CSMOCK(1)                        User Commands                       CSMOCK(1)

csmock - run static analysis of the given SRPM using mock

usage: csmock [-h] [-r MOCK_PROFILE] [-t TOOLS] [-a] [-l] [--install INSTALL]
              [-o OUTPUT] [-f] [-j JOBS] [--rpm-build-opts RPM_BUILD_OPTS]
              [--cswrap-timeout CSWRAP_TIMEOUT] [-U EMBED_CONTEXT] [-k]
              [--skip-init] [--no-clean] [--no-scan] [--run-check]
              [--no-run-check] [--print-defects] [--no-print-defects]
              [--base-srpm BASE_SRPM] [--base-root BASE_MOCK_PROFILE]
              [--skip-patches | --diff-patches | -c SHELL_CMD]
              [--defect-blacklist DEFECT_BLACKLIST] [--version]
              [-w GCC_WARNING_LEVEL]
              [--gcc-sanitize-address | --gcc-sanitize-leak |
              --gcc-sanitize-thread] [--gcc-sanitize-undefined]
              [--gcc-add-flag GCC_ADD_FLAG]
              [--gcc-add-c-only-flag GCC_ADD_C_ONLY_FLAG]
              [--gcc-add-cxx-only-flag GCC_ADD_CXX_ONLY_FLAG]
              [--gcc-del-flag GCC_DEL_FLAG] [--use-host-cppcheck]
              [--clang-add-flag CLANG_ADD_FLAG] [--bandit-scan-build]
              [--no-bandit-scan-build] [--bandit-scan-install]
              [--no-bandit-scan-install]
              [--bandit-evt-filter BANDIT_EVT_FILTER]
              [--bandit-severity-filter {LOW,MEDIUM,HIGH}]
              [--pylint-scan-build] [--no-pylint-scan-build]
              [--pylint-scan-install] [--no-pylint-scan-install]
              [--pylint-evt-filter PYLINT_EVT_FILTER]
              [--shellcheck-scan-build] [--no-shellcheck-scan-build]
              [--shellcheck-scan-install] [--no-shellcheck-scan-install]
              [SRPM]

positional arguments:
       SRPM   source RPM package to be scanned by static analyzers

optional arguments:
       -h, --help
              show this help message and exit

       -r MOCK_PROFILE, --root MOCK_PROFILE
              mock profile to use (defaults to mock's default)

       -t TOOLS, --tools TOOLS
              comma-separated list of tools to enable (use
              --list-available-tools to see the list of available tools)

       -a, --all-tools
              enable all available tools (use --list-available-tools to see
              the list of available tools)

       -l, --list-available-tools
              list available tools and exit

       --install INSTALL
              space-separated list of packages to install into the chroot

       -o OUTPUT, --output OUTPUT
              name of the tarball or directory to put the results to

       -f, --force
              overwrite the resulting file or directory if it exists already

       -j JOBS, --jobs JOBS
              maximal number of jobs running in parallel (passed to 'make')

       --rpm-build-opts RPM_BUILD_OPTS
              shell-quoted options passed to rpm-build

       --cswrap-timeout CSWRAP_TIMEOUT
              maximal amount of time taken by analysis of a single module [s]

       -U EMBED_CONTEXT, --embed-context EMBED_CONTEXT
              embed a number of lines of context from the source file for the
              key event (defaults to 3).

       -k, --keep-going
              continue as much as possible after an error

       --skip-init
              do not run 'mock --init' before the scan (may lead to
              unpredictable scan results)

       --no-clean
              do not clean chroot when it becomes unused

       --no-scan
              do not analyze any package, just check versions of the analyzers

       --run-check
              run the %check section of specfile (disabled by default)

       --no-run-check
              disables --run-check

       --print-defects
              print the resulting list of defects (default if connected to a
              tty)

       --no-print-defects
              disables --print-defects

       --base-srpm BASE_SRPM
              perform a differential scan against the specified base package

       --base-root BASE_MOCK_PROFILE
              mock profile to use for the base scan (use only with
              --base-srpm)

       --skip-patches
              skip patches not annotated by %{?_rawbuild} (vanilla build)

       --diff-patches
              scan with/without patches and diff the lists of defects

       -c SHELL_CMD, --shell-cmd SHELL_CMD
              use shell command to build the given tarball (instead of SRPM)

       --defect-blacklist DEFECT_BLACKLIST
              suppress known false positives loaded from the given file
              (defaults to "/usr/share/csmock/defectblacklist.err" if
              available)

       --version
              print the version of csmock and exit

       -w GCC_WARNING_LEVEL, --gcc-warning-level GCC_WARNING_LEVEL
              Adjust GCC warning level. -w0 means default flags, -w1 appends
              -Wall and -Wextra, and -w2 enables some other useful warnings.
              (automatically enables the GCC plugin)

       --gcc-sanitize-address
              enable %check and compile with -fsanitize=address

       --gcc-sanitize-leak
              enable %check and compile with -fsanitize=leak

       --gcc-sanitize-thread
              enable %check and compile with -fsanitize=thread

       --gcc-sanitize-undefined
              enable %check and compile with -fsanitize=undefined

       --gcc-add-flag GCC_ADD_FLAG
              append the given compiler flag when invoking gcc (can be used
              multiple times)

       --gcc-add-c-only-flag GCC_ADD_C_ONLY_FLAG
              append the given compiler flag when invoking gcc for C (can be
              used multiple times)

       --gcc-add-cxx-only-flag GCC_ADD_CXX_ONLY_FLAG
              append the given compiler flag when invoking gcc for C++ (can be
              used multiple times)

       --gcc-del-flag GCC_DEL_FLAG
              drop the given compiler flag when invoking gcc (can be used
              multiple times)

       --use-host-cppcheck
              use host's Cppcheck instead of the one in chroot (automatically
              enables the Cppcheck plug-in)

       --clang-add-flag CLANG_ADD_FLAG
              append the given flag when invoking clang static analyzer (can
              be used multiple times)

       --bandit-scan-build
              make bandit scan files in the build directory (disabled by
              default)

       --no-bandit-scan-build
              disables --bandit-scan-build

       --bandit-scan-install
              make bandit scan files in the install directory (enabled by
              default)

       --no-bandit-scan-install
              disables --bandit-scan-install

       --bandit-evt-filter BANDIT_EVT_FILTER
              report only Bandit defects whose key event matches the given
              regex (defaults to '^B[0-9]+')

       --bandit-severity-filter {LOW,MEDIUM,HIGH}
              suppress Bandit defects whose severity level is below given
              level (default 'LOW')

       --pylint-scan-build
              make pylint scan files in the build directory (disabled by
              default)

       --no-pylint-scan-build
              disables --pylint-scan-build

       --pylint-scan-install
              make pylint scan files in the install directory (enabled by
              default)

       --no-pylint-scan-install
              disables --pylint-scan-install

       --pylint-evt-filter PYLINT_EVT_FILTER
              filter out Pylint defects whose key event matches the given
              regex (defaults to '^W[0-9]+', use '.*' to get all defects
              detected by Pylint)

       --shellcheck-scan-build
              make shellcheck scan files in the build directory (disabled by
              default)

       --no-shellcheck-scan-build
              disables --shellcheck-scan-build

       --shellcheck-scan-install
              make shellcheck scan files in the install directory (enabled by
              default)

       --no-shellcheck-scan-install
              disables --shellcheck-scan-install

If not overridden by the --output option, csmock creates an archive
NVR.tar.xz in the current directory for an SRPM named NVR.src.rpm (or
NVR.tar.* if the --shell-cmd option is used). The archive contains a
directory named NVR as the only top-level directory, containing the
following items:

scan-results.err - scan results encoded as plain-text (for source code
editors)

scan-results.html - scan results encoded as HTML (suitable for web
browsers)

scan-results.js - scan results, including scan metadata, encoded using
JSON

scan-results-summary.txt - total count of defects found by particular
checkers

scan.ini - scan metadata encoded in the INI format

scan.log - scan log file (useful for debugging scan failures)

debug - a directory containing additional data (intended for csmock
debugging)

Note that external plug-ins of csmock may create additional files (not
covered by this man page) in the directory with results.
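
An added example (not part of csmock or of this man page): a Python check that a results archive has the layout described above, a single top-level NVR directory holding the listed items, before anything is extracted from it. The function names, the report keys and the sample archive produced by build_sample are constructed for illustration.

```python
import io
import tarfile
from pathlib import PurePosixPath

# Items this man page lists inside the NVR directory.
EXPECTED = {"scan-results.err", "scan-results.html", "scan-results.js",
            "scan-results-summary.txt", "scan.ini", "scan.log", "debug"}


def check_results_archive(data: bytes, nvr: str) -> dict:
    """Inspect a csmock results tarball in memory, without extracting it."""
    report = {"unsafe": [], "outside_nvr": [], "missing": [], "extra": []}
    seen = set()
    # "r:*" auto-detects compression: NVR.tar.xz, or NVR.tar.* with --shell-cmd.
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            parts = PurePosixPath(member.name).parts
            # Absolute or parent-relative names would land outside the
            # extraction directory; links and devices are treated as
            # unexpected too (a conservative choice of this example).
            if (member.name.startswith("/") or ".." in parts
                    or not (member.isfile() or member.isdir())):
                report["unsafe"].append(member.name)
            elif not parts or parts[0] != nvr:
                report["outside_nvr"].append(member.name)
            elif len(parts) > 1:
                seen.add(parts[1])
    report["missing"] = sorted(EXPECTED - seen)
    # Not an error by itself: external plug-ins may add files.
    report["extra"] = sorted(seen - EXPECTED)
    return report


def build_sample(names) -> bytes:
    """Build a constructed sample archive standing in for real csmock output."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tar:
        for name in names:
            payload = b"constructed sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    nvr = "example-1.0-1"  # constructed NVR, not a real package
    good = build_sample([f"{nvr}/{n}" for n in sorted(EXPECTED - {"debug"})]
                        + [f"{nvr}/debug/raw.log"])
    print(check_results_archive(good, nvr))
```

Entries reported under "extra" are worth reviewing rather than rejecting outright, since external plug-ins may legitimately add files to the results directory.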

csmock csmock-2.4.0-1.fc32         February 2020                     CSMOCK(1)