1CSMOCK(1) User Commands CSMOCK(1)
2
6 csmock - run static analysis of the given SRPM using mock
7
9 usage: csmock [-h] [-r MOCK_PROFILE] [-t TOOLS] [-a] [-l] [--install
10 INSTALL]
11 [-o OUTPUT] [-f] [-j JOBS] [--rpm-build-opts RPM_BUILD_OPTS]
13 [--cswrap-timeout CSWRAP_TIMEOUT] [-U EMBED_CONTEXT] [--warn‐
14 ing-rate-limit WARNING_RATE_LIMIT] [--limit-msg-len
15 LIMIT_MSG_LEN] [-k] [--skip-init] [--skip-build] [--use-ldpwrap]
16 [--no-clean] [--no-scan] [--run-check] [--no-run-check]
17 [--print-defects] [--no-print-defects] [--base-srpm BASE_SRPM]
18 [--base-root BASE_MOCK_PROFILE] [--root-override MOCK_ROOT_OVER‐
19 RIDE] [--skip-patches | --diff-patches | -c SHELL_CMD]
20 [--known-false-positives KNOWN_FALSE_POSITIVES] [--use-lo‐
21 gin-shell] [--no-use-login-shell] [--version] [--ban‐
22 dit-scan-build] [--no-bandit-scan-build] [--bandit-scan-install]
23 [--no-bandit-scan-install] [--bandit-evt-filter BANDIT_EVT_FIL‐
24 TER] [--bandit-severity-filter {LOW,MEDIUM,HIGH}]
25 [--cbmc-add-flag CBMC_ADD_FLAG] [--cbmc-timeout CBMC_TIMEOUT]
26 [--clang-add-flag CLANG_ADD_FLAG] [--use-host-cppcheck] [--cp‐
27 pcheck-add-flag CPPCHECK_ADD_FLAG] [--divine-add-flag DI‐
28 VINE_ADD_FLAG] [--divine-timeout DIVINE_TIMEOUT] [--val‐
29 grind-add-flag VALGRIND_ADD_FLAG] [--valgrind-timeout VAL‐
30 GRIND_TIMEOUT] [--strace-add-flag STRACE_ADD_FLAG] [--symbi‐
31 otic-add-flag SYMBIOTIC_ADD_FLAG] [--symbiotic-timeout SYMBI‐
32 OTIC_TIMEOUT] [--gitleaks-bin-url GITLEAKS_BIN_URL]
33 [--gitleaks-cache-dir GITLEAKS_CACHE_DIR] [--gitleaks-config
34 GITLEAKS_CONFIG] [--gitleaks-rate-limit GITLEAKS_RATE_LIMIT]
35 [--gitleaks-limit-msg-len GITLEAKS_LIMIT_MSG_LEN]
36 [--gitleaks-refresh] [--infer-analyze-add-flag INFER_ANA‐
37 LYZE_ADD_FLAG] [--infer-archive-path INFER_ARCHIVE_PATH] [--in‐
38 fer-filter] [--no-infer-filter] [--infer-biabduction-filter]
39 [--no-infer-biabduction-filter] [--infer-inferbo-filter]
40 [--no-infer-inferbo-filter] [--infer-uninit-filter] [--no-in‐
41 fer-uninit-filter] [--infer-dead-store-severity] [--no-in‐
42 fer-dead-store-severity] [--infer-timeout INFER_TIMEOUT]
43 [--pylint-scan-build] [--no-pylint-scan-build]
44 [--pylint-scan-install] [--no-pylint-scan-install]
45 [--pylint-evt-filter PYLINT_EVT_FILTER]
46 [--shellcheck-scan-build] [--no-shellcheck-scan-build]
47 [--shellcheck-scan-install] [--no-shellcheck-scan-install]
48 [--snyk-bin-url SNYK_BIN_URL] [--snyk-auth SNYK_AUTH]
49 [--snyk-cache-dir SNYK_CACHE_DIR] [--snyk-refresh] [--snyk-time‐
50 out SNYK_TIMEOUT] [--unicontrol-bidi-only] [--unicon‐
51 trol-notests] [-w GCC_WARNING_LEVEL] [--gcc-analyze] [--gcc-ana‐
52 lyzer-bin GCC_ANALYZER_BIN] [--gcc-analyze-add-flag GCC_ANA‐
53 LYZE_ADD_FLAG] [--gcc-set-env] [--gcc-sanitize-address |
54 --gcc-sanitize-leak | --gcc-sanitize-thread | --gcc-sanitize-un‐
55 defined] [--gcc-add-flag GCC_ADD_FLAG] [--gcc-add-c-only-flag
56 GCC_ADD_C_ONLY_FLAG] [--gcc-add-cxx-only-flag
57 GCC_ADD_CXX_ONLY_FLAG] [--gcc-del-flag GCC_DEL_FLAG] [SRPM]
58 positional arguments:
60 SRPM source RPM package to be scanned by static analyzers
61 options:
63 -h, --help
64 show this help message and exit
65 -r MOCK_PROFILE, --root MOCK_PROFILE
67 mock profile to use (defaults to mock's default)
68 -t TOOLS, --tools TOOLS
70 comma-separated list of tools to enable (use --listavail‐
71 able-tools to see the list of available tools)
72 -a, --all-tools
74 enable all stable csmock plug-ins (use --listavailable-tools to
75 see the list of available tools)
76 -l, --list-available-tools
