CSMOCK(1)                        User Commands                       CSMOCK(1)


NAME

       csmock - run static analysis of the given SRPM using mock

DESCRIPTION

       usage: csmock [-h] [-r MOCK_PROFILE] [-t TOOLS] [-a] [-l]
              [--install INSTALL] [-o OUTPUT] [-f] [-j JOBS]
              [--rpm-build-opts RPM_BUILD_OPTS]
              [--cswrap-timeout CSWRAP_TIMEOUT] [-U EMBED_CONTEXT] [-k]
              [--skip-init] [--skip-build] [--no-clean] [--no-scan]
              [--run-check] [--no-run-check] [--print-defects]
              [--no-print-defects] [--base-srpm BASE_SRPM]
              [--base-root BASE_MOCK_PROFILE]
              [--skip-patches | --diff-patches | -c SHELL_CMD]
              [--known-false-positives KNOWN_FALSE_POSITIVES]
              [--use-login-shell] [--no-use-login-shell] [--version]
              [--bandit-scan-build] [--no-bandit-scan-build]
              [--bandit-scan-install] [--no-bandit-scan-install]
              [--bandit-evt-filter BANDIT_EVT_FILTER]
              [--bandit-severity-filter {LOW,MEDIUM,HIGH}]
              [--cbmc-add-flag CBMC_ADD_FLAG] [--cbmc-timeout CBMC_TIMEOUT]
              [--clang-add-flag CLANG_ADD_FLAG] [--use-host-cppcheck]
              [--cppcheck-add-flag CPPCHECK_ADD_FLAG]
              [--divine-add-flag DIVINE_ADD_FLAG]
              [--divine-timeout DIVINE_TIMEOUT]
              [--valgrind-add-flag VALGRIND_ADD_FLAG]
              [--valgrind-timeout VALGRIND_TIMEOUT]
              [--strace-add-flag STRACE_ADD_FLAG]
              [--symbiotic-add-flag SYMBIOTIC_ADD_FLAG]
              [--symbiotic-timeout SYMBIOTIC_TIMEOUT]
              [--gitleaks-bin-url GITLEAKS_BIN_URL]
              [--gitleaks-config GITLEAKS_CONFIG]
              [--pylint-scan-build] [--no-pylint-scan-build]
              [--pylint-scan-install] [--no-pylint-scan-install]
              [--pylint-evt-filter PYLINT_EVT_FILTER]
              [--shellcheck-scan-build] [--no-shellcheck-scan-build]
              [--shellcheck-scan-install] [--no-shellcheck-scan-install]
              [--unicontrol-bidi-only] [--unicontrol-notests]
              [-w GCC_WARNING_LEVEL] [--gcc-analyze]
              [--gcc-analyzer-bin GCC_ANALYZER_BIN]
              [--gcc-analyze-add-flag GCC_ANALYZE_ADD_FLAG] [--gcc-set-env]
              [--gcc-sanitize-address | --gcc-sanitize-leak |
               --gcc-sanitize-thread] [--gcc-sanitize-undefined]
              [--gcc-add-flag GCC_ADD_FLAG]
              [--gcc-add-c-only-flag GCC_ADD_C_ONLY_FLAG]
              [--gcc-add-cxx-only-flag GCC_ADD_CXX_ONLY_FLAG]
              [--gcc-del-flag GCC_DEL_FLAG] [SRPM]

   positional arguments:
       SRPM   source RPM package to be scanned by static analyzers

   options:
       -h, --help
              show this help message and exit

       -r MOCK_PROFILE, --root MOCK_PROFILE
              mock profile to use (defaults to mock's default)

       -t TOOLS, --tools TOOLS
              comma-separated list of tools to enable (use
              --list-available-tools to see the list of available tools)

       -a, --all-tools
              enable all stable csmock plug-ins (use --list-available-tools
              to see the list of available tools)

       -l, --list-available-tools
              list available tools and exit

       --install INSTALL
              space-separated list of packages to install into the chroot

       -o OUTPUT, --output OUTPUT
              name of the tarball or directory to put the results into

       -f, --force
              overwrite the resulting file or directory if it already exists

       -j JOBS, --jobs JOBS
              maximal number of jobs running in parallel (passed to 'make')

       --rpm-build-opts RPM_BUILD_OPTS
              shell-quoted options passed to rpm-build

       --cswrap-timeout CSWRAP_TIMEOUT
              maximal amount of time taken by analysis of a single module [s]

       -U EMBED_CONTEXT, --embed-context EMBED_CONTEXT
              embed the given number of lines of context from the source
              file for the key event (defaults to 3)

       -k, --keep-going
              continue as far as possible after an error

       --skip-init
              do not run 'mock --init' before the scan (may lead to
              unpredictable scan results)

       --skip-build
              do not run the %build and %install sections [EXPERIMENTAL]

       --no-clean
              do not clean the chroot when it becomes unused

       --no-scan
              do not analyze any package, just check versions of the analyzers

       --run-check
              run the %check section of the specfile (disabled by default)

       --no-run-check
              disables --run-check

       --print-defects
              print the resulting list of defects (default if connected to a
              tty)

       --no-print-defects
              disables --print-defects

       --base-srpm BASE_SRPM
              perform a differential scan against the specified base package

       --base-root BASE_MOCK_PROFILE
              mock profile to use for the base scan (use only with
              --base-srpm)

       --skip-patches
              skip patches not annotated by %{?_rawbuild} (vanilla build)

       --diff-patches
              scan with and without patches and diff the lists of defects

       -c SHELL_CMD, --shell-cmd SHELL_CMD
              use the given shell command to build the given tarball (instead
              of an SRPM)

       --known-false-positives KNOWN_FALSE_POSITIVES
              suppress known false positives loaded from the given file
              (defaults to "/usr/share/csmock/known-falsepositives.js" if
              available)

       --use-login-shell
              use a login shell for the build (default)

       --no-use-login-shell
              disables --use-login-shell

       --version
              print the version of csmock and exit

       --bandit-scan-build
              make bandit scan files in the build directory (disabled by
              default)

       --no-bandit-scan-build
              disables --bandit-scan-build

       --bandit-scan-install
              make bandit scan files in the install directory (enabled by
              default)

       --no-bandit-scan-install
              disables --bandit-scan-install

       --bandit-evt-filter BANDIT_EVT_FILTER
              report only Bandit defects whose key event matches the given
              regex (defaults to '^B[0-9]+')

       --bandit-severity-filter {LOW,MEDIUM,HIGH}
              suppress Bandit defects whose severity level is below the given
              level (default 'LOW')

       --cbmc-add-flag CBMC_ADD_FLAG
              append the given flag when invoking cbmc (can be used multiple
              times)

       --cbmc-timeout CBMC_TIMEOUT
              maximal amount of time taken by analysis of a single process [s]

       --clang-add-flag CLANG_ADD_FLAG
              append the given flag when invoking the clang static analyzer
              (can be used multiple times)

       --use-host-cppcheck
              use the host's Cppcheck instead of the one in the chroot
              (automatically enables the Cppcheck plug-in)

       --cppcheck-add-flag CPPCHECK_ADD_FLAG
              append the given flag when invoking cppcheck (can be used
              multiple times)

       --divine-add-flag DIVINE_ADD_FLAG
              append the given flag when invoking divine (can be used multiple
              times)

       --divine-timeout DIVINE_TIMEOUT
              maximal amount of time taken by analysis of a single process [s]

       --valgrind-add-flag VALGRIND_ADD_FLAG
              append the given flag when invoking valgrind (can be used
              multiple times)

       --valgrind-timeout VALGRIND_TIMEOUT
              maximal amount of time taken by analysis of a single process [s]

       --strace-add-flag STRACE_ADD_FLAG
              append the given flag when invoking strace (can be used multiple
              times)

       --symbiotic-add-flag SYMBIOTIC_ADD_FLAG
              append the given flag when invoking symbiotic (can be used
              multiple times)

       --symbiotic-timeout SYMBIOTIC_TIMEOUT
              maximal amount of time taken by analysis of a single process [s]

       --gitleaks-bin-url GITLEAKS_BIN_URL
              URL to download the gitleaks binary executable from

       --gitleaks-config GITLEAKS_CONFIG
              local configuration file to be used for gitleaks

       --pylint-scan-build
              make pylint scan files in the build directory (disabled by
              default)

       --no-pylint-scan-build
              disables --pylint-scan-build

       --pylint-scan-install
              make pylint scan files in the install directory (enabled by
              default)

       --no-pylint-scan-install
              disables --pylint-scan-install

       --pylint-evt-filter PYLINT_EVT_FILTER
              filter out Pylint defects whose key event matches the given
              regex (defaults to '^W[0-9]+'; use '.*' to get all defects
              detected by Pylint)

       --shellcheck-scan-build
              make shellcheck scan files in the build directory (disabled by
              default)

       --no-shellcheck-scan-build
              disables --shellcheck-scan-build

       --shellcheck-scan-install
              make shellcheck scan files in the install directory (enabled by
              default)

       --no-shellcheck-scan-install
              disables --shellcheck-scan-install

       --unicontrol-bidi-only
              look for bidirectional control characters only

       --unicontrol-notests
              exclude tests (basically test.* as a component of the path)

       -w GCC_WARNING_LEVEL, --gcc-warning-level GCC_WARNING_LEVEL
              adjust the GCC warning level: -w0 means default flags, -w1
              appends -Wall and -Wextra, and -w2 enables some other useful
              warnings (automatically enables the GCC plug-in)

       --gcc-analyze
              run `gcc -fanalyzer` in a separate process

       --gcc-analyzer-bin GCC_ANALYZER_BIN
              use a custom build of gcc to perform the scan; the absolute
              path to the binary must be provided

       --gcc-analyze-add-flag GCC_ANALYZE_ADD_FLAG
              append the given flag when invoking `gcc -fanalyzer` (can be
              used multiple times)

       --gcc-set-env
              set $CC and $CXX to gcc and g++, respectively, for the build

       --gcc-sanitize-address
              enable %check and compile with -fsanitize=address

       --gcc-sanitize-leak
              enable %check and compile with -fsanitize=leak

       --gcc-sanitize-thread
              enable %check and compile with -fsanitize=thread

       --gcc-sanitize-undefined
              enable %check and compile with -fsanitize=undefined

       --gcc-add-flag GCC_ADD_FLAG
              append the given compiler flag when invoking gcc (can be used
              multiple times)

       --gcc-add-c-only-flag GCC_ADD_C_ONLY_FLAG
              append the given compiler flag when invoking gcc for C (can be
              used multiple times)

       --gcc-add-cxx-only-flag GCC_ADD_CXX_ONLY_FLAG
              append the given compiler flag when invoking gcc for C++ (can be
              used multiple times)

       --gcc-del-flag GCC_DEL_FLAG
              drop the given compiler flag when invoking gcc (can be used
              multiple times)


OUTPUT FORMAT

       If not overridden by the --output option, csmock creates an archive
       NVR.tar.xz in the current directory for an SRPM named NVR.src.rpm (or
       NVR.tar.* if the --shell-cmd option is used).  The archive contains a
       directory named NVR as the only top-level directory, containing the
       following items:

       scan-results.err - scan results encoded as plain text (for source code
       editors)

       scan-results.html - scan results encoded as HTML (suitable for web
       browsers)

       scan-results.js - scan results, including scan metadata, encoded using
       JSON

       scan-results-summary.txt - total count of defects found by particular
       checkers

       scan.ini - scan metadata encoded in the INI format

       scan.log - scan log file (useful for debugging scan failures)

       debug - a directory containing additional data (intended for csmock
       debugging)

       Note that external plug-ins of csmock may create additional files (not
       covered by this man page) in the directory with results.
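       The following wrapper script is an added example; it is not part of
       csmock or of this man page.  It assumes that csmock and tar are
       installed, that mock's default profile is usable, and it picks an
       arbitrary tool selection (gcc,cppcheck,shellcheck) that a caller can
       override through the TOOLS environment variable.  It derives the
       default archive name from the SRPM name as described above, runs the
       scan with an explicit --output so the archive lands in a work
       directory, unpacks it, and checks that every item listed above is
       present before printing the per-checker summary.

```shell
#!/bin/sh
# Added example, not csmock's own code: run csmock on one SRPM and verify
# that the unpacked results directory has the layout the man page describes.
set -eu

# NVR of an SRPM named NVR.src.rpm; this is also the archive's top-level dir.
srpm_nvr() {
    basename "$1" .src.rpm
}

# Archive csmock creates in the current directory when -o is not given.
default_archive() {
    printf '%s.tar.xz\n' "$(srpm_nvr "$1")"
}

# Check that a results directory contains every item listed under OUTPUT
# FORMAT. Prints each missing item and returns non-zero if any is missing.
check_results_layout() {
    dir=$1
    missing=0
    for item in scan-results.err scan-results.html scan-results.js \
                scan-results-summary.txt scan.ini scan.log; do
        [ -f "$dir/$item" ] || { echo "missing: $item"; missing=$((missing + 1)); }
    done
    [ -d "$dir/debug" ] || { echo "missing: debug/"; missing=$((missing + 1)); }
    [ "$missing" -eq 0 ]
}

# Scan one SRPM, unpack the archive into $workdir and validate its layout.
# The tool list is an assumption of this example; override it via $TOOLS.
scan_srpm() {
    srpm=$1
    workdir=${2:-./csmock-out}
    tools=${TOOLS:-gcc,cppcheck,shellcheck}
    nvr=$(srpm_nvr "$srpm")
    archive=$workdir/$nvr.tar.xz
    mkdir -p "$workdir"
    # -t selects plug-ins, -o names the archive, -f overwrites a stale one.
    csmock -f -t "$tools" -o "$archive" "$srpm"
    tar -xf "$archive" -C "$workdir"
    check_results_layout "$workdir/$nvr"
    cat "$workdir/$nvr/scan-results-summary.txt"
}

# Usage: ./scan.sh pkg-1.0-1.fc35.src.rpm [workdir]
if [ "${1:-}" ]; then
    scan_srpm "$@"
fi
```

       The layout check is the useful part for CI: a missing scan.log or
       scan-results.js usually means the scan itself failed rather than that
       the package is clean, and the wrapper makes that distinction visible
       before anyone reads the summary.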


csmock csmock-3.1.0-1.fc35       November 2021                       CSMOCK(1)