1CSMOCK(1) User Commands CSMOCK(1)
2
3
4
6 csmock - run static analysis of the given SRPM using mock
7
9 usage: csmock [-h] [-r MOCK_PROFILE] [-t TOOLS] [-a] [-l] [--install
10 INSTALL]
11
12 [-o OUTPUT] [-f] [-j JOBS] [--rpm-build-opts RPM_BUILD_OPTS]
13 [--cswrap-timeout CSWRAP_TIMEOUT] [-U EMBED_CONTEXT] [-k]
14 [--skip-init] [--no-clean] [--no-scan] [--run-check]
15 [--no-run-check] [--print-defects] [--no-print-defects]
16 [--base-srpm BASE_SRPM] [--base-root BASE_MOCK_PROFILE]
17 [--skip-patches | --diff-patches | -c SHELL_CMD]
18 [--known-false-positives KNOWN_FALSE_POSITIVES]
19 [--use-login-shell] [--no-use-login-shell] [--version] [--val‐
20 grind-add-flag VALGRIND_ADD_FLAG] [--valgrind-timeout VAL‐
21 GRIND_TIMEOUT] [--strace-add-flag STRACE_ADD_FLAG] [-w GCC_WARN‐
22 ING_LEVEL] [--gcc-analyze] [--gcc-analyze-add-flag GCC_ANA‐
23 LYZE_ADD_FLAG] [--gcc-set-env] [--gcc-sanitize-address |
24 --gcc-sanitize-leak | --gcc-sanitize-thread] [--gcc-sani‐
25 tize-undefined] [--gcc-add-flag GCC_ADD_FLAG]
26 [--gcc-add-c-only-flag GCC_ADD_C_ONLY_FLAG]
27 [--gcc-add-cxx-only-flag GCC_ADD_CXX_ONLY_FLAG] [--gcc-del-flag
28 GCC_DEL_FLAG] [--use-host-cppcheck] [--cppcheck-add-flag
29 CPPCHECK_ADD_FLAG] [--clang-add-flag CLANG_ADD_FLAG] [--ban‐
30 dit-scan-build] [--no-bandit-scan-build] [--bandit-scan-install]
31 [--no-bandit-scan-install] [--bandit-evt-filter BANDIT_EVT_FIL‐
32 TER] [--bandit-severity-filter {LOW,MEDIUM,HIGH}]
33 [--pylint-scan-build] [--no-pylint-scan-build]
34 [--pylint-scan-install] [--no-pylint-scan-install]
35 [--pylint-evt-filter PYLINT_EVT_FILTER]
36 [--shellcheck-scan-build] [--no-shellcheck-scan-build]
37 [--shellcheck-scan-install] [--no-shellcheck-scan-install]
38 [SRPM]
39
40 positional arguments:
41 SRPM source RPM package to be scanned by static analyzers
42
43 optional arguments:
44 -h, --help
45 show this help message and exit
46
47 -r MOCK_PROFILE, --root MOCK_PROFILE
48 mock profile to use (defaults to mock's default)
49
50 -t TOOLS, --tools TOOLS
51 comma-spearated list of tools to enable (use --listavail‐
52 able-tools to see the list of available tools)
53
54 -a, --all-tools
55 enable all available tools (use --list-available-tools to see
56 the list of available tools)
57
58 -l, --list-available-tools
59 list available tools and exit
60
61 --install INSTALL
62 space-separated list of packages to install into the chroot
63
64 -o OUTPUT, --output OUTPUT
65 name of the tarball or directory to put the results to
66
67 -f, --force
68 overwrite the resulting file or directory if it exists already
69
70 -j JOBS, --jobs JOBS
71 maximal number of jobs running in parallel (passed to 'make')
72
73 --rpm-build-opts RPM_BUILD_OPTS
74 shell-quoted options passed to rpm-build
75
76 --cswrap-timeout CSWRAP_TIMEOUT
77 maximal amount of time taken by analysis of a single module [s]
78
79 -U EMBED_CONTEXT, --embed-context EMBED_CONTEXT
80 embed a number of lines of context from the source file for the
81 key event (defaults to 3).
82
83 -k, --keep-going
84 continue as much as possible after an error
85
86 --skip-init
87 do not run 'mock --init' before the scan (may lead to unpre‐
88 dictable scan results)
89
90 --no-clean
91 do not clean chroot when it becomes unused
92
93 --no-scan
94 do not analyze any package, just check versions of the analyzers
95
96 --run-check
97 run the %check section of specfile (disabled by default)
98
99 --no-run-check
100 disables --run-check
101
102 --print-defects
103 print the resulting list of defects (default if connected to a
104 tty)
105
106 --no-print-defects
107 disables --print-defects
108
109 --base-srpm BASE_SRPM
110 perform a differential scan against the specified base pacakge
111
112 --base-root BASE_MOCK_PROFILE
113 mock profile to use for the base scan (use only with
114 --base-srpm)
115
116 --skip-patches
117 skip patches not annotated by %{?_rawbuild} (vanilla build)
118
119 --diff-patches
120 scan with/without patches and diff the lists of defects
121
122 -c SHELL_CMD, --shell-cmd SHELL_CMD
123 use shell command to build the given tarball (instead of SRPM)
124
125 --known-false-positives KNOWN_FALSE_POSITIVES
126 suppress known false positives loaded from the given file
127 (defaults to "/usr/share/csmock/known-falsepositives.js" if
128 available)
129
130 --use-login-shell
131 use login shell for build (default)
132
133 --no-use-login-shell
134 disables --use-login-shell
135
136 --version
137 print the version of csmock and exit
138
139 --valgrind-add-flag VALGRIND_ADD_FLAG
140 append the given flag when invoking valgrind (can be used multi‐
141 ple times)
142
143 --valgrind-timeout VALGRIND_TIMEOUT
144 maximal amount of time taken by analysis of a single process [s]
145
146 --strace-add-flag STRACE_ADD_FLAG
147 append the given flag when invoking strace (can be used multiple
148 times)
149
150 -w GCC_WARNING_LEVEL, --gcc-warning-level GCC_WARNING_LEVEL
151 Adjust GCC warning level. -w0 means default flags, -w1 appends
152 -Wall and -Wextra, and -w2 enables some other useful warnings.
153 (automatically enables the GCC plugin)
154
155 --gcc-analyze
156 run `gcc -fanalyzer` in a separate process
157
158 --gcc-analyze-add-flag GCC_ANALYZE_ADD_FLAG
159 append the given flag when invoking `gcc -fanalyzer` (can be
160 used multiple times)
161
162 --gcc-set-env
163 set $CC and $CXX to gcc and g++, respectively, for build
164
165 --gcc-sanitize-address
166 enable %check and compile with -fsanitize=address
167
168 --gcc-sanitize-leak
169 enable %check and compile with -fsanitize=leak
170
171 --gcc-sanitize-thread
172 enable %check and compile with -fsanitize=thread
173
174 --gcc-sanitize-undefined
175 enable %check and compile with -fsanitize=undefined
176
177 --gcc-add-flag GCC_ADD_FLAG
178 append the given compiler flag when invoking gcc (can be used
179 multiple times)
180
181 --gcc-add-c-only-flag GCC_ADD_C_ONLY_FLAG
182 append the given compiler flag when invoking gcc for C (can be
183 used multiple times)
184
185 --gcc-add-cxx-only-flag GCC_ADD_CXX_ONLY_FLAG
186 append the given compiler flag when invoking gcc for C++ (can be
187 used multiple times)
188
189 --gcc-del-flag GCC_DEL_FLAG
190 drop the given compiler flag when invoking gcc (can be used mul‐
191 tiple times)
192
193 --use-host-cppcheck
194 use host's Cppcheck instead of the one in chroot (automatically
195 enables the Cppcheck plug-in)
196
197 --cppcheck-add-flag CPPCHECK_ADD_FLAG
198 append the given flag when invoking cppcheck (can be used multi‐
199 ple times)
200
201 --clang-add-flag CLANG_ADD_FLAG
202 append the given flag when invoking clang static analyzer (can
203 be used multiple times)
204
205 --bandit-scan-build
206 make bandit scan files in the build directory (disabled by
207 default)
208
209 --no-bandit-scan-build
210 disables --bandit-scan-build
211
212 --bandit-scan-install
213 make bandit scan files in the install directory (enabled by
214 default)
215
216 --no-bandit-scan-install
217 disables --bandit-scan-install
218
219 --bandit-evt-filter BANDIT_EVT_FILTER
220 report only Bandit defects whose key event matches the given
221 regex (defaults to '^B[0-9]+')
222
223 --bandit-severity-filter {LOW,MEDIUM,HIGH}
224 suppress Bandit defects whose severity level is below given
225 level (default 'LOW')
226
227 --pylint-scan-build
228 make pylint scan files in the build directory (disabled by
229 default)
230
231 --no-pylint-scan-build
232 disables --pylint-scan-build
233
234 --pylint-scan-install
235 make pylint scan files in the install directory (enabled by
236 default)
237
238 --no-pylint-scan-install
239 disables --pylint-scan-install
240
241 --pylint-evt-filter PYLINT_EVT_FILTER
242 filter out Pylint defects whose key event matches the given
243 regex (defaults to '^W[0-9]+', use '.*' to get all defects
244 detected by Pylint)
245
246 --shellcheck-scan-build
247 make shellcheck scan files in the build directory (disabled by
248 default)
249
250 --no-shellcheck-scan-build
251 disables --shellcheck-scan-build
252
253 --shellcheck-scan-install
254 make shellcheck scan files in the install directory (enabled by
255 default)
256
257 --no-shellcheck-scan-install
258 disables --shellcheck-scan-install
259
261 If not overridden by the --output option, csmock creates an archive
262 NVR.tar.xz in the current directory for an SRPM named NVR.src.rpm (or
263 NVR.tar.* if the --shell-cmd option is used). The archive contains a
264 directory named NVR as the only top-level directory, containing the
265 following items:
266
267 scan-results.err - scan results encoded as plain-text (for source code
268 editors)
269
270 scan-results.html - scan results encoded as HTML (suitable for web
271 browsers)
272
273 scan-results.js - scan results, including scan metadata, encoded using
274 JSON
275
276 scan-results-summary.txt - total count of defects found by particular
277 checkers
278
279 scan.ini - scan metadata encoded in the INI format
280
281 scan.log - scan log file (useful for debugging scan failures)
282
283 debug - a directory containing additional data (intended for csmock
284 debugging)
285
286 Note that external plug-ins of csmock may create additional files (not
287 covered by this man page) in the directory with results.
288
289
290
291csmock csmock-2.7.1-1.fc33 February 2021 CSMOCK(1)