CSMOCK(1)                        User Commands                       CSMOCK(1)

       csmock - run static analysis of the given SRPM using mock

       usage: csmock [-h] [-r MOCK_PROFILE] [-t TOOLS] [-a] [-l]
              [--install INSTALL] [-o OUTPUT] [-f] [-j JOBS]
              [--rpm-build-opts RPM_BUILD_OPTS]
              [--cswrap-timeout CSWRAP_TIMEOUT] [-U EMBED_CONTEXT] [-k]
              [--skip-init] [--skip-build] [--use-ldpwrap] [--no-clean]
              [--no-scan] [--run-check] [--no-run-check] [--print-defects]
              [--no-print-defects] [--base-srpm BASE_SRPM]
              [--base-root BASE_MOCK_PROFILE]
              [--root-override MOCK_ROOT_OVERRIDE]
              [--skip-patches | --diff-patches | -c SHELL_CMD]
              [--known-false-positives KNOWN_FALSE_POSITIVES]
              [--use-login-shell] [--no-use-login-shell] [--version]
              [--bandit-scan-build] [--no-bandit-scan-build]
              [--bandit-scan-install] [--no-bandit-scan-install]
              [--bandit-evt-filter BANDIT_EVT_FILTER]
              [--bandit-severity-filter {LOW,MEDIUM,HIGH}]
              [--cbmc-add-flag CBMC_ADD_FLAG] [--cbmc-timeout CBMC_TIMEOUT]
              [--clang-add-flag CLANG_ADD_FLAG] [--use-host-cppcheck]
              [--cppcheck-add-flag CPPCHECK_ADD_FLAG]
              [--divine-add-flag DIVINE_ADD_FLAG]
              [--divine-timeout DIVINE_TIMEOUT]
              [--symbiotic-add-flag SYMBIOTIC_ADD_FLAG]
              [--symbiotic-timeout SYMBIOTIC_TIMEOUT]
              [--strace-add-flag STRACE_ADD_FLAG]
              [--valgrind-add-flag VALGRIND_ADD_FLAG]
              [--valgrind-timeout VALGRIND_TIMEOUT]
              [--gitleaks-bin-url GITLEAKS_BIN_URL]
              [--gitleaks-config GITLEAKS_CONFIG]
              [--infer-analyze-add-flag INFER_ANALYZE_ADD_FLAG]
              [--infer-archive-path INFER_ARCHIVE_PATH]
              [--infer-filter] [--no-infer-filter]
              [--infer-biabduction-filter] [--no-infer-biabduction-filter]
              [--infer-inferbo-filter] [--no-infer-inferbo-filter]
              [--infer-uninit-filter] [--no-infer-uninit-filter]
              [--infer-dead-store-severity] [--no-infer-dead-store-severity]
              [--infer-timeout INFER_TIMEOUT]
              [--pylint-scan-build] [--no-pylint-scan-build]
              [--pylint-scan-install] [--no-pylint-scan-install]
              [--pylint-evt-filter PYLINT_EVT_FILTER]
              [--shellcheck-scan-build] [--no-shellcheck-scan-build]
              [--shellcheck-scan-install] [--no-shellcheck-scan-install]
              [--unicontrol-bidi-only] [--unicontrol-notests]
              [-w GCC_WARNING_LEVEL] [--gcc-analyze]
              [--gcc-analyzer-bin GCC_ANALYZER_BIN]
              [--gcc-analyze-add-flag GCC_ANALYZE_ADD_FLAG] [--gcc-set-env]
              [--gcc-sanitize-address | --gcc-sanitize-leak |
              --gcc-sanitize-thread] [--gcc-sanitize-undefined]
              [--gcc-add-flag GCC_ADD_FLAG]
              [--gcc-add-c-only-flag GCC_ADD_C_ONLY_FLAG]
              [--gcc-add-cxx-only-flag GCC_ADD_CXX_ONLY_FLAG]
              [--gcc-del-flag GCC_DEL_FLAG] [SRPM]

   positional arguments:
       SRPM   source RPM package to be scanned by static analyzers

   options:
       -h, --help
              show this help message and exit

       -r MOCK_PROFILE, --root MOCK_PROFILE
              mock profile to use (defaults to mock's default)

       -t TOOLS, --tools TOOLS
              comma-separated list of tools to enable (use
              --list-available-tools to see the list of available tools)

       -a, --all-tools
              enable all stable csmock plug-ins (use --list-available-tools
              to see the list of available tools)

       -l, --list-available-tools
              list available tools and exit

       --install INSTALL
              space-separated list of packages to install into the chroot

       -o OUTPUT, --output OUTPUT
              name of the tarball or directory to put the results to

       -f, --force
              overwrite the resulting file or directory if it exists already

       -j JOBS, --jobs JOBS
              maximal number of jobs running in parallel (passed to 'make')

       --rpm-build-opts RPM_BUILD_OPTS
              shell-quoted options passed to rpm-build

       --cswrap-timeout CSWRAP_TIMEOUT
              maximal amount of time taken by analysis of a single module [s]

       -U EMBED_CONTEXT, --embed-context EMBED_CONTEXT
              embed a number of lines of context from the source file for the
              key event (defaults to 3).

       -k, --keep-going
              continue as much as possible after an error

       --skip-init
              do not run 'mock --init' before the scan (may lead to
              unpredictable scan results)

       --skip-build
              do not run %build and %install sections [EXPERIMENTAL]

       --use-ldpwrap
              use ldpwrap instead of csexec-loader [EXPERIMENTAL]

       --no-clean
              do not clean chroot when it becomes unused

       --no-scan
              do not analyze any package, just check versions of the analyzers

       --run-check
              run the %check section of specfile (disabled by default)

       --no-run-check
              disables --run-check

       --print-defects
              print the resulting list of defects (default if connected to a
              tty)

       --no-print-defects
              disables --print-defects

       --base-srpm BASE_SRPM
              perform a differential scan against the specified base package

       --base-root BASE_MOCK_PROFILE
              mock profile to use for the base scan (use only with
              --base-srpm)

       --root-override MOCK_ROOT_OVERRIDE
              override the build root directory for mock (disables yum and
              root cache)

       --skip-patches
              skip patches not annotated by %{?_rawbuild} (vanilla build)

       --diff-patches
              scan with/without patches and diff the lists of defects

       -c SHELL_CMD, --shell-cmd SHELL_CMD
              use shell command to build the given tarball (instead of SRPM)

       --known-false-positives KNOWN_FALSE_POSITIVES
              suppress known false positives loaded from the given file
              (defaults to "/usr/share/csmock/known-falsepositives.js" if
              available)

       --use-login-shell
              use login shell for build (default)

       --no-use-login-shell
              disables --use-login-shell

       --version
              print the version of csmock and exit

       --bandit-scan-build
              make bandit scan files in the build directory (disabled by
              default)

       --no-bandit-scan-build
              disables --bandit-scan-build

       --bandit-scan-install
              make bandit scan files in the install directory (enabled by
              default)

       --no-bandit-scan-install
              disables --bandit-scan-install

       --bandit-evt-filter BANDIT_EVT_FILTER
              report only Bandit defects whose key event matches the given
              regex (defaults to '^B[0-9]+')

       --bandit-severity-filter {LOW,MEDIUM,HIGH}
              suppress Bandit defects whose severity level is below given
              level (default 'LOW')

       --cbmc-add-flag CBMC_ADD_FLAG
              append the given flag when invoking cbmc (can be used multiple
              times)

       --cbmc-timeout CBMC_TIMEOUT
              maximal amount of time taken by analysis of a single process [s]

       --clang-add-flag CLANG_ADD_FLAG
              append the given flag when invoking clang static analyzer (can
              be used multiple times)

       --use-host-cppcheck
              use host's Cppcheck instead of the one in chroot (automatically
              enables the Cppcheck plug-in)

       --cppcheck-add-flag CPPCHECK_ADD_FLAG
              append the given flag when invoking cppcheck (can be used
              multiple times)

       --divine-add-flag DIVINE_ADD_FLAG
              append the given flag when invoking divine (can be used multiple
              times)

       --divine-timeout DIVINE_TIMEOUT
              maximal amount of time taken by analysis of a single process [s]

       --symbiotic-add-flag SYMBIOTIC_ADD_FLAG
              append the given flag when invoking symbiotic (can be used
              multiple times)

       --symbiotic-timeout SYMBIOTIC_TIMEOUT
              maximal amount of time taken by analysis of a single process [s]

       --strace-add-flag STRACE_ADD_FLAG
              append the given flag when invoking strace (can be used multiple
              times)

       --valgrind-add-flag VALGRIND_ADD_FLAG
              append the given flag when invoking valgrind (can be used
              multiple times)

       --valgrind-timeout VALGRIND_TIMEOUT
              maximal amount of time taken by analysis of a single process [s]

       --gitleaks-bin-url GITLEAKS_BIN_URL
              URL to download gitleaks binary executable from

       --gitleaks-config GITLEAKS_CONFIG
              local configuration file to be used for gitleaks

       --infer-analyze-add-flag INFER_ANALYZE_ADD_FLAG
              appends the given flag (except '-o') when invoking 'infer
              analyze' (can be used multiple times) (default flags
              '--bufferoverrun', '--pulse')

       --infer-archive-path INFER_ARCHIVE_PATH
              use the given archive to install Infer (default is
              /opt/infer-linux*.tar.xz)

       --infer-filter
              apply false positive filter (enabled by default)

       --no-infer-filter
              disables --infer-filter

       --infer-biabduction-filter
              apply false positive bi-abduction filter (enabled by default)

       --no-infer-biabduction-filter
              disables --infer-biabduction-filter

       --infer-inferbo-filter
              apply false positive inferbo filter (enabled by default)

       --no-infer-inferbo-filter
              disables --infer-inferbo-filter

       --infer-uninit-filter
              apply false positive uninit filter (enabled by default)

       --no-infer-uninit-filter
              disables --infer-uninit-filter

       --infer-dead-store-severity
              lower dead store severity (enabled by default)

       --no-infer-dead-store-severity
              disables --infer-dead-store-severity

       --infer-timeout INFER_TIMEOUT
              maximal amount of time taken by Infer's analysis phase [s]
              (default 300)

       --pylint-scan-build
              make pylint scan files in the build directory (disabled by
              default)

       --no-pylint-scan-build
              disables --pylint-scan-build

       --pylint-scan-install
              make pylint scan files in the install directory (enabled by
              default)

       --no-pylint-scan-install
              disables --pylint-scan-install

       --pylint-evt-filter PYLINT_EVT_FILTER
              filter out Pylint defects whose key event matches the given
              regex (defaults to '^W[0-9]+', use '.*' to get all defects
              detected by Pylint)

       --shellcheck-scan-build
              make shellcheck scan files in the build directory (disabled by
              default)

       --no-shellcheck-scan-build
              disables --shellcheck-scan-build

       --shellcheck-scan-install
              make shellcheck scan files in the install directory (enabled by
              default)

       --no-shellcheck-scan-install
              disables --shellcheck-scan-install

       --unicontrol-bidi-only
              look for bidirectional control characters only

       --unicontrol-notests
              exclude tests (basically test.* as a component of path)

       -w GCC_WARNING_LEVEL, --gcc-warning-level GCC_WARNING_LEVEL
              Adjust GCC warning level. -w0 means default flags, -w1 appends
              -Wall and -Wextra, and -w2 enables some other useful warnings.
              (automatically enables the GCC plugin)

       --gcc-analyze
              run `gcc -fanalyzer` in a separate process

       --gcc-analyzer-bin GCC_ANALYZER_BIN
              Use custom build of gcc to perform scan. Absolute path to the
              binary must be provided.

       --gcc-analyze-add-flag GCC_ANALYZE_ADD_FLAG
              append the given flag when invoking `gcc -fanalyzer` (can be
              used multiple times)

       --gcc-set-env
              set $CC and $CXX to gcc and g++, respectively, for build

       --gcc-sanitize-address
              enable %check and compile with -fsanitize=address

       --gcc-sanitize-leak
              enable %check and compile with -fsanitize=leak

       --gcc-sanitize-thread
              enable %check and compile with -fsanitize=thread

       --gcc-sanitize-undefined
              enable %check and compile with -fsanitize=undefined

       --gcc-add-flag GCC_ADD_FLAG
              append the given compiler flag when invoking gcc (can be used
              multiple times)

       --gcc-add-c-only-flag GCC_ADD_C_ONLY_FLAG
              append the given compiler flag when invoking gcc for C (can be
              used multiple times)

       --gcc-add-cxx-only-flag GCC_ADD_CXX_ONLY_FLAG
              append the given compiler flag when invoking gcc for C++ (can be
              used multiple times)

       --gcc-del-flag GCC_DEL_FLAG
              drop the given compiler flag when invoking gcc (can be used
              multiple times)

       If not overridden by the --output option, csmock creates an archive
       NVR.tar.xz in the current directory for an SRPM named NVR.src.rpm (or
       NVR.tar.* if the --shell-cmd option is used). The archive contains a
       directory named NVR as the only top-level directory, containing the
       following items:

       scan-results.err - scan results encoded as plain-text (for source code
       editors)

       scan-results.html - scan results encoded as HTML (suitable for web
       browsers)

       scan-results.js - scan results, including scan metadata, encoded using
       JSON

       scan-results-summary.txt - total count of defects found by particular
       checkers

       scan.ini - scan metadata encoded in the INI format

       scan.log - scan log file (useful for debugging scan failures)

       debug - a directory containing additional data (intended for csmock
       debugging)

       Note that external plug-ins of csmock may create additional files (not
       covered by this man page) in the directory with results.
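
       The archive layout described above can be checked before a pipeline
       consumes the results. The following Python is an added example, not
       part of csmock or its man page: it confirms that every member sits
       under the single top-level NVR directory, reports which of the listed
       items are missing, and counts defects per checker. The "defects" and
       "checker" keys read from scan-results.js, the helper names, and the
       sample archive contents are assumptions constructed for illustration.

```python
import io
import json
import tarfile

# Items the man page lists inside the NVR directory ("debug" is a directory).
EXPECTED = {"scan-results.err", "scan-results.html", "scan-results.js",
            "scan-results-summary.txt", "scan.ini", "scan.log", "debug"}


def inspect_results(archive, nvr):
    """Return (missing items, defects per checker) for a results archive."""
    with tarfile.open(fileobj=archive, mode="r:*") as tar:
        names = tar.getnames()
        for name in names:
            parts = name.split("/")
            # Everything must live under the single top-level NVR directory.
            if parts[0] != nvr or ".." in parts:
                raise ValueError(f"unexpected archive member: {name}")
        present = {n.split("/")[1] for n in names if "/" in n}
        counts = {}
        if "scan-results.js" in present:
            data = json.load(tar.extractfile(f"{nvr}/scan-results.js"))
            # Assumed schema (not from the man page): {"defects": [{"checker": ...}]}
            for defect in data.get("defects", []):
                checker = defect["checker"]
                counts[checker] = counts.get(checker, 0) + 1
    return sorted(EXPECTED - present), counts


def build_sample(nvr, files):
    """Build a constructed .tar.xz in memory so the example runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(f"{nvr}/{name}")
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    buf.seek(0)
    return buf


# Constructed sample: checker names and file contents are made up.
SAMPLE_JS = json.dumps({"defects": [{"checker": "CPPCHECK_WARNING"},
                                    {"checker": "SHELLCHECK_WARNING"},
                                    {"checker": "CPPCHECK_WARNING"}]}).encode()
SAMPLE_FILES = {"scan-results.js": SAMPLE_JS, "scan.ini": b"[scan]\n",
                "scan.log": b"", "debug/build.log": b""}

if __name__ == "__main__":
    print(inspect_results(build_sample("pkg-1.0-1", SAMPLE_FILES), "pkg-1.0-1"))
```

       Files created by external plug-ins are tolerated by this check, since
       only members outside the NVR directory are rejected.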

csmock csmock-3.3.3-1.fc36          June 2022                        CSMOCK(1)