CSMOCK(1) User Commands CSMOCK(1)

csmock - run static analysis of the given SRPM using mock

usage: csmock [-h] [-r MOCK_PROFILE] [-t TOOLS] [-a] [-l] [--install INSTALL]
              [-o OUTPUT] [-f] [-j JOBS] [--rpm-build-opts RPM_BUILD_OPTS]
              [--cswrap-timeout CSWRAP_TIMEOUT] [-U EMBED_CONTEXT] [-k]
              [--skip-init] [--skip-build] [--use-ldpwrap] [--no-clean]
              [--no-scan] [--run-check] [--no-run-check] [--print-defects]
              [--no-print-defects] [--base-srpm BASE_SRPM]
              [--base-root BASE_MOCK_PROFILE]
              [--root-override MOCK_ROOT_OVERRIDE]
              [--skip-patches | --diff-patches | -c SHELL_CMD]
              [--known-false-positives KNOWN_FALSE_POSITIVES]
              [--use-login-shell] [--no-use-login-shell] [--version]
              [--bandit-scan-build] [--no-bandit-scan-build]
              [--bandit-scan-install] [--no-bandit-scan-install]
              [--bandit-evt-filter BANDIT_EVT_FILTER]
              [--bandit-severity-filter {LOW,MEDIUM,HIGH}]
              [--cbmc-add-flag CBMC_ADD_FLAG] [--cbmc-timeout CBMC_TIMEOUT]
              [--clang-add-flag CLANG_ADD_FLAG] [--use-host-cppcheck]
              [--cppcheck-add-flag CPPCHECK_ADD_FLAG]
              [--divine-add-flag DIVINE_ADD_FLAG]
              [--divine-timeout DIVINE_TIMEOUT]
              [--symbiotic-add-flag SYMBIOTIC_ADD_FLAG]
              [--symbiotic-timeout SYMBIOTIC_TIMEOUT]
              [--valgrind-add-flag VALGRIND_ADD_FLAG]
              [--valgrind-timeout VALGRIND_TIMEOUT]
              [--strace-add-flag STRACE_ADD_FLAG]
              [--gitleaks-bin-url GITLEAKS_BIN_URL]
              [--gitleaks-cache-dir GITLEAKS_CACHE_DIR]
              [--gitleaks-config GITLEAKS_CONFIG] [--gitleaks-refresh]
              [--infer-analyze-add-flag INFER_ANALYZE_ADD_FLAG]
              [--infer-archive-path INFER_ARCHIVE_PATH] [--infer-filter]
              [--no-infer-filter] [--infer-biabduction-filter]
              [--no-infer-biabduction-filter] [--infer-inferbo-filter]
              [--no-infer-inferbo-filter] [--infer-uninit-filter]
              [--no-infer-uninit-filter] [--infer-dead-store-severity]
              [--no-infer-dead-store-severity] [--infer-timeout INFER_TIMEOUT]
              [--pylint-scan-build] [--no-pylint-scan-build]
              [--pylint-scan-install] [--no-pylint-scan-install]
              [--pylint-evt-filter PYLINT_EVT_FILTER]
              [--shellcheck-scan-build] [--no-shellcheck-scan-build]
              [--shellcheck-scan-install] [--no-shellcheck-scan-install]
              [--unicontrol-bidi-only] [--unicontrol-notests]
              [-w GCC_WARNING_LEVEL] [--gcc-analyze]
              [--gcc-analyzer-bin GCC_ANALYZER_BIN]
              [--gcc-analyze-add-flag GCC_ANALYZE_ADD_FLAG] [--gcc-set-env]
              [--gcc-sanitize-address | --gcc-sanitize-leak | --gcc-sanitize-thread]
              [--gcc-sanitize-undefined] [--gcc-add-flag GCC_ADD_FLAG]
              [--gcc-add-c-only-flag GCC_ADD_C_ONLY_FLAG]
              [--gcc-add-cxx-only-flag GCC_ADD_CXX_ONLY_FLAG]
              [--gcc-del-flag GCC_DEL_FLAG] [SRPM]

positional arguments:
    SRPM    source RPM package to be scanned by static analyzers

options:
-h, --help
    show this help message and exit

-r MOCK_PROFILE, --root MOCK_PROFILE
    mock profile to use (defaults to mock's default)

-t TOOLS, --tools TOOLS
    comma-separated list of tools to enable (use --list-available-tools to
    see the list of available tools)

-a, --all-tools
    enable all stable csmock plug-ins (use --list-available-tools to see the
    list of available tools)

-l, --list-available-tools
    list available tools and exit

--install INSTALL
    space-separated list of packages to install into the chroot

-o OUTPUT, --output OUTPUT
    name of the tarball or directory to put the results to

-f, --force
    overwrite the resulting file or directory if it exists already

-j JOBS, --jobs JOBS
    maximal number of jobs running in parallel (passed to 'make')

--rpm-build-opts RPM_BUILD_OPTS
    shell-quoted options passed to rpm-build

--cswrap-timeout CSWRAP_TIMEOUT
    maximal amount of time taken by analysis of a single module [s]

-U EMBED_CONTEXT, --embed-context EMBED_CONTEXT
    embed a number of lines of context from the source file for the key
    event (defaults to 3).

