bogosec - source-code security quality metric using established static
bogosec [-l] [--log-dir directory ] [--min-sev 0-10 ] [--nhf] [-p
plugin_name [args] ] [--plugin-dir directory ] [--sev-range-max num ]
[--timeout num ] [--temp-log-dir directory ] [-v 0|1 ] [--xp
plugin_name ] [--xv vuln_list ] TARGET
BogoSec attempts to influence developers to produce more secure source-
code over time. Various existing scanners point developers to
potentially insecure sections of code. BogoSec broadens the scope of
source-code scans by utilizing multiple independent scanners and
compiling the results into high level calculated metrics. These
metrics can help developers and users alike to comparatively judge the
security quality of source-code.
-l Turn on scanner output logging. Log will be called
<scanner_name>.log and created in current working directory,
unless --log-dir is used to specify a different location.
Specify a directory for scanner output logs (only makes sense if
-l is also used). Default is current working directory.
Specify a minimum severity level. Any vulnerabilities reported
by the scanners whose score falls below this number will be
ignored. The argument must be a number 0-10. Default is 0.
Do not scan header files. Useful if the scanners being used do
not support scanning header files.
-p, --plugin plugin_name [args]
Specify a plugin to use. If no plugins are defined on the
command line, all of the plugins in the plugins_dir will be
used. This option can be passed more than once, to specify a set
of scanners to use. Each scanner requires a separate instance of
the --plugin flag (please see examples). Optionally, a set of
command line arguments can be passed to the scanner -- this
feature must be used with care. Keep in mind that the plugin
requires a certain formatting of the scanner output (for
example, ’-SQ’ is always passed to flawfinder, and ’-w 3’ is
always passed to rats). You can pass additional command line
arguments using this option, but be aware of the effect it might
have on the formatting of the scanner output, and the effect
that will have on the plugin’s ability to parse it correctly.
If you must change the defaults (’-SQ’, ’-w 3’, etc.) you must
edit the plugin directly.
Specify the directory where the plugins are stored. Default is
Specify the maximum severity value to be used in calculating the
severity value range. The default is 10. For example, setting
--sev-range-max to 50 would mean that the severity results would
now be on a scale of 0-50 instead of on a scale of 0-10. This
can be used to scale the result if more granularity is required.
NOTE: -v 1 will not work if this option is used.
Specify the cpu time limit in seconds. Some scanners might hang,
in order to overcome this problem you may choose to set the
timeout to an appropriate period to kill the scanner process.
For example setting --timeout 60, will kill any remaining
scanner processes after 60 seconds, and return control to the
main bogosec process. This option uses the ulimit command,
please refer to ulimit manpage for additional information.
Specify a directory where you want the temporary files used by
BogoSec to be stored (scanner output logs, etc.) The default is
-v, --verbosity 0|1
Specify verbosity level (default is 0). If 1, then a graph of
the severity points is shown, which breaks the results down by
severity levels. This option does not work if the
--sev-range-max is changed from 10.
--xp, --exclude-plugin plugin_name
Do not run plugin defined by plugin_name.
--xv, --exclude-vuln vuln_list
Exclude the vulnerabilites in the vuln_list from the final
bogosec calculation. vuln_list is a ":" separated list of
bogosec_wrapper provides a method to run bogosec automatically on a
directory containing multiple targets. Please refer to bogosec_wrapper
man page for additional information.
Global configuration file. The settings here are overwritten by
any settings in user’s ~/.bogosecrc file.
Default user configuration file (overrides the settings in
/etc/bogosec.conf). This file is not created during an
installation, you must create it yourself.
Default plugins directory. Can be changed with --plugin-dir
option. Plugins must be executable, and must end in .pm as per
Directory of BogoSec documentation and other germane documents.
FlawFinder : http://www.dwheeler.com/flawfinder
RATS : http://www.securesoftware.com/resources/tools.html
Not all input validated. Not all environmental variables checked.
This program expects to be run by trusted users.
Developed by Dustin Kirkland, Agoston Petz, and Loulwa Salem at the IBM
Linux Technology Center.