csmock - Man Page
run static analysis of the given SRPM using mock
Description
usage: csmock [-h] [-r MOCK_PROFILE] [-t TOOLS] [-a] [-l] [--install INSTALL]
[-o OUTPUT] [-f] [-j JOBS] [--rpm-build-opts RPM_BUILD_OPTS] [--cswrap-timeout CSWRAP_TIMEOUT] [-U EMBED_CONTEXT] [--warning-rate-limit WARNING_RATE_LIMIT] [--limit-msg-len LIMIT_MSG_LEN] [-k] [--skip-init] [--skip-build] [--use-ldpwrap] [--no-clean | --scrub-on-exit] [--no-scan] [--run-check] [--no-run-check] [--print-defects] [--no-print-defects] [--base-srpm BASE_SRPM] [--base-root BASE_MOCK_PROFILE] [--root-override MOCK_ROOT_OVERRIDE] [--skip-patches | --diff-patches | -c SHELL_CMD] [--known-false-positives KNOWN_FALSE_POSITIVES] [--use-login-shell] [--no-use-login-shell] [--version] [--bandit-scan-build] [--no-bandit-scan-build] [--bandit-scan-install] [--no-bandit-scan-install] [--bandit-evt-filter BANDIT_EVT_FILTER] [--bandit-severity-filter {LOW,MEDIUM,HIGH}] [--cbmc-add-flag CBMC_ADD_FLAG] [--cbmc-timeout CBMC_TIMEOUT] [--clang-add-flag CLANG_ADD_FLAG] [--use-host-cppcheck] [--cppcheck-add-flag CPPCHECK_ADD_FLAG] [--divine-add-flag DIVINE_ADD_FLAG] [--divine-timeout DIVINE_TIMEOUT] [--symbiotic-add-flag SYMBIOTIC_ADD_FLAG] [--symbiotic-timeout SYMBIOTIC_TIMEOUT] [--valgrind-add-flag VALGRIND_ADD_FLAG] [--valgrind-timeout VALGRIND_TIMEOUT] [--strace-add-flag STRACE_ADD_FLAG] [--gitleaks-bin-url GITLEAKS_BIN_URL] [--gitleaks-cache-dir GITLEAKS_CACHE_DIR] [--gitleaks-config GITLEAKS_CONFIG] [--gitleaks-rate-limit GITLEAKS_RATE_LIMIT] [--gitleaks-limit-msg-len GITLEAKS_LIMIT_MSG_LEN] [--gitleaks-refresh] [--infer-analyze-add-flag INFER_ANALYZE_ADD_FLAG] [--infer-archive-path INFER_ARCHIVE_PATH] [--infer-filter] [--no-infer-filter] [--infer-biabduction-filter] [--no-infer-biabduction-filter] [--infer-inferbo-filter] [--no-infer-inferbo-filter] [--infer-uninit-filter] [--no-infer-uninit-filter] [--infer-dead-store-severity] [--no-infer-dead-store-severity] [--infer-timeout INFER_TIMEOUT] [--pylint-scan-build] [--no-pylint-scan-build] [--pylint-scan-install] [--no-pylint-scan-install] [--pylint-evt-filter PYLINT_EVT_FILTER] [--semgrep-metrics SEMGREP_METRICS] [--semgrep-rules-repo SEMGREP_RULES_REPO] [--semgrep-verbose] [--semgrep-scan-opts SEMGREP_SCAN_OPTS] [--shellcheck-scan-build] [--no-shellcheck-scan-build] [--shellcheck-scan-install] [--no-shellcheck-scan-install] [--shellcheck-batch SHELLCHECK_BATCH] [--shellcheck-timeout SHELLCHECK_TIMEOUT] [--snyk-bin-url SNYK_BIN_URL] [--snyk-auth SNYK_AUTH] [--snyk-cache-dir SNYK_CACHE_DIR] [--snyk-refresh] [--snyk-timeout SNYK_TIMEOUT] [--snyk-code-test-opts SNYK_CODE_TEST_OPTS] [--unicontrol-bidi-only] [--unicontrol-notests] [-w GCC_WARNING_LEVEL] [--gcc-analyze] [--gcc-analyzer-bin GCC_ANALYZER_BIN] [--gcc-analyze-add-flag GCC_ANALYZE_ADD_FLAG] [--gcc-set-env] [--gcc-sanitize-address | --gcc-sanitize-leak | --gcc-sanitize-thread | --gcc-sanitize-undefined] [--gcc-add-flag GCC_ADD_FLAG] [--gcc-add-c-only-flag GCC_ADD_C_ONLY_FLAG] [--gcc-add-cxx-only-flag GCC_ADD_CXX_ONLY_FLAG] [--gcc-del-flag GCC_DEL_FLAG] [SRPM]
positional arguments
- SRPM
source RPM package to be scanned by static analyzers
options
- -h, --help
show this help message and exit
- -r, --root MOCK_PROFILE
mock profile to use (defaults to mock's default)
- -t, --tools TOOLS
comma-separated list of tools to enable (use --listavailable-tools to see the list of available tools)
- -a, --all-tools