-k, --keep-going
    continue as much as possible after an error

--skip-init
    do not run 'mock --init' before the scan (may lead to unpredictable
    scan results)

--skip-build
    do not run %build and %install sections [EXPERIMENTAL]

--use-ldpwrap
    use ldpwrap instead of csexec-loader [EXPERIMENTAL]

--no-clean
    do not clean chroot when it becomes unused

--no-scan
    do not analyze any package, just check versions of the analyzers

--run-check
    run the %check section of specfile (disabled by default)

--no-run-check
    disables --run-check

--print-defects
    print the resulting list of defects (default if connected to a tty)

--no-print-defects
    disables --print-defects

--base-srpm BASE_SRPM
    perform a differential scan against the specified base package

--base-root BASE_MOCK_PROFILE
    mock profile to use for the base scan (use only with --base-srpm)

--root-override MOCK_ROOT_OVERRIDE
    override the build root directory for mock (disables yum and root cache)

--skip-patches
    skip patches not annotated by %{?_rawbuild} (vanilla build)

--diff-patches
    scan with/without patches and diff the lists of defects

-c SHELL_CMD, --shell-cmd SHELL_CMD
    use shell command to build the given tarball (instead of SRPM)

--known-false-positives KNOWN_FALSE_POSITIVES
    suppress known false positives loaded from the given file (defaults to
    "/usr/share/csmock/known-falsepositives.js" if available)

--use-login-shell
    use login shell for build (default)

--no-use-login-shell
    disables --use-login-shell

--version
    print the version of csmock and exit

--bandit-scan-build
    make bandit scan files in the build directory (disabled by default)

--no-bandit-scan-build
    disables --bandit-scan-build

--bandit-scan-install
    make bandit scan files in the install directory (enabled by default)

--no-bandit-scan-install
    disables --bandit-scan-install

--bandit-evt-filter BANDIT_EVT_FILTER
    report only Bandit defects whose key event matches the given regex
    (defaults to '^B[0-9]+')

--bandit-severity-filter {LOW,MEDIUM,HIGH}
    suppress Bandit defects whose severity level is below given level
    (default 'LOW')

--cbmc-add-flag CBMC_ADD_FLAG
    append the given flag when invoking cbmc (can be used multiple times)

--cbmc-timeout CBMC_TIMEOUT
    maximal amount of time taken by analysis of a single process [s]

--clang-add-flag CLANG_ADD_FLAG
    append the given flag when invoking clang static analyzer (can be used
    multiple times)

--use-host-cppcheck
    use host's Cppcheck instead of the one in chroot (automatically enables
    the Cppcheck plug-in)

--cppcheck-add-flag CPPCHECK_ADD_FLAG
    append the given flag when invoking cppcheck (can be used multiple times)

--divine-add-flag DIVINE_ADD_FLAG
    append the given flag when invoking divine (can be used multiple times)

--divine-timeout DIVINE_TIMEOUT
    maximal amount of time taken by analysis of a single process [s]

--symbiotic-add-flag SYMBIOTIC_ADD_FLAG
    append the given flag when invoking symbiotic (can be used multiple
    times)

--symbiotic-timeout SYMBIOTIC_TIMEOUT
    maximal amount of time taken by analysis of a single process [s]

--valgrind-add-flag VALGRIND_ADD_FLAG
    append the given flag when invoking valgrind (can be used multiple times)

--valgrind-timeout VALGRIND_TIMEOUT
    maximal amount of time taken by analysis of a single process [s]

--strace-add-flag STRACE_ADD_FLAG
    append the given flag when invoking strace (can be used multiple times)

--gitleaks-bin-url GITLEAKS_BIN_URL
    URL to download gitleaks binary executable (in a .tar.gz) from

--gitleaks-cache-dir GITLEAKS_CACHE_DIR
    directory where downloaded Gitleaks tarballs are cached across runs

--gitleaks-config GITLEAKS_CONFIG
    local configuration file to be used for gitleaks

--gitleaks-refresh
    force download of gitleaks binary executable (in a .tar.gz) from

