csmock - Man Page

run static analysis of the given SRPM using mock

Description

usage: csmock [-h] [-r MOCK_PROFILE] [-t TOOLS] [-a] [-l] [--install INSTALL]
              [-o OUTPUT] [-f] [-j JOBS] [--rpm-build-opts RPM_BUILD_OPTS] [--cswrap-timeout CSWRAP_TIMEOUT] [-U EMBED_CONTEXT] [-k] [--skip-init] [--skip-build] [--no-clean] [--no-scan] [--run-check] [--no-run-check] [--print-defects] [--no-print-defects] [--base-srpm BASE_SRPM] [--base-root BASE_MOCK_PROFILE] [--skip-patches | --diff-patches | -c SHELL_CMD] [--known-false-positives KNOWN_FALSE_POSITIVES] [--use-login-shell] [--no-use-login-shell] [--version] [--bandit-scan-build] [--no-bandit-scan-build] [--bandit-scan-install] [--no-bandit-scan-install] [--bandit-evt-filter BANDIT_EVT_FILTER] [--bandit-severity-filter {LOW,MEDIUM,HIGH}] [--cbmc-add-flag CBMC_ADD_FLAG] [--cbmc-timeout CBMC_TIMEOUT] [--clang-add-flag CLANG_ADD_FLAG] [--use-host-cppcheck] [--cppcheck-add-flag CPPCHECK_ADD_FLAG] [--divine-add-flag DIVINE_ADD_FLAG] [--divine-timeout DIVINE_TIMEOUT] [--strace-add-flag STRACE_ADD_FLAG] [--symbiotic-add-flag SYMBIOTIC_ADD_FLAG] [--symbiotic-timeout SYMBIOTIC_TIMEOUT] [--valgrind-add-flag VALGRIND_ADD_FLAG] [--valgrind-timeout VALGRIND_TIMEOUT] [--gitleaks-bin-url GITLEAKS_BIN_URL] [--gitleaks-config GITLEAKS_CONFIG] [--pylint-scan-build] [--no-pylint-scan-build] [--pylint-scan-install] [--no-pylint-scan-install] [--pylint-evt-filter PYLINT_EVT_FILTER] [--shellcheck-scan-build] [--no-shellcheck-scan-build] [--shellcheck-scan-install] [--no-shellcheck-scan-install] [--unicontrol-bidi-only] [--unicontrol-notests] [-w GCC_WARNING_LEVEL] [--gcc-analyze] [--gcc-analyzer-bin GCC_ANALYZER_BIN] [--gcc-analyze-add-flag GCC_ANALYZE_ADD_FLAG] [--gcc-set-env] [--gcc-sanitize-address | --gcc-sanitize-leak | --gcc-sanitize-thread] [--gcc-sanitize-undefined] [--gcc-add-flag GCC_ADD_FLAG] [--gcc-add-c-only-flag GCC_ADD_C_ONLY_FLAG] [--gcc-add-cxx-only-flag GCC_ADD_CXX_ONLY_FLAG] [--gcc-del-flag GCC_DEL_FLAG] [SRPM]

positional arguments

SRPM

source RPM package to be scanned by static analyzers

options

-h,  --help

show this help message and exit

-r MOCK_PROFILE, --root MOCK_PROFILE

mock profile to use (defaults to mock's default)

-t TOOLS, --tools TOOLS

comma-separated list of tools to enable (use --list-available-tools to see the list of available tools)

-a,  --all-tools

enable all stable csmock plug-ins (use --list-available-tools to see the list of available tools)

-l,  --list-available-tools

list available tools and exit

--install INSTALL

space-separated list of packages to install into the chroot

-o OUTPUT, --output OUTPUT

name of the tarball or directory to put the results to

-f,  --force

overwrite the resulting file or directory if it exists already

-j JOBS, --jobs JOBS

maximal number of jobs running in parallel (passed to 'make')

--rpm-build-opts RPM_BUILD_OPTS

shell-quoted options passed to rpm-build

--cswrap-timeout CSWRAP_TIMEOUT

maximal amount of time taken by analysis of a single module [s]

-U EMBED_CONTEXT, --embed-context EMBED_CONTEXT

embed a number of lines of context from the source file for the key event (defaults to 3).

-k,  --keep-going

continue as much as possible after an error

--skip-init

do not run 'mock --init' before the scan (may lead to unpredictable scan results)

--skip-build

do not run %build and %install sections [EXPERIMENTAL]

--no-clean

do not clean chroot when it becomes unused

--no-scan

do not analyze any package, just check versions of the analyzers

--run-check

run the %check section of specfile (disabled by default)

--no-run-check

disables --run-check

--print-defects

print the resulting list of defects (default if connected to a tty)

--no-print-defects

disables --print-defects

--base-srpm BASE_SRPM

perform a differential scan against the specified base package

--base-root BASE_MOCK_PROFILE

mock profile to use for the base scan (use only with --base-srpm)

--skip-patches

skip patches not annotated by %{?_rawbuild} (vanilla build)

--diff-patches

scan with/without patches and diff the lists of defects

-c SHELL_CMD, --shell-cmd SHELL_CMD

use shell command to build the given tarball (instead of SRPM)

--known-false-positives KNOWN_FALSE_POSITIVES

suppress known false positives loaded from the given file (defaults to "/usr/share/csmock/known-false-positives.js" if available)

--use-login-shell

use login shell for build (default)

--no-use-login-shell

disables --use-login-shell

--version

print the version of csmock and exit

--bandit-scan-build

make bandit scan files in the build directory (disabled by default)

--no-bandit-scan-build

disables --bandit-scan-build

--bandit-scan-install

make bandit scan files in the install directory (enabled by default)

--no-bandit-scan-install

disables --bandit-scan-install

--bandit-evt-filter BANDIT_EVT_FILTER

report only Bandit defects whose key event matches the given regex (defaults to '^B[0-9]+')

--bandit-severity-filter {LOW,MEDIUM,HIGH}

suppress Bandit defects whose severity level is below given level (default 'LOW')

--cbmc-add-flag CBMC_ADD_FLAG

append the given flag when invoking cbmc (can be used multiple times)

--cbmc-timeout CBMC_TIMEOUT

maximal amount of time taken by analysis of a single process [s]

--clang-add-flag CLANG_ADD_FLAG

append the given flag when invoking clang static analyzer (can be used multiple times)

--use-host-cppcheck

use host's Cppcheck instead of the one in chroot (automatically enables the Cppcheck plug-in)

--cppcheck-add-flag CPPCHECK_ADD_FLAG

append the given flag when invoking cppcheck (can be used multiple times)

--divine-add-flag DIVINE_ADD_FLAG

append the given flag when invoking divine (can be used multiple times)

--divine-timeout DIVINE_TIMEOUT

maximal amount of time taken by analysis of a single process [s]

--strace-add-flag STRACE_ADD_FLAG

append the given flag when invoking strace (can be used multiple times)

--symbiotic-add-flag SYMBIOTIC_ADD_FLAG

append the given flag when invoking symbiotic (can be used multiple times)

--symbiotic-timeout SYMBIOTIC_TIMEOUT

maximal amount of time taken by analysis of a single process [s]

--valgrind-add-flag VALGRIND_ADD_FLAG

append the given flag when invoking valgrind (can be used multiple times)

--valgrind-timeout VALGRIND_TIMEOUT

maximal amount of time taken by analysis of a single process [s]

--gitleaks-bin-url GITLEAKS_BIN_URL

URL to download gitleaks binary executable from

--gitleaks-config GITLEAKS_CONFIG

local configuration file to be used for gitleaks

--pylint-scan-build

make pylint scan files in the build directory (disabled by default)

--no-pylint-scan-build

disables --pylint-scan-build

--pylint-scan-install

make pylint scan files in the install directory (enabled by default)

--no-pylint-scan-install

disables --pylint-scan-install

--pylint-evt-filter PYLINT_EVT_FILTER

filter out Pylint defects whose key event matches the given regex (defaults to '^W[0-9]+', use '.*' to get all defects detected by Pylint)

--shellcheck-scan-build

make shellcheck scan files in the build directory (disabled by default)

--no-shellcheck-scan-build

disables --shellcheck-scan-build

--shellcheck-scan-install

make shellcheck scan files in the install directory (enabled by default)

--no-shellcheck-scan-install

disables --shellcheck-scan-install

--unicontrol-bidi-only

look for bidirectional control characters only

--unicontrol-notests

exclude tests (basically, any path that contains a test.* component)

-w GCC_WARNING_LEVEL, --gcc-warning-level GCC_WARNING_LEVEL

Adjust GCC warning level. -w0 means default flags, -w1 appends -Wall and -Wextra, and -w2 enables some other useful warnings. (automatically enables the GCC plugin)

--gcc-analyze

run `gcc -fanalyzer` in a separate process

--gcc-analyzer-bin GCC_ANALYZER_BIN

Use custom build of gcc to perform scan. Absolute path to the binary must be provided.

--gcc-analyze-add-flag GCC_ANALYZE_ADD_FLAG

append the given flag when invoking `gcc -fanalyzer` (can be used multiple times)

--gcc-set-env

set $CC and $CXX to gcc and g++, respectively, for build

--gcc-sanitize-address

enable %check and compile with -fsanitize=address

--gcc-sanitize-leak

enable %check and compile with -fsanitize=leak

--gcc-sanitize-thread

enable %check and compile with -fsanitize=thread

--gcc-sanitize-undefined

enable %check and compile with -fsanitize=undefined

--gcc-add-flag GCC_ADD_FLAG

append the given compiler flag when invoking gcc (can be used multiple times)

--gcc-add-c-only-flag GCC_ADD_C_ONLY_FLAG

append the given compiler flag when invoking gcc for C (can be used multiple times)

--gcc-add-cxx-only-flag GCC_ADD_CXX_ONLY_FLAG

append the given compiler flag when invoking gcc for C++ (can be used multiple times)

--gcc-del-flag GCC_DEL_FLAG

drop the given compiler flag when invoking gcc (can be used multiple times)

Output Format

If not overridden by the --output option, csmock creates an archive NVR.tar.xz in the current directory for an SRPM named NVR.src.rpm (or NVR.tar.* if the --shell-cmd option is used).  The archive contains a directory named NVR as the only top-level directory, containing the following items:

scan-results.err - scan results encoded as plain-text (for source code editors)

scan-results.html - scan results encoded as HTML (suitable for web browsers)

scan-results.js - scan results, including scan metadata, encoded using JSON

scan-results-summary.txt - total count of defects found by particular checkers

scan.ini - scan metadata encoded in the INI format

scan.log - scan log file (useful for debugging scan failures)

debug - a directory containing additional data (intended for csmock debugging)

Note that external plug-ins of csmock may create additional files (not covered by this man page) in the directory with results.
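The following is an added example, not part of csmock or this man page: a small Python checker that verifies a results archive follows the layout described above (a single top-level directory named NVR, containing the listed files and the debug directory) and derives NVR from the SRPM file name the same way the naming rule above does. It assumes the archive is readable by Python's tarfile module (xz for the sample it builds); the sample archive it constructs holds placeholder contents only and is not real csmock output.

```python
"""Added example, not part of csmock or its man page: check that a csmock
results archive has the layout described under "Output Format".

Assumptions (mine, not stated by the man page): the archive is read with
Python's tarfile module; the sample archive built by build_sample_archive()
is constructed here with placeholder contents and is not real csmock output.
"""
import io
import os
import tarfile
import tempfile

# (name, is_directory) for every item the man page lists under NVR/.
EXPECTED_ITEMS = (
    ("scan-results.err", False),
    ("scan-results.html", False),
    ("scan-results.js", False),
    ("scan-results-summary.txt", False),
    ("scan.ini", False),
    ("scan.log", False),
    ("debug", True),
)


def nvr_from_srpm(srpm_path):
    """Derive NVR from an SRPM file name: foo-1.2-3.fc36.src.rpm -> foo-1.2-3.fc36."""
    base = os.path.basename(srpm_path)
    suffix = ".src.rpm"
    if not base.endswith(suffix):
        raise ValueError("not an SRPM file name: %s" % srpm_path)
    return base[: -len(suffix)]


def check_results_archive(archive_path, nvr):
    """Return a report dict describing how the archive deviates from the documented layout."""
    # "r:*" lets tarfile pick the compression, matching the NVR.tar.* wording.
    with tarfile.open(archive_path, "r:*") as tar:
        members = {m.name.rstrip("/"): m for m in tar.getmembers()}
    top_levels = {name.split("/", 1)[0] for name in members}
    missing = []
    for item, is_dir in EXPECTED_ITEMS:
        member = members.get("%s/%s" % (nvr, item))
        if member is None or member.isdir() != is_dir:
            missing.append(item)
    return {
        "single_top_level": top_levels == {nvr},
        "missing": missing,
        "extra_top_level": sorted(top_levels - {nvr}),
    }


def build_sample_archive(directory, nvr, omit=(), stray_top_level=()):
    """Construct a placeholder NVR.tar.xz (demo data only, not real csmock output)."""
    path = os.path.join(directory, nvr + ".tar.xz")
    with tarfile.open(path, "w:xz") as tar:
        for item, is_dir in EXPECTED_ITEMS:
            if item in omit:
                continue
            info = tarfile.TarInfo("%s/%s" % (nvr, item))
            if is_dir:
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                data = b"placeholder: constructed sample, not csmock output\n"
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
        for name in stray_top_level:  # entries that violate the single-top-level rule
            data = b"stray file outside NVR/\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return path


def demo():
    """Check one well-formed and one malformed constructed archive; return both reports."""
    nvr = nvr_from_srpm("hello-1.0-1.fc36.src.rpm")  # constructed SRPM name
    with tempfile.TemporaryDirectory() as tmp:
        good = check_results_archive(build_sample_archive(tmp, nvr), nvr)
        bad_dir = os.path.join(tmp, "bad")
        os.mkdir(bad_dir)
        bad = check_results_archive(
            build_sample_archive(bad_dir, nvr, omit=("scan-results.js",),
                                 stray_top_level=("README",)),
            nvr,
        )
    return good, bad


if __name__ == "__main__":
    for label, report in zip(("well-formed", "malformed"), demo()):
        print(label, report)
```

In a CI pipeline the same check_results_archive() call can gate on a real csmock archive before anything downstream parses scan-results.js, so a failed or interrupted scan (missing files, no single NVR directory) is caught as a layout error rather than as a confusing parse failure later.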

Referenced By

rebase-helper(1).

November 2021 csmock csmock-3.1.0-1.fc36