enable all stable csmock plug-ins (use --listavailable-tools to see the list of available tools)
- -l, --list-available-tools
list available tools and exit
- --install INSTALL
space-separated list of packages to install into the chroot
- -o, --output OUTPUT
name of the tarball or directory to put the results to
- -f, --force
overwrite the resulting file or directory if it exists already
- -j, --jobs JOBS
maximal number of jobs running in parallel (passed to 'make')
- --rpm-build-opts RPM_BUILD_OPTS
shell-quoted options passed to rpm-build
- --cswrap-timeout CSWRAP_TIMEOUT
maximal amount of time taken by analysis of a single module [s]
- -U, --embed-context EMBED_CONTEXT
embed a number of lines of context from the source file for the key event (defaults to 3).
- --warning-rate-limit WARNING_RATE_LIMIT
stop processing a warning if the count of its occurrences exceeds the specified limit (defaults to 1024).
- --limit-msg-len LIMIT_MSG_LEN
limit length of diagnostic messages by the specified number of chars (defaults to 512).
- -k, --keep-going
continue as much as possible after an error
- --skip-init
do not run 'mock --init' before the scan (may lead to unpredictable scan results)
- --skip-build
do not run %build and %install sections [EXPERIMENTAL]
- --use-ldpwrap
use ldpwrap instead of csexec-loader [EXPERIMENTAL]
- --no-clean
do not clean chroot when it becomes unused
- --scrub-on-exit
scrub all caches after the scan
- --no-scan
do not analyze any package, just check versions of the analyzers
- --run-check
run the %check section of specfile (disabled by default)
- --no-run-check
disables --run-check
- --print-defects
print the resulting list of defects (default if connected to a tty)
- --no-print-defects
disables --print-defects
- --base-srpm BASE_SRPM
perform a differential scan against the specified base package
- --base-root BASE_MOCK_PROFILE
mock profile to use for the base scan (use only with --base-srpm)
- --root-override MOCK_ROOT_OVERRIDE
override the build root directory for mock (disables yum and root cache)
- --skip-patches
skip patches not annotated by %{?_rawbuild} (vanilla build)
- --diff-patches
scan with/without patches and diff the lists of defects
- -c, --shell-cmd SHELL_CMD
use shell command to build the given tarball (instead of SRPM)
- --known-false-positives KNOWN_FALSE_POSITIVES
suppress known false positives loaded from the given file (defaults to "/usr/share/csmock/known-falsepositives.js" if available)
- --use-login-shell
use login shell for build (default)
- --no-use-login-shell
disables --use-login-shell
- --version
print the version of csmock and exit
- --bandit-scan-build
make bandit scan files in the build directory (disabled by default)
- --no-bandit-scan-build
disables --bandit-scan-build
- --bandit-scan-install
make bandit scan files in the install directory (enabled by default)
- --no-bandit-scan-install
disables --bandit-scan-install
- --bandit-evt-filter BANDIT_EVT_FILTER
report only Bandit defects whose key event matches the given regex (defaults to '^B[0-9]+')
- --bandit-severity-filter {LOW,MEDIUM,HIGH}
suppress Bandit defects whose severity level is below given level (default 'LOW')
- --cbmc-add-flag CBMC_ADD_FLAG
append the given flag when invoking cbmc (can be used multiple times)
- --cbmc-timeout CBMC_TIMEOUT
maximal amount of time taken by analysis of a single process [s]
- --clang-add-flag CLANG_ADD_FLAG
append the given flag when invoking clang static analyzer (can be used multiple times)
- --use-host-cppcheck
