
NAME

       bogosec  - source-code security quality metric using established static
       source-code scanners

SYNOPSIS

       bogosec [-l] [--log-dir directory] [--min-sev 0-10] [--nhf]
               [-p plugin_name [args]] [--plugin-dir directory]
               [--sev-range-max num] [--timeout num] [--temp-log-dir directory]
               [-v 0|1] [--xp plugin_name] [--xv vuln_list] TARGET

DESCRIPTION

       BogoSec attempts to influence developers to produce more secure source-
       code  over  time.  Various  existing  scanners  point   developers   to
       potentially  insecure  sections  of code. BogoSec broadens the scope of
       source-code  scans  by  utilizing  multiple  independent  scanners  and
       compiling  the  results  into  high  level  calculated  metrics.  These
       metrics can help developers and users alike to comparatively judge  the
       security quality of source-code.

OPTIONS

       -l     Turn   on   scanner   output   logging.   Log   will  be  called
              <scanner_name>.log and created  in  current  working  directory,
              unless --log-dir is used to specify a different location.

       --log-dir directory
              Specify a directory for scanner output logs (only makes sense if
              -l is also used).  Default is current working directory.

       --min-sev minimum_severity_level
              Specify a minimum severity level. Any  vulnerabilities  reported
              by  the  scanners  whose  score  falls below this number will be
              ignored.  The argument must be a number 0-10.  Default is 0.

       --nhf, --no-header-files
              Do not scan header files.  Useful if the scanners being used  do
              not support scanning header files.

       -p, --plugin plugin_name [args]
              Specify a plugin to use.  If no plugins are given on the command
              line, all of the plugins in the plugin directory will  be  used.
              This  option can be passed more than once to select a set of
              scanners; each scanner requires a separate instance of  the
              --plugin  flag  (please see examples).  Optionally, a set of
              command line arguments can be passed to the scanner.  This
              feature must be used with care: each plugin relies on a
              particular format of the scanner output (for example, ’-SQ’ is
              always passed to flawfinder, and ’-w 3’ is always passed to
              rats).  Additional arguments passed with this option may change
              the format of the scanner output and so break the plugin’s
              ability to parse it.  If you must change the defaults (’-SQ’,
              ’-w 3’, etc.) you must edit the plugin directly.

       --plugin-dir directory
              Specify  the directory where the plugins are stored.  Default is
              /usr/lib/bogosec/plugins.

       --sev-range-max number
              Specify the maximum severity value to be used in calculating the
              severity  value range.  The default is 10.  For example, setting
              --sev-range-max to 50 would mean that the severity results would
              now  be  on a scale of 0-50 instead of on a scale of 0-10.  This
              can be used to scale the result if more granularity is required.
              NOTE: -v 1 will not work if this option is used.

       --timeout number
              Specify the CPU time limit in seconds.  Some scanners might
              hang; to overcome this you may set the timeout to an
              appropriate period after which the scanner process is killed.
              For example, --timeout 60 kills any remaining scanner
              processes after 60 seconds of CPU time and returns control to
              the main bogosec process.  This option uses the ulimit
              command; please refer to the ulimit manpage for additional
              information.

       --temp-log-dir directory
              Specify  a  directory where you want the temporary files used by
              BogoSec to be stored (scanner output logs, etc.)  The default is
              /tmp/.

       -v, --verbosity 0|1
              Specify  verbosity  level (default is 0).  If 1, then a graph of
              the severity points is shown, which breaks the results  down  by
              severity   levels.   This   option   does   not   work   if  the
              --sev-range-max is changed from 10.

       --xp, --exclude-plugin plugin_name
              Do not run plugin defined by plugin_name.

       --xv, --exclude-vuln vuln_list
              Exclude the vulnerabilities in vuln_list from the final bogosec
              calculation.  vuln_list is a ":" separated list of
              vulnerability identifiers.
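       The following script is an added illustration of how the --min-sev,
       --xv, --sev-range-max and -v 1 options above combine; it is not
       BogoSec's own plugin code, and the page does not give BogoSec's metric
       formula, so no overall score is computed.  The sample lines are
       constructed in the shape of flawfinder's single-line (-S) output
       (file:line:  [level] (category) name: text), which is an assumption
       about that format rather than output taken from this page.

```python
import re
from collections import Counter

# Constructed sample lines shaped like flawfinder -S output (assumption).
SAMPLE_FLAWFINDER_OUTPUT = """\
Flawfinder version 1.31, (C) 2001-2014 David A. Wheeler.
src/net.c:42:  [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination (CWE-120).
src/net.c:57:  [2] (buffer) char: Statically-sized arrays can be improperly restricted (CWE-119).
src/util.c:10:  [5] (shell) system: This causes a new program to execute and is difficult to use safely (CWE-78).
src/util.c:88:  [1] (buffer) strlen: Does not handle strings that are not NUL-terminated.
"""

# One finding per line: file, line number, [severity 0-5], (category), function name.
FINDING_RE = re.compile(
    r"^(?P<file>[^:]+):(?P<line>\d+):\s+\[(?P<sev>\d+)\]\s+\((?P<cat>\w+)\)\s+(?P<vuln>\w+):"
)


def parse_flawfinder(output):
    """Turn scanner output into a list of finding dicts; non-finding lines are skipped."""
    findings = []
    for raw in output.splitlines():
        m = FINDING_RE.match(raw)
        if not m:
            continue  # banner, summary and blank lines carry no finding
        findings.append({
            "file": m.group("file"),
            "line": int(m.group("line")),
            "severity": int(m.group("sev")),
            "category": m.group("cat"),
            "vuln": m.group("vuln"),
        })
    return findings


def parse_exclude_list(vuln_list):
    """--xv takes a ':'-separated list of vulnerability identifiers."""
    return {v for v in vuln_list.split(":") if v}


def apply_options(findings, min_sev=0, exclude="", sev_range_max=10):
    """Apply --min-sev, --xv and --sev-range-max to parsed findings.

    Severities below min_sev are dropped, excluded identifiers are dropped,
    and the remaining severities are rescaled from the 0-10 range to
    0-sev_range_max (linear rescaling is an assumption of this example).
    """
    excluded = parse_exclude_list(exclude)
    kept = [f for f in findings
            if f["severity"] >= min_sev and f["vuln"] not in excluded]
    return [dict(f, severity=f["severity"] * sev_range_max / 10) for f in kept]


def severity_breakdown(findings):
    """Count findings per severity level, as the -v 1 graph breaks them down."""
    return dict(Counter(f["severity"] for f in findings))


def render_breakdown(findings, width=20):
    """Render the per-level counts as a simple text bar graph (illustrative)."""
    counts = severity_breakdown(findings)
    lines = []
    for level in sorted(counts):
        bar = "#" * min(counts[level], width)
        lines.append(f"severity {level:>4}: {bar} ({counts[level]})")
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_flawfinder(SAMPLE_FLAWFINDER_OUTPUT)
    print("all findings:")
    print(render_breakdown(found))
    # Equivalent of: bogosec --min-sev 2 --xv system:strlen --sev-range-max 50 TARGET
    filtered = apply_options(found, min_sev=2, exclude="system:strlen", sev_range_max=50)
    print("\nafter --min-sev 2 --xv system:strlen --sev-range-max 50:")
    print(render_breakdown(filtered))
```

       Note that --min-sev is applied on the scanner's own 0-10 scale before
       any rescaling, which is why the manpage says -v 1 and a changed
       --sev-range-max do not combine: the breakdown by level only lines up
       with the scanner's levels on the default scale.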

TOOLS

       bogosec_wrapper provides a method to run  bogosec  automatically  on  a
       directory  containing multiple targets. Please refer to bogosec_wrapper
       man page for additional information.

FILES

       /etc/bogosec.conf
              Global configuration file.  The settings here are overridden by
              any settings in the user’s ~/.bogosecrc file.
       ~/.bogosecrc
              Default  user  configuration  file  (overrides  the  settings in
              /etc/bogosec.conf).   This  file  is  not  created   during   an
              installation, you must create it yourself.
       /usr/lib/bogosec/plugins/
              Default  plugins  directory.   Can  be changed with --plugin-dir
              option.  Plugins must be executable, and must end in .pm as  per
              convention.
       /usr/lib/bogosec/documents/
              Directory  of BogoSec documentation and other germane documents.

SCANNERS

       FlawFinder : http://www.dwheeler.com/flawfinder

       RATS       : http://www.securesoftware.com/resources/tools.html

BUGS

       Not all input is validated.  Not all environment variables are checked.
       This program expects to be run by trusted users.

AUTHORS

       Developed by Dustin Kirkland, Agoston Petz, and Loulwa Salem at the IBM
       Linux Technology Center.

       http://sourceforge.net/projects/bogosec/