--infer-analyze-add-flag INFER_ANALYZE_ADD_FLAG
    appends the given flag (except '-o') when invoking 'infer analyze' (can
    be used multiple times) (default flags '--bufferoverrun', '--pulse')

--infer-archive-path INFER_ARCHIVE_PATH
    use the given archive to install Infer (default is
    /opt/infer-linux*.tar.xz)

--infer-filter
    apply false positive filter (enabled by default)

--no-infer-filter
    disables --infer-filter

--infer-biabduction-filter
    apply false positive bi-abduction filter (enabled by default)

--no-infer-biabduction-filter
    disables --infer-biabduction-filter

--infer-inferbo-filter
    apply false positive inferbo filter (enabled by default)

--no-infer-inferbo-filter
    disables --infer-inferbo-filter

--infer-uninit-filter
    apply false positive uninit filter (enabled by default)

--no-infer-uninit-filter
    disables --infer-uninit-filter

--infer-dead-store-severity
    lower dead store severity (enabled by default)

--no-infer-dead-store-severity
    disables --infer-dead-store-severity

--infer-timeout INFER_TIMEOUT
    maximal amount of time taken by Infer's analysis phase [s] (default 300)

--pylint-scan-build
    make pylint scan files in the build directory (disabled by default)

--no-pylint-scan-build
    disables --pylint-scan-build

--pylint-scan-install
    make pylint scan files in the install directory (enabled by default)

--no-pylint-scan-install
    disables --pylint-scan-install

--pylint-evt-filter PYLINT_EVT_FILTER
    filter out Pylint defects whose key event matches the given regex
    (defaults to '^W[0-9]+', use '.*' to get all defects detected by Pylint)

--shellcheck-scan-build
    make shellcheck scan files in the build directory (disabled by default)

--no-shellcheck-scan-build
    disables --shellcheck-scan-build

--shellcheck-scan-install
    make shellcheck scan files in the install directory (enabled by default)

--no-shellcheck-scan-install
    disables --shellcheck-scan-install

--unicontrol-bidi-only
    look for bidirectional control characters only

--unicontrol-notests
    exclude tests (basically test.* as a component of path)

-w GCC_WARNING_LEVEL, --gcc-warning-level GCC_WARNING_LEVEL
    Adjust GCC warning level. -w0 means default flags, -w1 appends -Wall and
    -Wextra, and -w2 enables some other useful warnings. (automatically
    enables the GCC plugin)

--gcc-analyze
    run `gcc -fanalyzer` in a separate process

--gcc-analyzer-bin GCC_ANALYZER_BIN
    Use custom build of gcc to perform scan. Absolute path to the binary
    must be provided.

--gcc-analyze-add-flag GCC_ANALYZE_ADD_FLAG
    append the given flag when invoking `gcc -fanalyzer` (can be used
    multiple times)

--gcc-set-env
    set $CC and $CXX to gcc and g++, respectively, for build

--gcc-sanitize-address
    enable %check and compile with -fsanitize=address

--gcc-sanitize-leak
    enable %check and compile with -fsanitize=leak

--gcc-sanitize-thread
    enable %check and compile with -fsanitize=thread

--gcc-sanitize-undefined
    enable %check and compile with -fsanitize=undefined

--gcc-add-flag GCC_ADD_FLAG
    append the given compiler flag when invoking gcc (can be used multiple
    times)

--gcc-add-c-only-flag GCC_ADD_C_ONLY_FLAG
    append the given compiler flag when invoking gcc for C (can be used
    multiple times)

--gcc-add-cxx-only-flag GCC_ADD_CXX_ONLY_FLAG
    append the given compiler flag when invoking gcc for C++ (can be used
    multiple times)

--gcc-del-flag GCC_DEL_FLAG
    drop the given compiler flag when invoking gcc (can be used multiple
    times)

If not overridden by the --output option, csmock creates an archive
NVR.tar.xz in the current directory for an SRPM named NVR.src.rpm (or
NVR.tar.* if the --shell-cmd option is used). The archive contains a
directory named NVR as the only top-level directory, containing the
following items:

scan-results.err - scan results encoded as plain-text (for source code
editors)

scan-results.html - scan results encoded as HTML (suitable for web browsers)

scan-results.js - scan results, including scan metadata, encoded using JSON

scan-results-summary.txt - total count of defects found by particular
checkers

scan.ini - scan metadata encoded in the INI format

scan.log - scan log file (useful for debugging scan failures)

debug - a directory containing additional data (intended for csmock
debugging)

Note that external plug-ins of csmock may create additional files (not
covered by this man page) in the directory with results.

csmock csmock-3.3.5-1.fc37 December 2022 CSMOCK(1)