78 list available tools and exit
79 --install INSTALL
81 space-separated list of packages to install into the chroot
82 -o OUTPUT, --output OUTPUT
84 name of the tarball or directory to put the results to
85 -f, --force
87 overwrite the resulting file or directory if it exists already
88 -j JOBS, --jobs JOBS
90 maximal number of jobs running in parallel (passed to 'make')
91 --rpm-build-opts RPM_BUILD_OPTS
93 shell-quoted options passed to rpm-build
94 --cswrap-timeout CSWRAP_TIMEOUT
96 maximal amount of time taken by analysis of a single module [s]
97 -U EMBED_CONTEXT, --embed-context EMBED_CONTEXT
99 embed a number of lines of context from the source file for the
100 key event (defaults to 3).
101 --warning-rate-limit WARNING_RATE_LIMIT
103 stop processing a warning if the count of its occurrences ex‐
104 ceeds the specified limit (defaults to 1024).
105 --limit-msg-len LIMIT_MSG_LEN
107 limit length of diagnostic messages by the specified number of
108 chars (defaults to 512).
109 -k, --keep-going
111 continue as much as possible after an error
112 --skip-init
114 do not run 'mock --init' before the scan (may lead to unpre‐
115 dictable scan results)
116 --skip-build
118 do not run %build and %install sections [EXPERIMENTAL]
119 --use-ldpwrap
121 use ldpwrap instead of csexec-loader [EXPERIMENTAL]
122 --no-clean
124 do not clean chroot when it becomes unused
125 --no-scan
127 do not analyze any package, just check versions of the analyzers
128 --run-check
130 run the %check section of specfile (disabled by default)
131 --no-run-check
133 disables --run-check
134 --print-defects
136 print the resulting list of defects (default if connected to a
137 tty)
138 --no-print-defects
140 disables --print-defects
141 --base-srpm BASE_SRPM
143 perform a differential scan against the specified base package
144 --base-root BASE_MOCK_PROFILE
146 mock profile to use for the base scan (use only with
147 --base-srpm)
148 --root-override MOCK_ROOT_OVERRIDE
150 override the build root directory for mock (disables yum and
151 root cache)
152 --skip-patches
154 skip patches not annotated by %{?_rawbuild} (vanilla build)
155 --diff-patches
157 scan with/without patches and diff the lists of defects
158 -c SHELL_CMD, --shell-cmd SHELL_CMD
160 use shell command to build the given tarball (instead of SRPM)
161 --known-false-positives KNOWN_FALSE_POSITIVES
163 suppress known false positives loaded from the given file (de‐
164 faults to "/usr/share/csmock/known-falsepositives.js" if avail‐
165 able)
166 --use-login-shell
168 use login shell for build (default)
169 --no-use-login-shell
171 disables --use-login-shell
172 --version
174 print the version of csmock and exit
175 --bandit-scan-build
177 make bandit scan files in the build directory (disabled by de‐
178 fault)
179 --no-bandit-scan-build
181 disables --bandit-scan-build
182 --bandit-scan-install
184 make bandit scan files in the install directory (enabled by de‐
185 fault)
186 --no-bandit-scan-install
188 disables --bandit-scan-install
189 --bandit-evt-filter BANDIT_EVT_FILTER
191 report only Bandit defects whose key event matches the given
192 regex (defaults to '^B[0-9]+')
193 --bandit-severity-filter {LOW,MEDIUM,HIGH}
195 suppress Bandit defects whose severity level is below given
196 level (default 'LOW')
197 --cbmc-add-flag CBMC_ADD_FLAG
199 append the given flag when invoking cbmc (can be used multiple
200 times)
201 --cbmc-timeout CBMC_TIMEOUT
203 maximal amount of time taken by analysis of a single process [s]
