp.codeAnalysis.clangTidy.enabled": true,
  "C_Cpp.codeAnalysis.clangTidy.path": "clang-tidy"
}

CLion

Built-in clang-tidy support:

1. Settings → Editor → Inspections

2. Enable “Clang-Tidy”

3. Configure checks

Metrics

Track static analysis metrics:

• Number of warnings

• Warning density (warnings per KLOC)

• Time to fix warnings

• False positive rate

Target: Zero warnings in production code.

See Also

• Coding Standards - Coding standards and style guide

• Testing - Testing practices

• Code Review Guidelines - Code review checklist

• CI/CD Integration - CI/CD pipeline

—

Last Updated: 2026-01-25