use statically linked cppcheck installed on the host (automatically enables the Cppcheck plug-in)
- --cppcheck-add-flag CPPCHECK_ADD_FLAG
append the given flag when invoking cppcheck (can be used multiple times)
- --divine-add-flag DIVINE_ADD_FLAG
append the given flag when invoking divine (can be used multiple times)
- --divine-timeout DIVINE_TIMEOUT
maximal amount of time taken by analysis of a single process [s]
- --symbiotic-add-flag SYMBIOTIC_ADD_FLAG
append the given flag when invoking symbiotic (can be used multiple times)
- --symbiotic-timeout SYMBIOTIC_TIMEOUT
maximal amount of time taken by analysis of a single process [s]
- --valgrind-add-flag VALGRIND_ADD_FLAG
append the given flag when invoking valgrind (can be used multiple times)
- --valgrind-timeout VALGRIND_TIMEOUT
maximal amount of time taken by analysis of a single process [s]
- --strace-add-flag STRACE_ADD_FLAG
append the given flag when invoking strace (can be used multiple times)
- --gitleaks-bin-url GITLEAKS_BIN_URL
URL to download gitleaks binary executable (in a .tar.gz) from
- --gitleaks-cache-dir GITLEAKS_CACHE_DIR
directory where downloaded Gitleaks tarballs are cached across runs
- --gitleaks-config GITLEAKS_CONFIG
local configuration file to be used for gitleaks
- --gitleaks-rate-limit GITLEAKS_RATE_LIMIT
drop warnings if their count exceeds the specified limit
- --gitleaks-limit-msg-len GITLEAKS_LIMIT_MSG_LEN
trim message if it exceeds max message length
- --gitleaks-refresh
force download of gitleaks binary executable (in a .tar.gz) from
- --infer-analyze-add-flag INFER_ANALYZE_ADD_FLAG
appends the given flag (except '-o') when invoking 'infer analyze' (can be used multiple times)(default flags '--bufferoverrun', '--pulse')
- --infer-archive-path INFER_ARCHIVE_PATH
use the given archive to install Infer (default is /opt/infer-linux*.tar.xz)
- --infer-filter
apply false positive filter (enabled by default)
- --no-infer-filter
disables --infer-filter
- --infer-biabduction-filter
apply false positive bi-abduction filter (enabled by default)
- --no-infer-biabduction-filter
disables --infer-biabduction-filter
- --infer-inferbo-filter
apply false positive inferbo filter (enabled by default)
- --no-infer-inferbo-filter
disables --infer-inferbo-filter
- --infer-uninit-filter
apply false positive uninit filter (enabled by default)
- --no-infer-uninit-filter
disables --infer-uninit-filter
- --infer-dead-store-severity
lower dead store severity (enabled by default)
- --no-infer-dead-store-severity
disables --infer-dead-store-severity
- --infer-timeout INFER_TIMEOUT
maximal amount of time taken by Infer's analysis phase [s] (default 300)
- --pylint-scan-build
make pylint scan files in the build directory (disabled by default)
- --no-pylint-scan-build
disables --pylint-scan-build
- --pylint-scan-install
make pylint scan files in the install directory (enabled by default)
- --no-pylint-scan-install
disables --pylint-scan-install
- --pylint-evt-filter PYLINT_EVT_FILTER
filter out Pylint defects whose key event matches the given regex (defaults to '^W[0-9]+', use '.*' to get all defects detected by Pylint)
- --semgrep-metrics SEMGREP_METRICS
configure whether usage metrics are sent to the Semgrep server (defaults to off)
- --semgrep-rules-repo SEMGREP_RULES_REPO
semgrep rules repo, assuming rules are located under the 'rules' sub-directory
- --semgrep-verbose
show more details about what rules are running, which files failed to parse, etc.