204 --clang-add-flag CLANG_ADD_FLAG
206 append the given flag when invoking clang static analyzer (can
207 be used multiple times)
208 --use-host-cppcheck
210 use host's Cppcheck instead of the one in chroot (automatically
211 enables the Cppcheck plug-in)
212 --cppcheck-add-flag CPPCHECK_ADD_FLAG
214 append the given flag when invoking cppcheck (can be used multi‐
215 ple times)
216 --divine-add-flag DIVINE_ADD_FLAG
218 append the given flag when invoking divine (can be used multiple
219 times)
220 --divine-timeout DIVINE_TIMEOUT
222 maximal amount of time taken by analysis of a single process [s]
223 --valgrind-add-flag VALGRIND_ADD_FLAG
225 append the given flag when invoking valgrind (can be used multi‐
226 ple times)
227 --valgrind-timeout VALGRIND_TIMEOUT
229 maximal amount of time taken by analysis of a single process [s]
230 --strace-add-flag STRACE_ADD_FLAG
232 append the given flag when invoking strace (can be used multiple
233 times)
234 --symbiotic-add-flag SYMBIOTIC_ADD_FLAG
236 append the given flag when invoking symbiotic (can be used mul‐
237 tiple times)
238 --symbiotic-timeout SYMBIOTIC_TIMEOUT
240 maximal amount of time taken by analysis of a single process [s]
241 --gitleaks-bin-url GITLEAKS_BIN_URL
243 URL to download gitleaks binary executable (in a .tar.gz) from
244 --gitleaks-cache-dir GITLEAKS_CACHE_DIR
246 directory where downloaded Gitleaks tarballs are cached across
247 runs
248 --gitleaks-config GITLEAKS_CONFIG
250 local configuration file to be used for gitleaks
251 --gitleaks-rate-limit GITLEAKS_RATE_LIMIT
253 drop warnings if their count exceeds the specified limit
254 --gitleaks-limit-msg-len GITLEAKS_LIMIT_MSG_LEN
256 trim message if it exceeds max message length
257 --gitleaks-refresh
259 force download of gitleaks binary executable (in a .tar.gz) from
260 --infer-analyze-add-flag INFER_ANALYZE_ADD_FLAG
262 appends the given flag (except '-o') when invoking 'infer ana‐
263 lyze' (can be used multiple times)(default flags '--bufferover‐
264 run', '--pulse')
265 --infer-archive-path INFER_ARCHIVE_PATH
267 use the given archive to install Infer (default is /opt/in‐
268 fer-linux*.tar.xz)
269 --infer-filter
271 apply false positive filter (enabled by default)
272 --no-infer-filter
274 disables --infer-filter
275 --infer-biabduction-filter
277 apply false positive bi-abduction filter (enabled by default)
278 --no-infer-biabduction-filter
280 disables --infer-biabduction-filter
281 --infer-inferbo-filter
283 apply false positive inferbo filter (enabled by default)
284 --no-infer-inferbo-filter
286 disables --infer-inferbo-filter
287 --infer-uninit-filter
289 apply false positive uninit filter (enabled by default)
290 --no-infer-uninit-filter
292 disables --infer-uninit-filter
293 --infer-dead-store-severity
295 lower dead store severity (enabled by default)
296 --no-infer-dead-store-severity
298 disables --infer-dead-store-severity
299 --infer-timeout INFER_TIMEOUT
301 maximal amount of time taken by Infer's analysis phase [s] (de‐
302 fault 300)
303 --pylint-scan-build
305 make pylint scan files in the build directory (disabled by de‐
306 fault)
307 --no-pylint-scan-build
309 disables --pylint-scan-build
310 --pylint-scan-install
312 make pylint scan files in the install directory (enabled by de‐
313 fault)
314 --no-pylint-scan-install
316 disables --pylint-scan-install
317 --pylint-evt-filter PYLINT_EVT_FILTER
319 filter out Pylint defects whose key event matches the given
320 regex (defaults to '^W[0-9]+', use '.*' to get all defects de‐
