csmock - Man Page

run static analysis of the given SRPM using mock

Description

usage: csmock [-h] [-r MOCK_PROFILE] [-t TOOLS] [-a] [-l] [--install INSTALL]

[-o OUTPUT] [-f] [-j JOBS] [--rpm-build-opts RPM_BUILD_OPTS] [--cswrap-timeout CSWRAP_TIMEOUT] [-U EMBED_CONTEXT] [--warning-rate-limit WARNING_RATE_LIMIT] [--limit-msg-len LIMIT_MSG_LEN] [-k] [--skip-init] [--skip-build] [--use-ldpwrap] [--no-clean | --scrub-on-exit] [--no-scan] [--run-check] [--no-run-check] [--print-defects] [--no-print-defects] [--base-srpm BASE_SRPM] [--base-root BASE_MOCK_PROFILE] [--root-override MOCK_ROOT_OVERRIDE] [--skip-patches | --diff-patches | -c SHELL_CMD] [--known-false-positives KNOWN_FALSE_POSITIVES] [--use-login-shell] [--no-use-login-shell] [--version] [--bandit-scan-build] [--no-bandit-scan-build] [--bandit-scan-install] [--no-bandit-scan-install] [--bandit-evt-filter BANDIT_EVT_FILTER] [--bandit-severity-filter {LOW,MEDIUM,HIGH}] [--cbmc-add-flag CBMC_ADD_FLAG] [--cbmc-timeout CBMC_TIMEOUT] [--clang-add-flag CLANG_ADD_FLAG] [--use-host-cppcheck] [--cppcheck-add-flag CPPCHECK_ADD_FLAG] [--divine-add-flag DIVINE_ADD_FLAG] [--divine-timeout DIVINE_TIMEOUT] [--symbiotic-add-flag SYMBIOTIC_ADD_FLAG] [--symbiotic-timeout SYMBIOTIC_TIMEOUT] [--valgrind-add-flag VALGRIND_ADD_FLAG] [--valgrind-timeout VALGRIND_TIMEOUT] [--strace-add-flag STRACE_ADD_FLAG] [--gitleaks-bin-url GITLEAKS_BIN_URL] [--gitleaks-cache-dir GITLEAKS_CACHE_DIR] [--gitleaks-config GITLEAKS_CONFIG] [--gitleaks-rate-limit GITLEAKS_RATE_LIMIT] [--gitleaks-limit-msg-len GITLEAKS_LIMIT_MSG_LEN] [--gitleaks-refresh] [--infer-analyze-add-flag INFER_ANALYZE_ADD_FLAG] [--infer-archive-path INFER_ARCHIVE_PATH] [--infer-filter] [--no-infer-filter] [--infer-biabduction-filter] [--no-infer-biabduction-filter] [--infer-inferbo-filter] [--no-infer-inferbo-filter] [--infer-uninit-filter] [--no-infer-uninit-filter] [--infer-dead-store-severity] [--no-infer-dead-store-severity] [--infer-timeout INFER_TIMEOUT] [--pylint-scan-build] [--no-pylint-scan-build] [--pylint-scan-install] [--no-pylint-scan-install] [--pylint-evt-filter PYLINT_EVT_FILTER] [--semgrep-metrics SEMGREP_METRICS] [--semgrep-rules-repo SEMGREP_RULES_REPO] [--semgrep-verbose] [--semgrep-scan-opts SEMGREP_SCAN_OPTS] [--shellcheck-scan-build] [--no-shellcheck-scan-build] [--shellcheck-scan-install] [--no-shellcheck-scan-install] [--shellcheck-batch SHELLCHECK_BATCH] [--shellcheck-timeout SHELLCHECK_TIMEOUT] [--snyk-bin-url SNYK_BIN_URL] [--snyk-auth SNYK_AUTH] [--snyk-cache-dir SNYK_CACHE_DIR] [--snyk-refresh] [--snyk-timeout SNYK_TIMEOUT] [--snyk-code-test-opts SNYK_CODE_TEST_OPTS] [--unicontrol-bidi-only] [--unicontrol-notests] [-w GCC_WARNING_LEVEL] [--gcc-analyze] [--gcc-analyzer-bin GCC_ANALYZER_BIN] [--gcc-analyze-add-flag GCC_ANALYZE_ADD_FLAG] [--gcc-set-env] [--gcc-sanitize-address | --gcc-sanitize-leak | --gcc-sanitize-thread | --gcc-sanitize-undefined] [--gcc-add-flag GCC_ADD_FLAG] [--gcc-add-c-only-flag GCC_ADD_C_ONLY_FLAG] [--gcc-add-cxx-only-flag GCC_ADD_CXX_ONLY_FLAG] [--gcc-del-flag GCC_DEL_FLAG] [SRPM]

