Skip to content

feat(cpp): expand coverage with tooling, security, and dependency analysis#50

Merged
alxxjohn merged 2 commits into
mainfrom
feat(cpp)-coverage-parity
Jul 17, 2026
Merged

feat(cpp): expand coverage with tooling, security, and dependency analysis#50
alxxjohn merged 2 commits into
mainfrom
feat(cpp)-coverage-parity

Conversation

@alxxjohn

Copy link
Copy Markdown
Contributor

Summary

This PR substantially expands CodeGuard’s C++ coverage, bringing it closer to the coverage currently available for Go
across quality, design, performance, security, CI/CD, contracts, and supply-chain checks.

It also adds opt-in native Clang tooling, safe compile_commands.json support, bounded C++ taint/SSRF analysis, and
static dependency extraction from CMake and conanfile.py.

What changed

C++ quality and native tooling

  • Applies maintainability checks across C++ sources, headers, templates, and module files.
  • Adds optional clang-format validation.
  • Adds optional clang++ -fsyntax-only compiler validation.
  • Supports off, auto, and required modes.
  • Keeps native tooling disabled by default to preserve existing behavior.
  • Adds automatic compile_commands.json discovery from:
    • Target root
    • build/
    • cmake-build-debug/
    • cmake-build-release/
  • Supports an explicitly configured target-relative compilation database path.

Safe compilation-database handling

Compilation databases are treated as untrusted metadata.

CodeGuard does not execute:

  • The compiler or wrapper named by the database
  • Response files
  • Compiler plugins
  • Output directives
  • Arbitrary database-provided flags

Instead, CodeGuard constructs a fixed clang++ -fsyntax-only invocation using only:

  • The target-local source file
  • The configured C++ standard
  • Target-contained include directories
  • -D and -U preprocessor metadata

External and ambiguous include paths are ignored. Symlink containment is also enforced and covered by regression
tests.

Configured executable overrides remain protected by CodeGuard’s existing config-command trust gate.

C++ dependency and design analysis

  • Builds a target-local include and C++20 named-module graph.
  • Detects include and module cycles.
  • Adds graph-impact and high-impact-change analysis.
  • Detects generic C++ filenames.
  • Detects excessive qualified out-of-line methods for a type.
  • Uses compilation-database include roots to improve dependency resolution when safely available.

C++ performance coverage

Adds or expands checks for:

  • Allocation-heavy string growth inside loops
  • Regex compilation inside loops
  • Polling sleeps inside loops
  • Accumulated or detached threads/tasks inside loops
  • Hot headers with many direct dependents
  • Headers or modules that amplify transitive rebuilds

The rebuild-cascade analysis uses the same configurable thresholds as the existing Go package analysis.

C++ security analysis

Adds checks for:

  • Insecure TLS configuration across common C++ networking libraries
  • Shell and process execution
  • Unsafe unbounded C string APIs
  • Tainted input reaching process-execution sinks
  • Tainted input reaching outbound-network destinations

Recognized taint sources include:

  • Environment variables
  • argv and envp
  • Standard input
  • Recognized request inputs

Recognized SSRF sinks include common APIs from:

  • libcurl
  • cpr
  • Boost resolver
  • cpprestsdk
  • Poco

New security rules include:

  • security.taint.cpp, mapped to OWASP A03 Injection
  • security.ssrf.cpp, mapped to OWASP A10 SSRF

The analysis is deliberately conservative and bounded to same-file assignments and function summaries.

C++ contract checks

  • Adds public C++ API compatibility checks against the diff base.
  • Detects removed or renamed public types and aliases.
  • Detects removed or changed public function declarations.
  • Restricts analysis to public headers under directories such as:
    • include/
    • public/
    • api/
  • Ignores private implementation headers outside public roots.

Contract checks run in diff mode and follow the existing contracts-family defaults.

C++ CI and test-quality checks

  • Detects C++ test files outside configured test directories.
  • Adds assertion-quality analysis for:
    • GoogleTest
    • Catch2
    • doctest
    • Boost.Test
    • Conventional assert calls

C++ supply-chain analysis

Expands manifest normalization and dependency analysis for:

  • vcpkg.json
  • conanfile.txt
  • conanfile.py
  • CMakeLists.txt
  • Dependency-bearing *.cmake files
  • Conan 1 and Conan 2 lockfiles

CMake

Statically recognizes:

  • find_package
  • FetchContent_Declare
  • ExternalProject_Add
  • CPMAddPackage
  • Same-file set() variable indirection
  • Multiline declarations
  • Exact revisions, hashes, and versioned URLs

Conan Python

Statically recognizes:

  • Literal dependency strings
  • Lists and tuples
  • Constants
  • Class-level requires and tool_requires
  • self.requires() and self.tool_requires() calls

CMake and Python files are never executed or imported during analysis.

Dynamic expressions, custom wrappers, cross-file variable propagation, and imported helpers are not evaluated.
Unresolved declarations are exposed through the supply-chain artifact’s analysis_limitations field.

Configuration and documentation

  • Adds quality_rules.cpp_tooling.
  • Adds the default-on security_rules.taint_cpp toggle.
  • Updates example configuration.
  • Updates the checks, features, and security documentation.
  • Adds rule catalog entries, fix templates, and OWASP mappings.
  • Updates SDK configuration types.

Safety and compatibility

  • Clang tooling is opt-in and defaults to off.
  • compile_commands.json is never treated as an executable command source.
  • Compiler arguments are rebuilt from a strict allowlist.
  • Include and source paths must remain inside the target.
  • CMake and conanfile.py analysis is static and never executes repository code.
  • C++ taint analysis does not claim pointer/field aliasing, macro expansion, or cross-file call-graph support.

Known limitations

  • C++ taint analysis is bounded to obvious same-file flows.
  • Pointer and field aliasing are not modeled.
  • Macro expansion is not modeled.
  • Cross-file function summaries are not currently built.
  • Dynamic CMake and Python expressions are reported as analysis limitations rather than evaluated.
  • Custom CMake wrappers and imported helpers are not resolved.

Verification

  • make ci passes.
  • Strict golangci-lint passes with 0 issues.
  • Full Go test suite passes.
  • Focused C++ tooling, taint/SSRF, CMake, Conan, contracts, dependency-graph, and CI test-quality tests pass.
  • CodeGuard repository self-scan passes:
    • Code Quality
    • Performance
    • Design Patterns
    • CI/CD
    • Supply Chain
    • Agent Context
  • Self-scan reports 0 findings.
  • Repository legibility score remains 100.
  • git diff --check passes.

Release impact

This is a feature-level change and uses Conventional Commit formatting so Release Please can include it in the next
release.

@alxxjohn
alxxjohn merged commit 16e8146 into main Jul 17, 2026
14 checks passed
alxxjohn added a commit that referenced this pull request Jul 17, 2026
🤖 I have created a release *beep* *boop*
---


##
[1.1.0](v1.0.0...v1.1.0)
(2026-07-17)


### Features

* **cpp:** add tooling and security analysis
([b93d681](b93d681))
* **cpp:** expand checks across all categories
([29ea77e](29ea77e))
* **cpp:** expand coverage with tooling, security, and dependency
analysis ([#50](#50))
([16e8146](16e8146))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).
@alxxjohn
alxxjohn deleted the feat(cpp)-coverage-parity branch July 17, 2026 15:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant