CSMOCK(1)                        User Commands                        CSMOCK(1)

csmock - run static analysis of the given SRPM using mock

usage: csmock [-h] [-r MOCK_PROFILE] [-t TOOLS] [-a] [-l] [--install INSTALL]
              [-o OUTPUT] [-f] [-j JOBS] [--rpm-build-opts RPM_BUILD_OPTS]
              [--cswrap-timeout CSWRAP_TIMEOUT] [-U EMBED_CONTEXT] [-k]
              [--skip-init] [--skip-build] [--no-clean] [--no-scan]
              [--run-check] [--no-run-check] [--print-defects]
              [--no-print-defects] [--base-srpm BASE_SRPM]
              [--base-root BASE_MOCK_PROFILE]
              [--skip-patches | --diff-patches | -c SHELL_CMD]
              [--known-false-positives KNOWN_FALSE_POSITIVES]
              [--use-login-shell] [--no-use-login-shell] [--version]
              [--bandit-scan-build] [--no-bandit-scan-build]
              [--bandit-scan-install] [--no-bandit-scan-install]
              [--bandit-evt-filter BANDIT_EVT_FILTER]
              [--bandit-severity-filter {LOW,MEDIUM,HIGH}]
              [--cbmc-add-flag CBMC_ADD_FLAG] [--cbmc-timeout CBMC_TIMEOUT]
              [--clang-add-flag CLANG_ADD_FLAG] [--use-host-cppcheck]
              [--cppcheck-add-flag CPPCHECK_ADD_FLAG]
              [--divine-add-flag DIVINE_ADD_FLAG]
              [--divine-timeout DIVINE_TIMEOUT]
              [--valgrind-add-flag VALGRIND_ADD_FLAG]
              [--valgrind-timeout VALGRIND_TIMEOUT]
              [--strace-add-flag STRACE_ADD_FLAG]
              [--symbiotic-add-flag SYMBIOTIC_ADD_FLAG]
              [--symbiotic-timeout SYMBIOTIC_TIMEOUT]
              [--gitleaks-bin-url GITLEAKS_BIN_URL]
              [--gitleaks-config GITLEAKS_CONFIG]
              [--pylint-scan-build] [--no-pylint-scan-build]
              [--pylint-scan-install] [--no-pylint-scan-install]
              [--pylint-evt-filter PYLINT_EVT_FILTER]
              [--shellcheck-scan-build] [--no-shellcheck-scan-build]
              [--shellcheck-scan-install] [--no-shellcheck-scan-install]
              [--unicontrol-bidi-only] [--unicontrol-notests]
              [-w GCC_WARNING_LEVEL] [--gcc-analyze]
              [--gcc-analyzer-bin GCC_ANALYZER_BIN]
              [--gcc-analyze-add-flag GCC_ANALYZE_ADD_FLAG] [--gcc-set-env]
              [--gcc-sanitize-address | --gcc-sanitize-leak | --gcc-sanitize-thread]
              [--gcc-sanitize-undefined] [--gcc-add-flag GCC_ADD_FLAG]
              [--gcc-add-c-only-flag GCC_ADD_C_ONLY_FLAG]
              [--gcc-add-cxx-only-flag GCC_ADD_CXX_ONLY_FLAG]
              [--gcc-del-flag GCC_DEL_FLAG] [SRPM]

positional arguments:
    SRPM    source RPM package to be scanned by static analyzers

options:
    -h, --help
        show this help message and exit

    -r MOCK_PROFILE, --root MOCK_PROFILE
        mock profile to use (defaults to mock's default)

    -t TOOLS, --tools TOOLS
        comma-separated list of tools to enable (use --list-available-tools
        to see the list of available tools)

    -a, --all-tools
        enable all stable csmock plug-ins (use --list-available-tools to
        see the list of available tools)

    -l, --list-available-tools
        list available tools and exit

    --install INSTALL
        space-separated list of packages to install into the chroot

    -o OUTPUT, --output OUTPUT
        name of the tarball or directory to put the results to

    -f, --force
        overwrite the resulting file or directory if it exists already

    -j JOBS, --jobs JOBS
        maximal number of jobs running in parallel (passed to 'make')

    --rpm-build-opts RPM_BUILD_OPTS
        shell-quoted options passed to rpm-build

    --cswrap-timeout CSWRAP_TIMEOUT
        maximal amount of time taken by analysis of a single module [s]

    -U EMBED_CONTEXT, --embed-context EMBED_CONTEXT
        embed a number of lines of context from the source file for the
        key event (defaults to 3)

    -k, --keep-going
        continue as much as possible after an error

    --skip-init
        do not run 'mock --init' before the scan (may lead to unpredictable
        scan results)

    --skip-build
        do not run %build and %install sections [EXPERIMENTAL]

    --no-clean
        do not clean chroot when it becomes unused

    --no-scan
        do not analyze any package, just check versions of the analyzers

    --run-check
        run the %check section of specfile (disabled by default)

    --no-run-check
        disables --run-check

    --print-defects
        print the resulting list of defects (default if connected to a tty)

    --no-print-defects
        disables --print-defects

    --base-srpm BASE_SRPM
        perform a differential scan against the specified base package

    --base-root BASE_MOCK_PROFILE
        mock profile to use for the base scan (use only with --base-srpm)

    --skip-patches
        skip patches not annotated by %{?_rawbuild} (vanilla build)

    --diff-patches
        scan with/without patches and diff the lists of defects

    -c SHELL_CMD, --shell-cmd SHELL_CMD
        use shell command to build the given tarball (instead of SRPM)

    --known-false-positives KNOWN_FALSE_POSITIVES
        suppress known false positives loaded from the given file (defaults
        to "/usr/share/csmock/known-falsepositives.js" if available)

    --use-login-shell
        use login shell for build (default)

    --no-use-login-shell
        disables --use-login-shell

    --version
        print the version of csmock and exit

    --bandit-scan-build
        make bandit scan files in the build directory (disabled by default)

    --no-bandit-scan-build
        disables --bandit-scan-build

    --bandit-scan-install
        make bandit scan files in the install directory (enabled by default)

    --no-bandit-scan-install
        disables --bandit-scan-install

    --bandit-evt-filter BANDIT_EVT_FILTER
        report only Bandit defects whose key event matches the given regex
        (defaults to '^B[0-9]+')

    --bandit-severity-filter {LOW,MEDIUM,HIGH}
        suppress Bandit defects whose severity level is below the given
        level (default 'LOW')

    --cbmc-add-flag CBMC_ADD_FLAG
        append the given flag when invoking cbmc (can be used multiple times)

    --cbmc-timeout CBMC_TIMEOUT
        maximal amount of time taken by analysis of a single process [s]

    --clang-add-flag CLANG_ADD_FLAG
        append the given flag when invoking clang static analyzer (can be
        used multiple times)

    --use-host-cppcheck
        use host's Cppcheck instead of the one in chroot (automatically
        enables the Cppcheck plug-in)

    --cppcheck-add-flag CPPCHECK_ADD_FLAG
        append the given flag when invoking cppcheck (can be used multiple
        times)

    --divine-add-flag DIVINE_ADD_FLAG
        append the given flag when invoking divine (can be used multiple
        times)

    --divine-timeout DIVINE_TIMEOUT
        maximal amount of time taken by analysis of a single process [s]

    --valgrind-add-flag VALGRIND_ADD_FLAG
        append the given flag when invoking valgrind (can be used multiple
        times)

    --valgrind-timeout VALGRIND_TIMEOUT
        maximal amount of time taken by analysis of a single process [s]

    --strace-add-flag STRACE_ADD_FLAG
        append the given flag when invoking strace (can be used multiple
        times)

    --symbiotic-add-flag SYMBIOTIC_ADD_FLAG
        append the given flag when invoking symbiotic (can be used multiple
        times)

    --symbiotic-timeout SYMBIOTIC_TIMEOUT
        maximal amount of time taken by analysis of a single process [s]

    --gitleaks-bin-url GITLEAKS_BIN_URL
        URL to download gitleaks binary executable from

    --gitleaks-config GITLEAKS_CONFIG
        local configuration file to be used for gitleaks

    --pylint-scan-build
        make pylint scan files in the build directory (disabled by default)

    --no-pylint-scan-build
        disables --pylint-scan-build

    --pylint-scan-install
        make pylint scan files in the install directory (enabled by default)

    --no-pylint-scan-install
        disables --pylint-scan-install

    --pylint-evt-filter PYLINT_EVT_FILTER
        filter out Pylint defects whose key event matches the given regex
        (defaults to '^W[0-9]+', use '.*' to get all defects detected by
        Pylint)

    --shellcheck-scan-build
        make shellcheck scan files in the build directory (disabled by
        default)

    --no-shellcheck-scan-build
        disables --shellcheck-scan-build

    --shellcheck-scan-install
        make shellcheck scan files in the install directory (enabled by
        default)

    --no-shellcheck-scan-install
        disables --shellcheck-scan-install

    --unicontrol-bidi-only
        look for bidirectional control characters only

    --unicontrol-notests
        exclude tests (basically test.* as a component of path)

    -w GCC_WARNING_LEVEL, --gcc-warning-level GCC_WARNING_LEVEL
        adjust GCC warning level: -w0 means default flags, -w1 appends
        -Wall and -Wextra, and -w2 enables some other useful warnings
        (automatically enables the GCC plug-in)

    --gcc-analyze
        run `gcc -fanalyzer` in a separate process

    --gcc-analyzer-bin GCC_ANALYZER_BIN
        use a custom build of gcc to perform the scan; the absolute path to
        the binary must be provided

    --gcc-analyze-add-flag GCC_ANALYZE_ADD_FLAG
        append the given flag when invoking `gcc -fanalyzer` (can be used
        multiple times)

    --gcc-set-env
        set $CC and $CXX to gcc and g++, respectively, for build

    --gcc-sanitize-address
        enable %check and compile with -fsanitize=address

    --gcc-sanitize-leak
        enable %check and compile with -fsanitize=leak

    --gcc-sanitize-thread
        enable %check and compile with -fsanitize=thread

    --gcc-sanitize-undefined
        enable %check and compile with -fsanitize=undefined

    --gcc-add-flag GCC_ADD_FLAG
        append the given compiler flag when invoking gcc (can be used
        multiple times)

    --gcc-add-c-only-flag GCC_ADD_C_ONLY_FLAG
        append the given compiler flag when invoking gcc for C (can be used
        multiple times)

    --gcc-add-cxx-only-flag GCC_ADD_CXX_ONLY_FLAG
        append the given compiler flag when invoking gcc for C++ (can be
        used multiple times)

    --gcc-del-flag GCC_DEL_FLAG
        drop the given compiler flag when invoking gcc (can be used multiple
        times)

If not overridden by the --output option, csmock creates an archive
NVR.tar.xz in the current directory for an SRPM named NVR.src.rpm (or
NVR.tar.* if the --shell-cmd option is used). The archive contains a
directory named NVR as the only top-level directory, containing the
following items:

    scan-results.err - scan results encoded as plain text (for source code
        editors)

    scan-results.html - scan results encoded as HTML (suitable for web
        browsers)

    scan-results.js - scan results, including scan metadata, encoded using
        JSON

    scan-results-summary.txt - total count of defects found by particular
        checkers

    scan.ini - scan metadata encoded in the INI format

    scan.log - scan log file (useful for debugging scan failures)

    debug - a directory containing additional data (intended for csmock
        debugging)

Note that external plug-ins of csmock may create additional files (not
covered by this man page) in the directory with results.
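As an added example (not csmock's own code), a POSIX shell wrapper that runs a scan using only options from this page and then checks the result archive against the layout just described, so a CI job can fail early on a broken or incomplete scan. The function names are chosen here, and scan_and_verify assumes csmock and mock are installed; verify_csmock_archive itself only needs tar.

```shell
#!/bin/sh
# Added example (not part of csmock): run a scan and check that the result
# archive has the layout described in the man page. Only csmock options named
# there are used; nothing about the contents of the result files is assumed.
set -eu

# Archive stem and top-level directory csmock uses for NVR.src.rpm.
srpm_nvr() {
    basename "$1" .src.rpm
}

# Verify that ARCHIVE has exactly one top-level directory named NVR and that
# every item the man page documents is present. Prints what is missing and
# returns 1 on any problem, so it can gate a CI job.
verify_csmock_archive() {
    archive=$1
    nvr=$2
    rc=0
    listing=$(tar -tf "$archive")
    top=$(printf '%s\n' "$listing" | sed 's#/.*##' | sort -u)
    [ "$top" = "$nvr" ] || { echo "unexpected top-level entries: $top"; rc=1; }
    for item in scan-results.err scan-results.html scan-results.js \
                scan-results-summary.txt scan.ini scan.log debug; do
        # directories are listed with a trailing slash, files without
        printf '%s\n' "$listing" | grep -qxF -e "$nvr/$item" -e "$nvr/$item/" \
            || { echo "missing: $nvr/$item"; rc=1; }
    done
    return $rc
}

# Scan SRPM with the given comma-separated TOOLS; an optional BASE_SRPM turns
# it into a differential scan (--base-srpm). The archive name matches the
# default csmock would pick, so -f is passed to overwrite an earlier run.
# Usage: scan_and_verify foo-1.2-3.fc35.src.rpm gcc,cppcheck [foo-1.1-1.fc35.src.rpm]
scan_and_verify() {
    srpm=$1
    tools=$2
    nvr=$(srpm_nvr "$srpm")
    if [ $# -ge 3 ]; then
        csmock -t "$tools" --base-srpm "$3" -o "$nvr.tar.xz" -f "$srpm"
    else
        csmock -t "$tools" -o "$nvr.tar.xz" -f "$srpm"
    fi
    verify_csmock_archive "$nvr.tar.xz" "$nvr"
}
```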

csmock                     csmock-3.1.0-1.fc35                   November 2021                     CSMOCK(1)