positional arguments

SRPM

source RPM package to be scanned by static analyzers

options

-h,  --help

show this help message and exit

-r,  --root MOCK_PROFILE

mock profile to use (defaults to mock's default)

-t,  --tools TOOLS

comma-separated list of tools to enable (use --listavailable-tools to see the list of available tools)

-a,  --all-tools

enable all stable csmock plug-ins (use --listavailable-tools to see the list of available tools)

-l,  --list-available-tools

list available tools and exit

--install INSTALL

space-separated list of packages to install into the chroot

-o,  --output OUTPUT

name of the tarball or directory to put the results to

-f,  --force

overwrite the resulting file or directory if it exists already

-j,  --jobs JOBS

maximal number of jobs running in parallel (passed to 'make')

--rpm-build-opts RPM_BUILD_OPTS

shell-quoted options passed to rpm-build

--cswrap-timeout CSWRAP_TIMEOUT

maximal amount of time taken by analysis of a single module [s]

-U,  --embed-context EMBED_CONTEXT

embed a number of lines of context from the source file for the key event (defaults to 3).

--warning-rate-limit WARNING_RATE_LIMIT

stop processing a warning if the count of its occurrences exceeds the specified limit (defaults to 1024).

--limit-msg-len LIMIT_MSG_LEN

limit length of diagnostic messages by the specified number of chars (defaults to 512).

-k,  --keep-going

continue as much as possible after an error

--skip-init

do not run 'mock --init' before the scan (may lead to unpredictable scan results)

--skip-build

do not run %build and %install sections [EXPERIMENTAL]

--use-ldpwrap

use ldpwrap instead of csexec-loader [EXPERIMENTAL]

--no-clean

do not clean chroot when it becomes unused

--scrub-on-exit

scrub all caches after the scan

--no-scan

do not analyze any package, just check versions of the analyzers

--run-check

run the %check section of specfile (disabled by default)

--no-run-check

disables --run-check

--print-defects

print the resulting list of defects (default if connected to a tty)

--no-print-defects

disables --print-defects

--base-srpm BASE_SRPM

perform a differential scan against the specified base package

--base-root BASE_MOCK_PROFILE

mock profile to use for the base scan (use only with --base-srpm)

--root-override MOCK_ROOT_OVERRIDE

override the build root directory for mock (disables yum and root cache)

--skip-patches

skip patches not annotated by %{?_rawbuild} (vanilla build)

--diff-patches

scan with/without patches and diff the lists of defects

-c,  --shell-cmd SHELL_CMD

use shell command to build the given tarball (instead of SRPM)

--known-false-positives KNOWN_FALSE_POSITIVES

suppress known false positives loaded from the given file (defaults to "/usr/share/csmock/known-falsepositives.js" if available)

--use-login-shell

use login shell for build (default)

--no-use-login-shell

disables --use-login-shell

--version

print the version of csmock and exit

--bandit-scan-build

make bandit scan files in the build directory (disabled by default)

--no-bandit-scan-build

disables --bandit-scan-build

--bandit-scan-install

make bandit scan files in the install directory (enabled by default)

--no-bandit-scan-install

disables --bandit-scan-install

--bandit-evt-filter BANDIT_EVT_FILTER

report only Bandit defects whose key event matches the given regex (defaults to '^B[0-9]+')

