Consider running cppcheck on the CI #3316

Open
gilles-peskine-arm opened this issue May 7, 2020 · 1 comment

Comments

gilles-peskine-arm commented May 7, 2020

Cppcheck is a static analysis tool for C (and C++). We should run it on our CI.

In my limited experience, Cppcheck doesn't find much compared to other tools we're already using, in particular ASan+UBSan and Coverity. But those tools only analyze a specific compile-time configuration (Coverity) or only cases that are hit by test code in a few compile-time configurations (ASan+UBSan). Cppcheck is a rare tool that tries to analyze all possible preprocessor configurations. It can find issues in “exotic” or untested configurations such as #3310.

There's an Ubuntu package so we could fairly easily arrange to run it on Travis, however it may be a little too CPU-hungry. It's not at all expensive by the standards of what we run on Jenkins, but installing an additional package is a bit more of a hassle there.
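An added illustration of the configuration-coverage point in the comment above (constructed for this page, not code from the project and not the defect in #3310): the uninitialized read exists only when the hypothetical option `DEMO_LEGACY_ALG` is defined, so sanitizer runs of the default build never execute it, while a tool that walks both sides of the `#if` can see it. All `demo_` names are assumptions.

```c
/* Constructed example. DEMO_LEGACY_ALG is a hypothetical compile-time
 * option that no test build enables. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum demo_alg { DEMO_ALG_SHA256 = 1, DEMO_ALG_SHA512 = 2, DEMO_ALG_LEGACY = 3 };

/* Returns the digest length for alg, or 0 if alg is unsupported in this build. */
size_t demo_digest_len(enum demo_alg alg)
{
    size_t len;
    switch (alg) {
    case DEMO_ALG_SHA256: len = 32; break;
    case DEMO_ALG_SHA512: len = 64; break;
#if defined(DEMO_LEGACY_ALG)
    case DEMO_ALG_LEGACY:
        /* Defect, present only in the untested configuration:
         * len is never assigned on this path, so the return below
         * reads an uninitialized value. The fix is `len = 20;`
         * (constructed value) before the break. */
        break;
#endif
    default:
        return 0;
    }
    return len;
}

/* Zero-fills the digest slot for alg; returns bytes cleared, 0 on error.
 * With the defect above, len would be garbage here in the legacy build. */
size_t demo_clear_digest(enum demo_alg alg, unsigned char *buf, size_t buf_size)
{
    size_t len = demo_digest_len(alg);
    if (len == 0 || len > buf_size)
        return 0;
    memset(buf, 0, len);
    return len;
}

int main(void)
{
    unsigned char buf[64];
    /* Default build: the legacy case is compiled out and rejected. */
    printf("sha256 cleared: %zu\n", demo_clear_digest(DEMO_ALG_SHA256, buf, sizeof(buf)));
    printf("legacy cleared: %zu\n", demo_clear_digest(DEMO_ALG_LEGACY, buf, sizeof(buf)));
    return 0;
}
```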

mpg commented May 11, 2020

Does it have a low enough rate of false positives? That's usually the issue with static analysis tools that makes it hard to run them as part of the CI.
