BogoSec : Source Code Security Quality Metric

BOGOSEC(1)                   BogoSec User Manual                   BOGOSEC(1)

       bogosec - source-code security quality metric using established static
       source-code scanners

       bogosec [-l] [--log-directory] [--min-sev 0-10] [--nhf] [-p plugin_name 
       [args]]  [--plugin-dir directory] [--sev-range-max num] [--timeout num] 
       [--temp-log-direcotry direcotry]  [-v 0|1]  [--xp plugin_name] TARGET

       BogoSec  attempts  to  influence  developers  to  produce  more secure
       source-code over time. Various existing scanners point  developers  to
       potentially  insecure  sections of code. BogoSec broadens the scope of
       source-code scans by utilizing multiple independent scanners and  com-
       piling  the results into high level calculated metrics.  These metrics
       can help developers and users alike to comparatively judge  the  secu-
       rity quality of source-code.

       -l     Turn  on  scanner  output  logging.  Log  will be called .log 
              and created in current working directory,  unless --log-dir is 
              used to specify a different location.

       --log-dir direcotry
              Specify  a  directory for scanner output logs (only makes sense
              if -l is also used).  Default is current working directory.

       --min-sev minimum_security_level
              Specify a minimum severity level. Any vulnerabilities  reported
              by  the  scanners  whose  score falls below this number will be
              ignored.  The argument must be a number 0-10.  Default is 0.

       --nhf, --no-header-files
              Do not scan header files.  Useful if the scanners being used do
              not support scanning header files.

       -p, --plugin plugin_name [args]
              Specify  a plugin to use. If no plugins are defined on the com-
              mand-line, all of the plugins in the plugins_dir will be  used.
              This  option  can be passed more than once, to specify a set of
              scanners to use. Each scanner requires a separate  instance  of
              the  --plugin  flag (please see examples). Optionally, a set of
              command-line arguments can be passed to the scanner - this fea-
              ture  must  be  used  with  care.  Keep in mind that the plugin
              requires a certain formatting of the scanner output (for  exam-
              ple, '-SQ' is always passed to flawfinder, and '-w 3' is always
              passed to rats).  You can pass  additional  command-line  argu-
              ments  using  this  option, but be aware of the effect it might
              have on the formatting of the scanner output,  and  the  effect
              that  will  have on the plugin’s ability ('-SQ', '-w 3', etc.) 
              you  must edit the plugin directly.

       --plugin-dir direcotry
              Specify the directory where the plugins are stored.  Default is

       --sev-range-max number
              Specify the maximum severity value to be  used  in  calculating
              the  severity  value  range.   The default is 10.  For example,
              setting --sev-range-max to 50  would  mean  that  the  severity
              results  would  now be on a scale of 0-50 instead of on a scale
              of 0-10.  This can be used to scale the result if  more  granu-
              larity  is required. NOTE: -v 1 will not work if this option is

       --timeout number
              Specify the cpu time limit  in  seconds.  Some  scanners  might
              hang,  in  order to overcome this problem you may choose to set
              the timeout to an appropriate period to kill the  scanner  pro-
              cess. For example setting --timeout 60, will kill any remaining
              scanner processes after 60 seconds, and return control  to  the
              main  bogosec  process.  This  option  uses the ulimit command,
              please refer to ulimit manpage for additional information.

       --temp-log-dir directory
              Specify a directory where you want the temporary files used  by
              BogoSec  to  be stored (scanner output logs, etc.)  The default
              is /tmp/.

       -v, --verbosity 0|1
              Specify verbosity level (default is 0).  If 1, then a graph  of
              the  severity points is shown, which breaks the results down by
              severity levels. This option does not work if the  --sev-range-
              max is changed from 10.

       --xp, --exclude-plugin plugin_name
              Do not run plugin defined by plugin_name.

       bogosec_wrapper  provides  a  method to run bogosec automatically on a
       directory containing multiple targets. Please refer to bogosec_wrapper
       man page for additional information.

              Global configuration file. The settings here are overwritten by
              any settings in user  ~/.bogosecrc file.
              Default user configuration  file  (overrides  the  settings  in
              /etc/bogosec.conf).  This file is not created during an instal-
              lation, you must create it yourself.
              Default plugins directory.  Can be  changed  with  --plugin-dir
              option.  Plugins must be executable, and must end in .pm as per
              Directory of BogoSec documentation and other germane documents.

       FlawFinder :

       ITS4       :

       RATS       :

       Not  all  input  validated.   Not all environmental variables checked.
       This program expects to be run by trusted users.

       Developed by Dustin Kirkland, Agoston Petz, and Loulwa  Salem  at  the
       IBM Linux Technology Center.

Linux                            Jan 25 2005                       BOGOSEC(1)