To met these OpenSSF Best Practices suggestions on Static code analysis:
At least one static code analysis tool (beyond compiler warnings and "safe" language modes) MUST be applied to any proposed major production release of the software before its release, if there is at least one FLOSS tool that implements this criterion in the selected language. [static_analysis]
It is SUGGESTED that at least one of the static analysis tools used for the static_analysis criterion include rules or approaches to look for common vulnerabilities in the analyzed language or environment. [static_analysis_common_vulnerabilities]
Apart from the static code analysis of the generator code (shacl2code) itself, (additional) static code analysis may also be needed for the generated bindings for C++, Go, Python, and Rust.
Suggested tools in the table below. Note that JSON Schema is not relevant for OpenSSF security context but added here for completeness.
| Language |
Current |
Suggested tools for static analysis |
Suggested tools for static analysis common vulnerabilities |
| C++ |
Compile with -Wall -Werror - but OpenSSF says "beyond compiler warnings", so this alone likely doesn't satisfy. |
cppcheck or clang-tidy (clang-tidy wouldn't work smoothly, since we use GNU g++) - PR #128 |
cppcheck or clang-tidy (with cert-* or clang-analyzer-security.* checks) |
| Go |
None |
go vet and staticcheck - PR #126 |
gosec |
| JSON Schema |
None |
ajv compile for JSON Schema spec compatibility check |
N/A |
| Python |
mypy, pyrefly, pyright |
Already covered |
bandit |
| Rust |
None |
cargo clippy - PR #127 |
cargo audit |
To met these OpenSSF Best Practices suggestions on Static code analysis:
Apart from the static code analysis of the generator code (shacl2code) itself, (additional) static code analysis may also be needed for the generated bindings for C++, Go, Python, and Rust.
Suggested tools in the table below. Note that JSON Schema is not relevant for OpenSSF security context but added here for completeness.
-Wall -Werror- but OpenSSF says "beyond compiler warnings", so this alone likely doesn't satisfy.cppcheckor(clang-tidy wouldn't work smoothly, since we use GNU g++) - PR #128clang-tidycppcheckorclang-tidy(with cert-* or clang-analyzer-security.* checks)go vetandstaticcheck- PR #126gosecajv compilefor JSON Schema spec compatibility checkmypy,pyrefly,pyrightbanditcargo clippy- PR #127cargo audit