- --semgrep-scan-opts SEMGREP_SCAN_OPTS
space-separated list of additional options passed to the 'semgrep scan' command
- --shellcheck-scan-build
make shellcheck scan files in the build directory (disabled by default)
- --no-shellcheck-scan-build
disables --shellcheck-scan-build
- --shellcheck-scan-install
make shellcheck scan files in the install directory (enabled by default)
- --no-shellcheck-scan-install
disables --shellcheck-scan-install
- --shellcheck-batch SHELLCHECK_BATCH
maximum number of scripts scanned by a single shellcheck process (defaults to 1)
- --shellcheck-timeout SHELLCHECK_TIMEOUT
maximum amount of wall-clock time taken by a single shellcheck process [s] (defaults to 30)
- --snyk-bin-url SNYK_BIN_URL
URL to download snyk binary executable
- --snyk-auth SNYK_AUTH
file containing snyk authentication token
- --snyk-cache-dir SNYK_CACHE_DIR
directory where downloaded snyk tarballs are cached across runs
- --snyk-refresh
force download of snyk binary executable
- --snyk-timeout SNYK_TIMEOUT
maximum amount of time taken by invocation of Snyk [s]
- --snyk-code-test-opts SNYK_CODE_TEST_OPTS
space-separated list of additional options passed to the 'snyk code test' command
- --unicontrol-bidi-only
look for bidirectional control characters only
- --unicontrol-notests
exclude tests (basically test.* as a component of path)
- -w, --gcc-warning-level GCC_WARNING_LEVEL
Adjust GCC warning level. -w0 means default flags, -w1 appends -Wall and -Wextra, and -w2 enables some other useful warnings. (automatically enables the GCC plugin)
- --gcc-analyze
run `gcc -fanalyzer` in a separate process
- --gcc-analyzer-bin GCC_ANALYZER_BIN
Use custom build of gcc to perform scan. Absolute path to the binary must be provided.
- --gcc-analyze-add-flag GCC_ANALYZE_ADD_FLAG
append the given flag when invoking `gcc -fanalyzer` (can be used multiple times)
- --gcc-set-env
set $CC and $CXX to gcc and g++, respectively, for build
- --gcc-sanitize-address
enable %check and compile with -fsanitize=address
- --gcc-sanitize-leak
enable %check and compile with -fsanitize=leak
- --gcc-sanitize-thread
enable %check and compile with -fsanitize=thread
- --gcc-sanitize-undefined
enable %check and compile with -fsanitize=undefined
- --gcc-add-flag GCC_ADD_FLAG
append the given compiler flag when invoking gcc (can be used multiple times)
- --gcc-add-c-only-flag GCC_ADD_C_ONLY_FLAG
append the given compiler flag when invoking gcc for C (can be used multiple times)
- --gcc-add-cxx-only-flag GCC_ADD_CXX_ONLY_FLAG
append the given compiler flag when invoking gcc for C++ (can be used multiple times)
- --gcc-del-flag GCC_DEL_FLAG
drop the given compiler flag when invoking gcc (can be used multiple times)
Output Format
If not overridden by the --output option, csmock creates an archive NVR.tar.xz in the current directory for an SRPM named NVR.src.rpm (or NVR.tar.* if the --shell-cmd option is used). The archive contains a directory named NVR as the only top-level directory, containing the following items:
scan-results.err - scan results encoded as plain-text (for source code editors)
scan-results.html - scan results encoded as HTML (suitable for web browsers)
scan-results.js - scan results, including scan metadata, encoded using JSON
scan-results-summary.txt - total count of defects found by particular checkers
scan.ini - scan metadata encoded in the INI format
scan.log - scan log file (useful for debugging scan failures)
debug - a directory containing additional data (intended for csmock debugging)
Note that external plug-ins of csmock may create additional files (not covered by this man page) in the directory with results.