321 tected by Pylint)
322 --shellcheck-scan-build
324 make shellcheck scan files in the build directory (disabled by
325 default)
326 --no-shellcheck-scan-build
328 disables --shellcheck-scan-build
329 --shellcheck-scan-install
331 make shellcheck scan files in the install directory (enabled by
332 default)
333 --no-shellcheck-scan-install
335 disables --shellcheck-scan-install
336 --snyk-bin-url SNYK_BIN_URL
338 URL to download snyk binary executable
339 --snyk-auth SNYK_AUTH
341 file containing snyk authentication token
342 --snyk-cache-dir SNYK_CACHE_DIR
344 directory where downloaded snyk tarballs are cached across runs
345 --snyk-refresh
347 force download of snyk binary executable
348 --snyk-timeout SNYK_TIMEOUT
350 maximum amount of time taken by invocation of Snyk [s]
351 --unicontrol-bidi-only
353 look for bidirectional control characters only
354 --unicontrol-notests
356 exclude tests (basically test.* as a component of path)
357 -w GCC_WARNING_LEVEL, --gcc-warning-level GCC_WARNING_LEVEL
359 Adjust GCC warning level. -w0 means default flags, -w1 appends
360 -Wall and -Wextra, and -w2 enables some other useful warnings.
361 (automatically enables the GCC plugin)
362 --gcc-analyze
364 run `gcc -fanalyzer` in a separate process
365 --gcc-analyzer-bin GCC_ANALYZER_BIN
367 Use custom build of gcc to perform scan. Absolute path to the
368 binary must be provided.
369 --gcc-analyze-add-flag GCC_ANALYZE_ADD_FLAG
371 append the given flag when invoking `gcc -fanalyzer` (can be
372 used multiple times)
373 --gcc-set-env
375 set $CC and $CXX to gcc and g++, respectively, for build
376 --gcc-sanitize-address
378 enable %check and compile with -fsanitize=address
379 --gcc-sanitize-leak
381 enable %check and compile with -fsanitize=leak
382 --gcc-sanitize-thread
384 enable %check and compile with -fsanitize=thread
385 --gcc-sanitize-undefined
387 enable %check and compile with -fsanitize=undefined
388 --gcc-add-flag GCC_ADD_FLAG
390 append the given compiler flag when invoking gcc (can be used
391 multiple times)
392 --gcc-add-c-only-flag GCC_ADD_C_ONLY_FLAG
394 append the given compiler flag when invoking gcc for C (can be
395 used multiple times)
396 --gcc-add-cxx-only-flag GCC_ADD_CXX_ONLY_FLAG
398 append the given compiler flag when invoking gcc for C++ (can be
399 used multiple times)
400 --gcc-del-flag GCC_DEL_FLAG
402 drop the given compiler flag when invoking gcc (can be used mul‐
403 tiple times)
404
406 If not overridden by the --output option, csmock creates an archive
407 NVR.tar.xz in the current directory for an SRPM named NVR.src.rpm (or
408 NVR.tar.* if the --shell-cmd option is used). The archive contains a
409 directory named NVR as the only top-level directory, containing the
410 following items:
411 scan-results.err - scan results encoded as plain-text (for source code
413 editors)
414 scan-results.html - scan results encoded as HTML (suitable for web
416 browsers)
417 scan-results.js - scan results, including scan metadata, encoded using
419 JSON
420 scan-results-summary.txt - total count of defects found by particular
422 checkers
423 scan.ini - scan metadata encoded in the INI format
425 scan.log - scan log file (useful for debugging scan failures)
427 debug - a directory containing additional data (intended for csmock de‐
429 bugging)
430 Note that external plug-ins of csmock may create additional files (not
432 covered by this man page) in the directory with results.
433csmock csmock-3.5.0-1.fc38 October 2023 CSMOCK(1)