BogoSec : Source Code Security Quality Metric
BOGOSEC(1)                    BogoSec User Manual                   BOGOSEC(1)

NAME
       bogosec - source-code security quality metric using established static

SYNOPSIS
       bogosec [-l] [--log-directory directory] [--min-sev 0-10] [--nhf]
               [-p plugin_name [args]] [--plugin-dir directory]
               [--sev-range-max num] [--timeout num]
               [--temp-log-directory directory] [-v 0|1] [--xp plugin_name]
               TARGET
DESCRIPTION
       BogoSec attempts to influence developers to produce more secure
       source code over time. Various existing scanners point developers to
       potentially insecure sections of code. BogoSec broadens the scope of
       source-code scans by running multiple independent scanners and
       compiling their results into high-level calculated metrics. These
       metrics help developers and users alike to comparatively judge the
       security quality of source code.
OPTIONS
       -l     Turn on scanner output logging. The log will be called .log
              and created in the current working directory, unless
              --log-directory is used to specify a different location.

       --log-directory directory
              Specify a directory for scanner output logs (only meaningful
              if -l is also used). Default is the current working directory.

       --min-sev 0-10
              Specify a minimum severity level. Any vulnerability reported
              by the scanners whose score falls below this number is
              ignored. The argument must be a number from 0 to 10. Default
              is 0.

       --nhf  Do not scan header files. Useful if the scanners being used do
              not support scanning header files.
       -p, --plugin plugin_name [args]
              Specify a plugin to use. If no plugins are given on the
              command line, all of the plugins in the plugin directory are
              used. This option can be passed more than once to select a
              set of scanners; each scanner requires its own --plugin flag
              (see the examples). Optionally, a set of command-line
              arguments can be passed through to the scanner. This feature
              must be used with care: each plugin expects a particular
              formatting of its scanner's output (for example, '-SQ' is
              always passed to flawfinder, and '-w 3' is always passed to
              rats). You can pass additional command-line arguments with
              this option, but be aware of the effect they might have on
              the formatting of the scanner output, and therefore on the
              plugin's ability to parse it. To change the default arguments
              ('-SQ', '-w 3', etc.) you must edit the plugin directly.
       --plugin-dir directory
              Specify the directory where the plugins are stored. Default is

       --sev-range-max num
              Specify the maximum severity value to be used in calculating
              the severity value range. The default is 10. For example,
              setting --sev-range-max to 50 means that the severity results
              are reported on a scale of 0-50 instead of 0-10. This can be
              used to scale the result if more granularity is required.
              NOTE: -v 1 will not work if this option is changed from its
              default of 10.

       --timeout num
              Specify the CPU time limit in seconds. Some scanners might
              hang; to overcome this, set the timeout to an appropriate
              period after which the scanner process is killed. For
              example, --timeout 60 kills any remaining scanner process
              after 60 CPU seconds and returns control to the main bogosec
              process. This option uses the ulimit command; refer to the
              ulimit man page for additional information.

       --temp-log-directory directory
              Specify a directory where the temporary files used by BogoSec
              (scanner output logs, etc.) are stored. The default

       -v, --verbosity 0|1
              Specify the verbosity level (default is 0). If 1, a graph of
              the severity points is shown, which breaks the results down
              by severity level. This option does not work if
              --sev-range-max is changed from 10.

       --xp, --exclude-plugin plugin_name
              Do not run the plugin named plugin_name.
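The --min-sev filter, the --sev-range-max rescaling and the per-level breakdown that -v 1 graphs, applied to constructed scanner output. This is an added example, not BogoSec's own code or any of its plugins. It assumes flawfinder's single-line (-S) hit format, `file:line:  [level] (category) name: text`; the sample lines are constructed, and the linear rescaling is an assumption, since the man page states only that the scale changes.

```python
"""Added example (not BogoSec code): --min-sev filtering and --sev-range-max
scaling over constructed flawfinder-style output."""
import re
from collections import Counter

# Constructed sample in flawfinder -SQ style; not real scan results.
SAMPLE_OUTPUT = """\
src/net.c:42:  [4] (buffer) strcpy: Does not check for buffer overflows.
src/net.c:57:  [2] (buffer) char: Statically-sized arrays can be misused.
src/util.c:10:  [1] (buffer) strlen: Does not handle unterminated strings.
src/main.c:88:  [5] (shell) system: This causes a new program to execute.
"""

# One hit per line: file, line number, bracketed severity, category, name.
HIT_RE = re.compile(
    r"^(?P<file>[^:]+):(?P<line>\d+):\s+\[(?P<level>\d+)\]\s+"
    r"\((?P<cat>\w+)\)\s+(?P<name>\w+):"
)


def parse_hits(text):
    """Return (file, line, severity, category, name) tuples for every hit line."""
    hits = []
    for raw in text.splitlines():
        m = HIT_RE.match(raw)
        if m:
            hits.append((m["file"], int(m["line"]), int(m["level"]),
                         m["cat"], m["name"]))
    return hits


def filter_min_sev(hits, min_sev=0):
    """Drop hits whose severity is below --min-sev (0-10, default 0 keeps all)."""
    if not 0 <= min_sev <= 10:
        raise ValueError("--min-sev must be a number 0-10")
    return [h for h in hits if h[2] >= min_sev]


def scale_severity(sev, sev_range_max=10):
    """Map a 0-10 severity onto 0-sev_range_max.
    Assumption: linear scaling; the man page does not give the formula."""
    return sev * sev_range_max / 10


def severity_histogram(hits):
    """Count hits per severity level, the breakdown that -v 1 graphs.
    Like -v 1 itself, this is only defined on the default 0-10 scale."""
    return Counter(h[2] for h in hits)


def main():
    hits = filter_min_sev(parse_hits(SAMPLE_OUTPUT), min_sev=2)
    for f, ln, sev, cat, name in hits:
        print(f"{f}:{ln} {name} ({cat}) severity {sev}"
              f" -> {scale_severity(sev, 50):g}/50")
    print("per-level counts:", dict(severity_histogram(hits)))


if __name__ == "__main__":
    main()
```

Run it as a script to see the filtered hits rescaled to a 0-50 range, as `--sev-range-max 50` would report them; the histogram is computed on the unscaled severities because, as the man page notes for -v 1, the per-level breakdown only makes sense on the default scale.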
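The --timeout mechanism, a CPU-time limit of the kind `ulimit -t` sets, applied to a scanner subprocess so that a hung scanner is killed and control returns to the caller. This is an added example, not BogoSec's own code; the two "scanners" are constructed stand-ins (a Python one-liner that prints a hit line and one that spins forever), and the wall-clock safety net is an addition beyond what the man page describes.

```python
"""Added example (not BogoSec code): run a scanner under a CPU-time limit,
as the --timeout option describes."""
import resource
import signal
import subprocess
import sys


def run_with_cpu_limit(cmd, cpu_seconds):
    """Run cmd with a soft RLIMIT_CPU in the child (what `ulimit -t` sets).
    Returns (returncode, stdout). A child that exceeds the limit is killed
    by SIGXCPU, so its returncode is negative."""
    def limit():
        # Keep the existing hard limit; only lower the soft limit.
        _soft, hard = resource.getrlimit(resource.RLIMIT_CPU)
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, hard))

    try:
        proc = subprocess.run(
            cmd, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
            preexec_fn=limit, text=True,
            # Wall-clock backstop (an addition to the man page's behaviour)
            # in case the child sleeps instead of burning CPU.
            timeout=cpu_seconds * 3 + 5,
        )
    except subprocess.TimeoutExpired:
        return -signal.SIGKILL, ""
    return proc.returncode, proc.stdout


def timed_out(returncode):
    """True when the scanner was killed for exceeding its limit."""
    return returncode in (-signal.SIGXCPU, -signal.SIGKILL)


def scan_or_skip(cmd, cpu_seconds):
    """Return the scanner's output, or None if it hit the limit and was
    dropped from the run, leaving the remaining scanners to proceed."""
    rc, out = run_with_cpu_limit(cmd, cpu_seconds)
    return None if timed_out(rc) else out


# Constructed stand-ins for a well-behaved scanner and a hung one.
GOOD_SCANNER = [sys.executable, "-c",
                "print('file.c:1:  [3] (buffer) strcpy: demo hit')"]
HUNG_SCANNER = [sys.executable, "-c", "while True: pass"]


if __name__ == "__main__":
    print("good scanner:", scan_or_skip(GOOD_SCANNER, 5))
    print("hung scanner:", scan_or_skip(HUNG_SCANNER, 1))
```

The limit is set in the child between fork and exec, so it applies only to the scanner and not to the orchestrating process, which is why bogosec regains control after the scanner dies.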
       bogosec_wrapper provides a way to run bogosec automatically on a
       directory containing multiple targets. Refer to the bogosec_wrapper
       man page for additional information.
FILES
       /etc/bogosec.conf
              Global configuration file. The settings here are overridden by
              any settings in the user's ~/.bogosecrc file.

       ~/.bogosecrc
              Default user configuration file (overrides the settings in
              /etc/bogosec.conf). This file is not created during
              installation; you must create it yourself.

       Default plugins directory. Can be changed with the --plugin-dir
       option. Plugins must be executable, and must end in .pm as per

       Directory of BogoSec documentation and other germane documents.
       FlawFinder : http://www.dwheeler.com/flawfinder
       ITS4       : http://www.cigital.com/its4
       RATS       : http://www.securesoftware.com/resources/tools.html
BUGS
       Not all input is validated. Not all environment variables are
       checked. This program expects to be run by trusted users.

AUTHORS
       Developed by Dustin Kirkland, Agoston Petz, and Loulwa Salem at the
       IBM Linux Technology Center.
Linux                            Jan 25 2005                        BOGOSEC(1)