--bandit-severity-filter {LOW,MEDIUM,HIGH}

suppress Bandit defects whose severity level is below given level (default 'LOW')

--cbmc-add-flag CBMC_ADD_FLAG

append the given flag when invoking cbmc (can be used multiple times)

--cbmc-timeout CBMC_TIMEOUT

maximal amount of time taken by analysis of a single process [s]

--clang-add-flag CLANG_ADD_FLAG

append the given flag when invoking clang static analyzer (can be used multiple times)

--use-host-cppcheck

use statically linked cppcheck installed on the host (automatically enables the Cppcheck plug-in)

--cppcheck-add-flag CPPCHECK_ADD_FLAG

append the given flag when invoking cppcheck (can be used multiple times)

--divine-add-flag DIVINE_ADD_FLAG

append the given flag when invoking divine (can be used multiple times)

--divine-timeout DIVINE_TIMEOUT

maximal amount of time taken by analysis of a single process [s]

--symbiotic-add-flag SYMBIOTIC_ADD_FLAG

append the given flag when invoking symbiotic (can be used multiple times)

--symbiotic-timeout SYMBIOTIC_TIMEOUT

maximal amount of time taken by analysis of a single process [s]

--valgrind-add-flag VALGRIND_ADD_FLAG

append the given flag when invoking valgrind (can be used multiple times)

--valgrind-timeout VALGRIND_TIMEOUT

maximal amount of time taken by analysis of a single process [s]

--strace-add-flag STRACE_ADD_FLAG

append the given flag when invoking strace (can be used multiple times)

--gitleaks-bin-url GITLEAKS_BIN_URL

URL to download gitleaks binary executable (in a .tar.gz) from

--gitleaks-cache-dir GITLEAKS_CACHE_DIR

directory where downloaded Gitleaks tarballs are cached across runs

--gitleaks-config GITLEAKS_CONFIG

local configuration file to be used for gitleaks

--gitleaks-rate-limit GITLEAKS_RATE_LIMIT

drop warnings if their count exceeds the specified limit

--gitleaks-limit-msg-len GITLEAKS_LIMIT_MSG_LEN

trim message if it exceeds max message length

--gitleaks-refresh

force download of gitleaks binary executable (in a .tar.gz) from

--infer-analyze-add-flag INFER_ANALYZE_ADD_FLAG

appends the given flag (except '-o') when invoking 'infer analyze' (can be used multiple times)(default flags '--bufferoverrun', '--pulse')

--infer-archive-path INFER_ARCHIVE_PATH

use the given archive to install Infer (default is /opt/infer-linux*.tar.xz)

--infer-filter

apply false positive filter (enabled by default)

--no-infer-filter

disables --infer-filter

--infer-biabduction-filter

apply false positive bi-abduction filter (enabled by default)

--no-infer-biabduction-filter

disables --infer-biabduction-filter

--infer-inferbo-filter

apply false positive inferbo filter (enabled by default)

--no-infer-inferbo-filter

disables --infer-inferbo-filter

--infer-uninit-filter

apply false positive uninit filter (enabled by default)

--no-infer-uninit-filter

disables --infer-uninit-filter

--infer-dead-store-severity

lower dead store severity (enabled by default)

--no-infer-dead-store-severity

disables --infer-dead-store-severity

--infer-timeout INFER_TIMEOUT

maximal amount of time taken by Infer's analysis phase [s] (default 300)

--pylint-scan-build

make pylint scan files in the build directory (disabled by default)

--no-pylint-scan-build

disables --pylint-scan-build

--pylint-scan-install

make pylint scan files in the install directory (enabled by default)

--no-pylint-scan-install

disables --pylint-scan-install

--pylint-evt-filter PYLINT_EVT_FILTER

filter out Pylint defects whose key event matches the given regex (defaults to '^W[0-9]+', use '.*' to get all defects detected by Pylint)

--semgrep-metrics SEMGREP_METRICS

configure whether usage metrics are sent to the Semgrep server (defaults to off)

--semgrep-rules-repo SEMGREP_RULES_REPO

semgrep rules repo, assuming rules are located under the 'rules' sub-directory

--semgrep-verbose

show more details about what rules are running, which files failed to parse, etc.

