CSMOCK(1)                        User Commands                       CSMOCK(1)

NAME
       csmock - run static analysis of the given SRPM using mock

DESCRIPTION
       usage: csmock [-h] [-r MOCK_PROFILE] [-t TOOLS] [-a] [-l]
              [--install INSTALL] [-o OUTPUT] [-f] [-j JOBS]
              [--rpm-build-opts RPM_BUILD_OPTS] [--cswrap-timeout CSWRAP_TIMEOUT]
              [-U EMBED_CONTEXT] [--warning-rate-limit WARNING_RATE_LIMIT]
              [--limit-msg-len LIMIT_MSG_LEN] [-k] [--skip-init] [--skip-build]
              [--use-ldpwrap] [--no-clean] [--no-scan] [--run-check]
              [--no-run-check] [--print-defects] [--no-print-defects]
              [--base-srpm BASE_SRPM] [--base-root BASE_MOCK_PROFILE]
              [--root-override MOCK_ROOT_OVERRIDE]
              [--skip-patches | --diff-patches | -c SHELL_CMD]
              [--known-false-positives KNOWN_FALSE_POSITIVES]
              [--use-login-shell] [--no-use-login-shell] [--version]
              [--bandit-scan-build] [--no-bandit-scan-build]
              [--bandit-scan-install] [--no-bandit-scan-install]
              [--bandit-evt-filter BANDIT_EVT_FILTER]
              [--bandit-severity-filter {LOW,MEDIUM,HIGH}]
              [--cbmc-add-flag CBMC_ADD_FLAG] [--cbmc-timeout CBMC_TIMEOUT]
              [--clang-add-flag CLANG_ADD_FLAG] [--use-host-cppcheck]
              [--cppcheck-add-flag CPPCHECK_ADD_FLAG]
              [--divine-add-flag DIVINE_ADD_FLAG] [--divine-timeout DIVINE_TIMEOUT]
              [--valgrind-add-flag VALGRIND_ADD_FLAG]
              [--valgrind-timeout VALGRIND_TIMEOUT]
              [--symbiotic-add-flag SYMBIOTIC_ADD_FLAG]
              [--symbiotic-timeout SYMBIOTIC_TIMEOUT]
              [--strace-add-flag STRACE_ADD_FLAG]
              [--gitleaks-bin-url GITLEAKS_BIN_URL]
              [--gitleaks-cache-dir GITLEAKS_CACHE_DIR]
              [--gitleaks-config GITLEAKS_CONFIG]
              [--gitleaks-rate-limit GITLEAKS_RATE_LIMIT]
              [--gitleaks-limit-msg-len GITLEAKS_LIMIT_MSG_LEN]
              [--gitleaks-refresh]
              [--infer-analyze-add-flag INFER_ANALYZE_ADD_FLAG]
              [--infer-archive-path INFER_ARCHIVE_PATH]
              [--infer-filter] [--no-infer-filter]
              [--infer-biabduction-filter] [--no-infer-biabduction-filter]
              [--infer-inferbo-filter] [--no-infer-inferbo-filter]
              [--infer-uninit-filter] [--no-infer-uninit-filter]
              [--infer-dead-store-severity] [--no-infer-dead-store-severity]
              [--infer-timeout INFER_TIMEOUT]
              [--pylint-scan-build] [--no-pylint-scan-build]
              [--pylint-scan-install] [--no-pylint-scan-install]
              [--pylint-evt-filter PYLINT_EVT_FILTER]
              [--shellcheck-scan-build] [--no-shellcheck-scan-build]
              [--shellcheck-scan-install] [--no-shellcheck-scan-install]
              [--snyk-bin-url SNYK_BIN_URL] [--snyk-auth SNYK_AUTH]
              [--snyk-cache-dir SNYK_CACHE_DIR] [--snyk-refresh]
              [--snyk-timeout SNYK_TIMEOUT]
              [--unicontrol-bidi-only] [--unicontrol-notests]
              [-w GCC_WARNING_LEVEL] [--gcc-analyze]
              [--gcc-analyzer-bin GCC_ANALYZER_BIN]
              [--gcc-analyze-add-flag GCC_ANALYZE_ADD_FLAG] [--gcc-set-env]
              [--gcc-sanitize-address | --gcc-sanitize-leak |
               --gcc-sanitize-thread | --gcc-sanitize-undefined]
              [--gcc-add-flag GCC_ADD_FLAG]
              [--gcc-add-c-only-flag GCC_ADD_C_ONLY_FLAG]
              [--gcc-add-cxx-only-flag GCC_ADD_CXX_ONLY_FLAG]
              [--gcc-del-flag GCC_DEL_FLAG] [SRPM]

   positional arguments:
       SRPM   source RPM package to be scanned by static analyzers

   options:
       -h, --help
              show this help message and exit

       -r MOCK_PROFILE, --root MOCK_PROFILE
              mock profile to use (defaults to mock's default)

       -t TOOLS, --tools TOOLS
              comma-separated list of tools to enable (use
              --list-available-tools to see the list of available tools)

       -a, --all-tools
              enable all stable csmock plug-ins (use --list-available-tools
              to see the list of available tools)

       -l, --list-available-tools
              list available tools and exit

       --install INSTALL
              space-separated list of packages to install into the chroot

       -o OUTPUT, --output OUTPUT
              name of the tarball or directory to put the results in

       -f, --force
              overwrite the resulting file or directory if it already exists

       -j JOBS, --jobs JOBS
              maximal number of jobs running in parallel (passed to 'make')

       --rpm-build-opts RPM_BUILD_OPTS
              shell-quoted options passed to rpm-build

       --cswrap-timeout CSWRAP_TIMEOUT
              maximal amount of time taken by analysis of a single module [s]

       -U EMBED_CONTEXT, --embed-context EMBED_CONTEXT
              embed the given number of lines of context from the source file
              around the key event (defaults to 3)

       --warning-rate-limit WARNING_RATE_LIMIT
              stop processing a warning if the count of its occurrences
              exceeds the specified limit (defaults to 1024)

       --limit-msg-len LIMIT_MSG_LEN
              limit the length of diagnostic messages to the specified number
              of chars (defaults to 512)

       -k, --keep-going
              continue as much as possible after an error

       --skip-init
              do not run 'mock --init' before the scan (may lead to
              unpredictable scan results)

       --skip-build
              do not run the %build and %install sections [EXPERIMENTAL]

       --use-ldpwrap
              use ldpwrap instead of csexec-loader [EXPERIMENTAL]

       --no-clean
              do not clean the chroot when it becomes unused

       --no-scan
              do not analyze any package, just check the versions of the
              analyzers

       --run-check
              run the %check section of the specfile (disabled by default)

       --no-run-check
              disables --run-check

       --print-defects
              print the resulting list of defects (default if connected to a
              tty)

       --no-print-defects
              disables --print-defects

       --base-srpm BASE_SRPM
              perform a differential scan against the specified base package

       --base-root BASE_MOCK_PROFILE
              mock profile to use for the base scan (use only with
              --base-srpm)

       --root-override MOCK_ROOT_OVERRIDE
              override the build root directory for mock (disables the yum
              and root caches)

       --skip-patches
              skip patches not annotated by %{?_rawbuild} (vanilla build)

       --diff-patches
              scan with and without patches and diff the two lists of defects

       -c SHELL_CMD, --shell-cmd SHELL_CMD
              use the given shell command to build the given tarball (instead
              of an SRPM)

       --known-false-positives KNOWN_FALSE_POSITIVES
              suppress known false positives loaded from the given file
              (defaults to "/usr/share/csmock/known-falsepositives.js" if
              available)

       --use-login-shell
              use a login shell for the build (default)

       --no-use-login-shell
              disables --use-login-shell

       --version
              print the version of csmock and exit

       --bandit-scan-build
              make bandit scan files in the build directory (disabled by
              default)

       --no-bandit-scan-build
              disables --bandit-scan-build

       --bandit-scan-install
              make bandit scan files in the install directory (enabled by
              default)

       --no-bandit-scan-install
              disables --bandit-scan-install

       --bandit-evt-filter BANDIT_EVT_FILTER
              report only Bandit defects whose key event matches the given
              regex (defaults to '^B[0-9]+')

       --bandit-severity-filter {LOW,MEDIUM,HIGH}
              suppress Bandit defects whose severity level is below the given
              level (default 'LOW')

       --cbmc-add-flag CBMC_ADD_FLAG
              append the given flag when invoking cbmc (can be used multiple
              times)

       --cbmc-timeout CBMC_TIMEOUT
              maximal amount of time taken by analysis of a single process [s]

       --clang-add-flag CLANG_ADD_FLAG
              append the given flag when invoking the clang static analyzer
              (can be used multiple times)

       --use-host-cppcheck
              use the host's Cppcheck instead of the one in the chroot
              (automatically enables the Cppcheck plug-in)

       --cppcheck-add-flag CPPCHECK_ADD_FLAG
              append the given flag when invoking cppcheck (can be used
              multiple times)

       --divine-add-flag DIVINE_ADD_FLAG
              append the given flag when invoking divine (can be used multiple
              times)

       --divine-timeout DIVINE_TIMEOUT
              maximal amount of time taken by analysis of a single process [s]

       --valgrind-add-flag VALGRIND_ADD_FLAG
              append the given flag when invoking valgrind (can be used
              multiple times)

       --valgrind-timeout VALGRIND_TIMEOUT
              maximal amount of time taken by analysis of a single process [s]

       --symbiotic-add-flag SYMBIOTIC_ADD_FLAG
              append the given flag when invoking symbiotic (can be used
              multiple times)

       --symbiotic-timeout SYMBIOTIC_TIMEOUT
              maximal amount of time taken by analysis of a single process [s]

       --strace-add-flag STRACE_ADD_FLAG
              append the given flag when invoking strace (can be used multiple
              times)

       --gitleaks-bin-url GITLEAKS_BIN_URL
              URL to download the gitleaks binary executable (in a .tar.gz)
              from

       --gitleaks-cache-dir GITLEAKS_CACHE_DIR
              directory where downloaded Gitleaks tarballs are cached across
              runs

       --gitleaks-config GITLEAKS_CONFIG
              local configuration file to be used for gitleaks

       --gitleaks-rate-limit GITLEAKS_RATE_LIMIT
              drop warnings if their count exceeds the specified limit

       --gitleaks-limit-msg-len GITLEAKS_LIMIT_MSG_LEN
              trim a message if it exceeds the maximal message length

       --gitleaks-refresh
              force a fresh download of the gitleaks binary executable (in a
              .tar.gz) even if a cached copy exists

       --infer-analyze-add-flag INFER_ANALYZE_ADD_FLAG
              append the given flag (except '-o') when invoking 'infer
              analyze' (can be used multiple times; default flags
              '--bufferoverrun', '--pulse')

       --infer-archive-path INFER_ARCHIVE_PATH
              use the given archive to install Infer (default is
              /opt/infer-linux*.tar.xz)

       --infer-filter
              apply the false positive filter (enabled by default)

       --no-infer-filter
              disables --infer-filter

       --infer-biabduction-filter
              apply the false positive bi-abduction filter (enabled by
              default)

       --no-infer-biabduction-filter
              disables --infer-biabduction-filter

       --infer-inferbo-filter
              apply the false positive inferbo filter (enabled by default)

       --no-infer-inferbo-filter
              disables --infer-inferbo-filter

       --infer-uninit-filter
              apply the false positive uninit filter (enabled by default)

       --no-infer-uninit-filter
              disables --infer-uninit-filter

       --infer-dead-store-severity
              lower the severity of dead store defects (enabled by default)

       --no-infer-dead-store-severity
              disables --infer-dead-store-severity

       --infer-timeout INFER_TIMEOUT
              maximal amount of time taken by Infer's analysis phase [s]
              (default 300)

       --pylint-scan-build
              make pylint scan files in the build directory (disabled by
              default)

       --no-pylint-scan-build
              disables --pylint-scan-build

       --pylint-scan-install
              make pylint scan files in the install directory (enabled by
              default)

       --no-pylint-scan-install
              disables --pylint-scan-install

       --pylint-evt-filter PYLINT_EVT_FILTER
              filter out Pylint defects whose key event matches the given
              regex (defaults to '^W[0-9]+', use '.*' to get all defects
              detected by Pylint)

       --shellcheck-scan-build
              make shellcheck scan files in the build directory (disabled by
              default)

       --no-shellcheck-scan-build
              disables --shellcheck-scan-build

       --shellcheck-scan-install
              make shellcheck scan files in the install directory (enabled by
              default)

       --no-shellcheck-scan-install
              disables --shellcheck-scan-install

       --snyk-bin-url SNYK_BIN_URL
              URL to download the snyk binary executable from

       --snyk-auth SNYK_AUTH
              file containing the snyk authentication token

       --snyk-cache-dir SNYK_CACHE_DIR
              directory where downloaded snyk tarballs are cached across runs

       --snyk-refresh
              force a fresh download of the snyk binary executable

       --snyk-timeout SNYK_TIMEOUT
              maximal amount of time taken by an invocation of Snyk [s]

       --unicontrol-bidi-only
              look for bidirectional control characters only

       --unicontrol-notests
              exclude tests (basically test.* as a component of the path)

       -w GCC_WARNING_LEVEL, --gcc-warning-level GCC_WARNING_LEVEL
              adjust the GCC warning level: -w0 means default flags, -w1
              appends -Wall and -Wextra, and -w2 enables some other useful
              warnings (automatically enables the GCC plug-in)

       --gcc-analyze
              run `gcc -fanalyzer` in a separate process

       --gcc-analyzer-bin GCC_ANALYZER_BIN
              use a custom build of gcc to perform the scan; the absolute path
              to the binary must be provided

       --gcc-analyze-add-flag GCC_ANALYZE_ADD_FLAG
              append the given flag when invoking `gcc -fanalyzer` (can be
              used multiple times)

       --gcc-set-env
              set $CC and $CXX to gcc and g++, respectively, for the build

       --gcc-sanitize-address
              enable %check and compile with -fsanitize=address

       --gcc-sanitize-leak
              enable %check and compile with -fsanitize=leak

       --gcc-sanitize-thread
              enable %check and compile with -fsanitize=thread

       --gcc-sanitize-undefined
              enable %check and compile with -fsanitize=undefined

       --gcc-add-flag GCC_ADD_FLAG
              append the given compiler flag when invoking gcc (can be used
              multiple times)

       --gcc-add-c-only-flag GCC_ADD_C_ONLY_FLAG
              append the given compiler flag when invoking gcc for C (can be
              used multiple times)

       --gcc-add-cxx-only-flag GCC_ADD_CXX_ONLY_FLAG
              append the given compiler flag when invoking gcc for C++ (can be
              used multiple times)

       --gcc-del-flag GCC_DEL_FLAG
              drop the given compiler flag when invoking gcc (can be used
              multiple times)

OUTPUT FORMAT
       If not overridden by the --output option, csmock creates an archive
       NVR.tar.xz in the current directory for an SRPM named NVR.src.rpm (or
       NVR.tar.* if the --shell-cmd option is used).  The archive contains a
       directory named NVR as the only top-level directory, containing the
       following items:

       scan-results.err - scan results encoded as plain text (for source code
       editors)

       scan-results.html - scan results encoded as HTML (suitable for web
       browsers)

       scan-results.js - scan results, including scan metadata, encoded using
       JSON

       scan-results-summary.txt - total count of defects found by particular
       checkers

       scan.ini - scan metadata encoded in the INI format

       scan.log - scan log file (useful for debugging scan failures)

       debug - a directory containing additional data (intended for csmock
       debugging)

       Note that external plug-ins of csmock may create additional files (not
       covered by this man page) in the directory with results.
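       The following script is an added example, not part of this man page
       or of the csmock project itself.  It shows how the scan-results.js
       file described above can be post-processed after a scan: it applies
       the same kind of key-event regex that --bandit-evt-filter and
       --pylint-evt-filter apply to a single analyzer's defects, counts the
       surviving defects per checker (the figure scan-results-summary.txt
       reports), and renders each defect's key event as a gcc-style
       file:line: location of the kind scan-results.err provides to editors.
       It assumes that scan-results.js follows the csdiff JSON layout (a
       "scan" metadata object plus a "defects" list whose entries carry
       "checker", "key_event_idx" and "events"); the embedded JSON is
       constructed sample data and the function names are the example's own.

```python
import json
import re
from collections import Counter

# Constructed sample standing in for scan-results.js.  Assumption: the file
# follows the csdiff JSON layout, i.e. a "scan" metadata object and a
# "defects" list where each defect has a "checker" name, a "key_event_idx"
# pointing into its "events" list, and every event carries "file_name",
# "line", an optional "column", "event", "message" and "verbosity_level".
SAMPLE_SCAN_RESULTS = json.dumps({
    "scan": {"tool": "csmock", "tool-version": "csmock-3.5.0-1.fc39"},
    "defects": [
        {"checker": "PYLINT_WARNING", "key_event_idx": 0, "events": [
            {"file_name": "pkg/util.py", "line": 12,
             "event": "W0611[unused-import]",
             "message": "Unused import os", "verbosity_level": 0}]},
        {"checker": "PYLINT_WARNING", "key_event_idx": 0, "events": [
            {"file_name": "pkg/util.py", "line": 30,
             "event": "C0301[line-too-long]",
             "message": "Line too long (131/100)", "verbosity_level": 0}]},
        {"checker": "BANDIT_WARNING", "key_event_idx": 0, "events": [
            {"file_name": "pkg/net.py", "line": 8, "event": "B310",
             "message": "Audit url open for permitted schemes.",
             "verbosity_level": 0}]},
        {"checker": "CPPCHECK_WARNING", "key_event_idx": 1, "events": [
            {"file_name": "src/foo.c", "line": 40, "event": "note",
             "message": "Assuming that condition 'p==NULL' is not redundant",
             "verbosity_level": 1},
            {"file_name": "src/foo.c", "line": 42, "column": 5,
             "event": "error[nullPointer]",
             "message": "Null pointer dereference: p", "verbosity_level": 0}]},
    ],
})


def load_defects(text):
    """Parse scan-results.js content and return its list of defects."""
    return json.loads(text)["defects"]


def key_event(defect):
    """Return the event that csmock marks as the defect's key event."""
    return defect["events"][defect["key_event_idx"]]


def filter_by_key_event(defects, checker, regex):
    """Keep defects of `checker` only if their key event matches `regex`;
    defects reported by other checkers pass through untouched.  This mirrors
    the effect of --pylint-evt-filter '^W[0-9]+' or --bandit-evt-filter
    '^B[0-9]+', and '.*' keeps everything.
    """
    pattern = re.compile(regex)
    return [d for d in defects
            if d["checker"] != checker or pattern.search(key_event(d)["event"])]


def summarize(defects):
    """Count defects per checker, the total scan-results-summary.txt reports."""
    return Counter(d["checker"] for d in defects)


def format_err(defect):
    """Render the key event as file:line[:column]: event: message, the
    gcc-style one-liner that source code editors can jump to."""
    ev = key_event(defect)
    loc = f"{ev['file_name']}:{ev['line']}"
    if "column" in ev:
        loc += f":{ev['column']}"
    return f"{loc}: {ev['event']}: {ev['message']}"


if __name__ == "__main__":
    # To process a real scan, read NVR/scan-results.js from the unpacked
    # archive in place of SAMPLE_SCAN_RESULTS.
    defects = load_defects(SAMPLE_SCAN_RESULTS)
    kept = filter_by_key_event(defects, "PYLINT_WARNING", r"^W[0-9]+")
    for d in kept:
        print(format_err(d))
    for checker, count in sorted(summarize(kept).items()):
        print(f"{checker}: {count}")
```

       With the constructed sample, the Pylint convention message
       C0301[line-too-long] is dropped by the '^W[0-9]+' key-event regex
       while the W0611 warning, the Bandit finding and the Cppcheck error
       are kept, so the per-checker totals come out as one defect each.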


csmock csmock-3.5.0-1.fc39       October 2023                        CSMOCK(1)