Code scanning update 5

Author: Easton97-Jens

.github/security-scan-excludes.txt

@@ -15,6 +15,7 @@ deps
 deps/*
 external
 external/*
+others/*
 
 # VCS / CI
 .git

.github/workflows/ci.yml

@@ -185,30 +185,38 @@ jobs:
  #        run: |
  #          cmake --build build --config Release
 
- 
-  cppcheck:
-    runs-on: [macos-14]
+  cppcheck-macos:
+    name: cppcheck (macOS)
+    runs-on: macos-14
+
     steps:
       - name: Setup Dependencies
         run: |
-          brew install autoconf \
-                       automake \
-                       libtool \
-                       cppcheck \
-                       mbedtls
-      - uses: actions/checkout@v6
+          brew update
+          brew install autoconf automake libtool cppcheck mbedtls
+
+      - name: Checkout (with submodules)
+        uses: actions/checkout@v6
         with:
-          submodules: true
+          submodules: recursive
           fetch-depth: 0
+
+      - name: Ensure submodules are up to date
+        run: |
+          git submodule sync --recursive
+          git submodule update --init --recursive --force
+
       - name: Build-Script ausführbar machen
         run: chmod +x build_on_macos.sh
+
       - name: build_on_macos.sh
         run: ./build_on_macos.sh
+
       - name: configure
         env:
           CPPFLAGS: -I/opt/homebrew/opt/mbedtls/include
           LDFLAGS: -L/opt/homebrew/opt/mbedtls/lib
-        run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes --disable-dependency-tracking
-          ./configure
+        run: ./configure --disable-dependency-tracking
+
       - name: cppcheck
         run: make check-static

.github/workflows/flawfinder.yml

@@ -63,21 +63,34 @@ jobs:
             echo "Files to scan: $(wc -l < /tmp/flawfinder-files.txt)"
           fi
 
-      - name: Run Flawfinder (SARIF)
+      - name: Build Flawfinder file list (headers only)
         shell: bash
         run: |
-          if [[ ! -s /tmp/flawfinder-files.txt ]]; then
-            echo "Skipping flawfinder: no files."
-            echo '{"version":"2.1.0","runs":[]}' > flawfinder.sarif
+          git ls-files headers '*.h' > /tmp/flawfinder-headers-files.txt
+
+      - name: Run Flawfinder (SARIF, headers strict)
+        shell: bash
+        run: |
+          if [[ ! -s /tmp/flawfinder-headers-files.txt ]]; then
+            echo "Skipping flawfinder headers: no files."
+            echo '{"version":"2.1.0","runs":[]}' > flawfinder-headers.sarif
             exit 0
           fi
 
-          flawfinder --sarif --quiet --minlevel=1 $(cat /tmp/flawfinder-files.txt) > flawfinder.sarif
+          flawfinder \
+            --sarif \
+            --quiet \
+            --minlevel=1 \
+            --exclude-dir=vendor,third_party,deps,external,mbedtls \
+            $(cat /tmp/flawfinder-headers-files.txt) \
+            > flawfinder-headers.sarif
+
+
 
 
       - name: Upload SARIF
         if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
         uses: github/codeql-action/upload-sarif@v4
         with:
-          sarif_file: flawfinder.sarif
-          category: flawfinder
+          sarif_file: flawfinder-headers.sarif
+          category: flawfinder-headers-strict