--semgrep-scan-opts SEMGREP_SCAN_OPTS

space-separated list of additional options passed to the 'semgrep scan' command

--shellcheck-scan-build

make shellcheck scan files in the build directory (disabled by default)

--no-shellcheck-scan-build

disables --shellcheck-scan-build

--shellcheck-scan-install

make shellcheck scan files in the install directory (enabled by default)

--no-shellcheck-scan-install

disables --shellcheck-scan-install

--shellcheck-batch SHELLCHECK_BATCH

maximum number of scripts scanned by a single shellcheck process (defaults to 1)

--shellcheck-timeout SHELLCHECK_TIMEOUT

maximum amount of wall-clock time taken by a single shellcheck process [s] (defaults to 30)

--snyk-bin-url SNYK_BIN_URL

URL to download snyk binary executable

--snyk-auth SNYK_AUTH

file containing snyk authentication token

--snyk-cache-dir SNYK_CACHE_DIR

directory where downloaded snyk tarballs are cached across runs

--snyk-refresh

force download of snyk binary executable

--snyk-timeout SNYK_TIMEOUT

maximum amount of time taken by invocation of Snyk [s]

--snyk-code-test-opts SNYK_CODE_TEST_OPTS

space-separated list of additional options passed to the 'snyk code test' command

--unicontrol-bidi-only

look for bidirectional control characters only

--unicontrol-notests

exclude tests (basically test.* as a component of path)

-w,  --gcc-warning-level GCC_WARNING_LEVEL

Adjust GCC warning level. -w0 means default flags, -w1 appends -Wall and -Wextra, and -w2 enables some other useful warnings. (automatically enables the GCC plugin)

--gcc-analyze

run `gcc -fanalyzer` in a separate process

--gcc-analyzer-bin GCC_ANALYZER_BIN

Use custom build of gcc to perform scan. Absolute path to the binary must be provided.

--gcc-analyze-add-flag GCC_ANALYZE_ADD_FLAG

append the given flag when invoking `gcc -fanalyzer` (can be used multiple times)

--gcc-set-env

set $CC and $CXX to gcc and g++, respectively, for build

--gcc-sanitize-address

enable %check and compile with -fsanitize=address

--gcc-sanitize-leak

enable %check and compile with -fsanitize=leak

--gcc-sanitize-thread

enable %check and compile with -fsanitize=thread

--gcc-sanitize-undefined

enable %check and compile with -fsanitize=undefined

--gcc-add-flag GCC_ADD_FLAG

append the given compiler flag when invoking gcc (can be used multiple times)

--gcc-add-c-only-flag GCC_ADD_C_ONLY_FLAG

append the given compiler flag when invoking gcc for C (can be used multiple times)

--gcc-add-cxx-only-flag GCC_ADD_CXX_ONLY_FLAG

append the given compiler flag when invoking gcc for C++ (can be used multiple times)

--gcc-del-flag GCC_DEL_FLAG

drop the given compiler flag when invoking gcc (can be used multiple times)

Output Format

If not overridden by the --output option, csmock creates an archive NVR.tar.xz in the current directory for an SRPM named NVR.src.rpm (or NVR.tar.* if the --shell-cmd option is used).  The archive contains a directory named NVR as the only top-level directory, containing the following items:

scan-results.err - scan results encoded as plain-text (for source code editors)

scan-results.html - scan results encoded as HTML (suitable for web browsers)

scan-results.js - scan results, including scan metadata, encoded using JSON

scan-results-summary.txt - total count of defects found by particular checkers

scan.ini - scan metadata encoded in the INI format

scan.log - scan log file (useful for debugging scan failures)

debug - a directory containing additional data (intended for csmock debugging)

Note that external plug-ins of csmock may create additional files (not covered by this man page) in the directory with results.

Referenced By

rebase-helper(1).

November 2024 csmock csmock-3.8.0-1.fc42