[-h | --help]
[-v | --verbose]
[-q | --quiet]
[-i | --ignore-unknown]
[-r | --report-unknown]
[-f | --follow-links]
[-I | --ignore-links]
[-p text | --prefix=text]
[-t dir | --tmpdir=dir]
[-u | --use-debuginfod]
[-n | --no-use-debuginfod]
The annocheck program can analyse binary files and report information about them. It is designed to be modular, with a set of self-contained tools providing the checking functionality. Currently the following tools are implemented:
The annocheck program is able to scan inside rpm files and libraries. It will automatically recurse into any directories that are specified on the command line. In addition annocheck knows how to find debug information held in separate debug files, and it will search for these whenever it needs the resources that they contain.
New tools can be added to the annocheck framework by creating a new source file and including it in the Makefile used to build annocheck. The modular nature of annocheck means that nothing else needs to be updated.
New tools must fill out a
struct checker structure (defined in annocheck.h) and they must define a constructor function that calls
annocheck_add_checker to register their presence at program start-up.
The annocheck program supports some generic command line options that are used regardless of which tools are enabled.
Look in file for separate dwarf debug information.
Look in dir for separate dwarf debug information files.
Displays the generic annobin usage information and then exits.
Display the usage information for tool and then exits.
If enabled, unknown file types are reported when they are encountered. This includes non-ELF format files, block devices and so on. Directories are not considered to be unknown and are automatically descended.
The default setting depends upon the file being processed. For rpm files the default is to ignore unknowns, since these often contain non-executable files. For other file types, including directories, the default is to report unknown files.
Specifies whether symbolic links should be followed or ignored.
The default setting depends upon the file being processed. For rpm files the default is to ignore symbolic links, since these often unresolveable. For other file types, including directories, the default is to follow the links.
- -p text
Include text in the output description.
Do not print anything, just return an exit status.
- -t dir
Use dir as a directory for holding temporary files.
Produce informational messages whilst working. Repeat for more information.
Report the version of the tool and then exit.
Enable the use of the debuginfod service to download debuginfo rpms. This feature is enabled by default, but it is only active if support for the debuginfod server has been compiled in to annocheck.
Do not use the debuginfod service, even if it is available.
Enable tool. Most tools are disabled by default and so need to be enabled via this option before they will act.
Disable tool. Normally used to disable the hardening checker, which is enabled by default.
Pass option on to tool.
Any other command line options will be passed to the tools in turn in order to give them a chance to claim and process them.
The built-by tool is disabled by default, but it can be enabled by the command line option --enable-builtby. The tool checks the specified files to see if any information is stored about how the file was built.
Since the hardening checker is enabled by default it may also be useful to add the --disable-hardened option to the command line.
The tool supports a few command line options to customise its behaviour:
Report all builder identification strings. The tool has several different heuristics for determining the builder. By default it will report the information return by the first successful heuristic. If the --all option is enabled then all successful results will be returned.
This option can be used to restrict the output to only those files which were built by a specific tool. This can be useful when scanning a directory full of files searching for those built by a particular compiler.
This option can be used to restrict the output to only those files which were not built by a specific tool. This can be useful when scanning a directory full of files searching for those that were not built by a particular compiler.
Copyright (c) 2018 - 2023 Red Hat.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.